{
	"id": "a98628d2-f37c-44e7-b4d0-46a84bf1b637",
	"created_at": "2026-04-06T00:06:18.906515Z",
	"updated_at": "2026-04-10T13:12:19.077037Z",
	"deleted_at": null,
	"sha1_hash": "faf5a53e128f5c547d7a38c74a31fbf83e4d6fd9",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52243,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:04:51 UTC\n APT group: Deceptikons, DeathStalker\nNames\nDeceptikons (Kaspersky)\nDeathStalker (Kaspersky)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2012\nDescription\n(Kaspersky) In this blog post, we’ll be focusing on DeathStalker: a unique threat\ngroup that appears to target law firms and companies in the financial sector\n(although we’ve occasionally seen them in other verticals as well). As far as we can\ntell, this actor isn’t motivated by financial gain. They don’t deploy ransomware, steal\npayment information to resell it, or engage in any type of activity commonly\nassociated with the cybercrime underworld. Their interest in gathering sensitive\nbusiness information leads us to believe that DeathStalker is a group of mercenaries\noffering hacking-for-hire services, or acting as some sort of information broker in\nfinancial circles.\nDeathStalker first came to our attention through a PowerShell-based implant called\nPowersing. 
By unraveling this thread, we were able to identify activities dating back\nto 2018, and possibly even 2012.\nThere is activity overlap with Evilnum.\nObserved\nSectors: Financial and law firms.\nCountries: Argentina, China, Cyprus, India, Israel, Jordan, Lebanon, Russia,\nSwitzerland, Taiwan, Turkey, UAE, UK.\nTools used Evilnum, Janicab, PowerPepper, Powersing, VileRAT.\nOperations performed\n2020\nDeathStalker targets legal entities with new Janicab variant\nMay 2020\nMeet PowerPepper: the spicy implant that your bland scripts setup\nneeded\nJun 2020\nVileRAT: DeathStalker’s continuous strike at foreign and\ncryptocurrency exchanges\nInformation\nLast change to this card: 27 December 2022\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=55986798-f21d-4c64-9f5b-57676bf32241",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=55986798-f21d-4c64-9f5b-57676bf32241"
	],
	"report_names": [
		"showcard.cgi?u=55986798-f21d-4c64-9f5b-57676bf32241"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f7aa6029-2b01-4eee-8fe6-287330e087c9",
			"created_at": "2022-10-25T16:07:23.536763Z",
			"updated_at": "2026-04-10T02:00:04.646542Z",
			"deleted_at": null,
			"main_name": "Deceptikons",
			"aliases": [
				"DeathStalker",
				"Deceptikons"
			],
			"source_name": "ETDA:Deceptikons",
			"tools": [
				"EVILNUM",
				"Evilnum",
				"Janicab",
				"PowerPepper",
				"Powersing",
				"VileRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433978,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/faf5a53e128f5c547d7a38c74a31fbf83e4d6fd9.pdf",
		"text": "https://archive.orkl.eu/faf5a53e128f5c547d7a38c74a31fbf83e4d6fd9.txt",
		"img": "https://archive.orkl.eu/faf5a53e128f5c547d7a38c74a31fbf83e4d6fd9.jpg"
	}
}