{
	"id": "be127218-d6b1-4f1f-ae69-b6f29e117b18",
	"created_at": "2026-04-06T00:19:44.605563Z",
	"updated_at": "2026-04-10T03:24:56.658085Z",
	"deleted_at": null,
	"sha1_hash": "f3fd458a0f75354a08a09c23fd408569fb651e90",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50542,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:14:51 UTC\r\n Tool: FlowCloud\r\nNames FlowCloud\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Keylogger, Info stealer, Exfiltration\r\nDescription\r\n(Proofpoint) While we found the ultimate execution method for both the LookBack GUP\r\nProxy Tool and FlowCloud malware were the same across both macro versions, we found\r\nthat the FlowCloud macro introduced a new method for the delivery of the malware.\r\nFlowCloud malware is capable of RAT functionalities based on its available commands\r\nincluding accessing the clipboard, installed applications, keyboard, mouse, screen, files,\r\nservices, and processes with the ability to exfiltrate information via command and control.\r\nAdditionally, the malware variants analyzed have several distinct characteristics that\r\nindicate the malware may have been active in the threat landscape since at least July 2016.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new\u003e\r\n\u003chttps://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis\u003e\r\n\u003chttps://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape\u003e\r\n\u003chttps://nao-sec.org/2021/01/royal-road-redive.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:FlowCloud\u003e\r\nLast change to this tool card: 24 April 2021\r\nAll groups using tool FlowCloud\r\nChanged Name Country Observed\r\nAPT groups\r\n  LookBack, TA410 [Unknown] 2019-Feb 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1f53d01d-537d-46d0-969f-7971d49db920",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1f53d01d-537d-46d0-969f-7971d49db920"
	],
	"report_names": [
		"listgroups.cgi?u=1f53d01d-537d-46d0-969f-7971d49db920"
	],
	"threat_actors": [
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1",
			"created_at": "2023-01-06T13:46:39.059774Z",
			"updated_at": "2026-04-10T02:00:03.199867Z",
			"deleted_at": null,
			"main_name": "TA410",
			"aliases": [],
			"source_name": "MISPGALAXY:TA410",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434784,
	"ts_updated_at": 1775791496,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3fd458a0f75354a08a09c23fd408569fb651e90.pdf",
		"text": "https://archive.orkl.eu/f3fd458a0f75354a08a09c23fd408569fb651e90.txt",
		"img": "https://archive.orkl.eu/f3fd458a0f75354a08a09c23fd408569fb651e90.jpg"
	}
}