{
	"id": "cfe76099-1875-42a3-91ef-58548d0addc1",
	"created_at": "2026-04-06T00:21:18.4663Z",
	"updated_at": "2026-04-10T13:12:23.529312Z",
	"deleted_at": null,
	"sha1_hash": "f76ac9e1591a8fa3962c51908039b84ba6b886c4",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43483,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:43:40 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool STEELHOUND\r\n Tool: STEELHOUND\r\nNames STEELHOUND\r\nCategory Malware\r\nType Dropper\r\nDescription\r\n(Mandiant) Mandiant discovered UNC2891 leveraging an in-memory\r\ndropper, similar to STEELCORGI, that also used environment variables to decrypt its embedded payload but instead\r\nrelied on RC4 encryption; we have named this STEELHOUND. In addition to functioning as\r\na dropper for an embedded payload, STEELHOUND is also able to encrypt new payloads by\r\nencrypting a target binary and writing it to disk along with a copy of itself and an end-of-file\r\nconfiguration.\r\nInformation \u003chttps://www.mandiant.com/resources/unc2891-overview\u003e\r\nLast change to this tool card: 03 April 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool STEELHOUND\r\nChanged Name Country Observed\r\nAPT groups\r\n  UNC2891 [Unknown] 2020  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7ba6ed83-c174-4edc-8e35-1a8ad536b511\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7ba6ed83-c174-4edc-8e35-1a8ad536b511\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7ba6ed83-c174-4edc-8e35-1a8ad536b511"
	],
	"report_names": [
		"listgroups.cgi?u=7ba6ed83-c174-4edc-8e35-1a8ad536b511"
	],
	"threat_actors": [
		{
			"id": "8b0219d5-cb32-4702-a4d6-7de8beb9b7a8",
			"created_at": "2022-10-25T16:07:24.364598Z",
			"updated_at": "2026-04-10T02:00:04.955871Z",
			"deleted_at": null,
			"main_name": "UNC2891",
			"aliases": [],
			"source_name": "ETDA:UNC2891",
			"tools": [
				"BINBASH",
				"CAKETAP",
				"MIGLOGCLEANER",
				"SLAPSTICK",
				"STEELCORGI",
				"STEELHOUND",
				"SUN4ME",
				"Tiny SHell",
				"WINGCRACK",
				"WINGHOOK",
				"WIPERIGHT",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434878,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f76ac9e1591a8fa3962c51908039b84ba6b886c4.pdf",
		"text": "https://archive.orkl.eu/f76ac9e1591a8fa3962c51908039b84ba6b886c4.txt",
		"img": "https://archive.orkl.eu/f76ac9e1591a8fa3962c51908039b84ba6b886c4.jpg"
	}
}