{
	"id": "29b83f2f-8aae-4dea-bbe7-091119a538fa",
	"created_at": "2026-04-06T00:13:33.181309Z",
	"updated_at": "2026-04-10T03:30:36.198343Z",
	"deleted_at": null,
	"sha1_hash": "efd2087e557a7f247c9933d2a1af67e791e7eb20",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57472,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:51:19 UTC\nTool: Apostle\nNames: Apostle\nCategory: Malware\nType: Wiper, Ransomware\nDescription: (SentinelLabs) One of the wipers used in the attack, dubbed ‘Apostle’, was later turned into a fully functional ransomware, replacing its wiper functionalities. The message inside it suggests it was used to target a critical, nation-owned facility in the United Arab Emirates. The similarity to its wiper version, as well as the nature of the target in the context of regional disputes, leads us to believe that the operators behind it are utilizing ransomware for its disruptive capabilities.\nInformation: MITRE ATT\u0026CK, Malpedia\nLast change to this tool card: 27 December 2024\nAll groups using tool Apostle\nAPT groups: Agrius (observed 2020-May 2023)\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8bce8d3a-ca82-4e2a-8fe3-87f4c2f83382",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8bce8d3a-ca82-4e2a-8fe3-87f4c2f83382"
	],
	"report_names": [
		"listgroups.cgi?u=8bce8d3a-ca82-4e2a-8fe3-87f4c2f83382"
	],
	"threat_actors": [
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434413,
	"ts_updated_at": 1775791836,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efd2087e557a7f247c9933d2a1af67e791e7eb20.pdf",
		"text": "https://archive.orkl.eu/efd2087e557a7f247c9933d2a1af67e791e7eb20.txt",
		"img": "https://archive.orkl.eu/efd2087e557a7f247c9933d2a1af67e791e7eb20.jpg"
	}
}