{
	"id": "ecdc85b2-0d24-4ee8-b860-1385254798c1",
	"created_at": "2026-04-06T01:31:18.953009Z",
	"updated_at": "2026-04-10T03:34:14.877956Z",
	"deleted_at": null,
	"sha1_hash": "fc02c0cc8b3e5c29e82145a989628f7861094242",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49579,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 01:05:24 UTC\nTool: SPICA\nNames SPICA\nCategory Malware\nType Backdoor, Reconnaissance, Credential stealer, Info stealer, Downloader, Exfiltration\nDescription\n(Google) SPICA is written in Rust, and uses JSON over websockets for command and control (C2). It supports a number of commands including:\n• Executing arbitrary shell commands\n• Stealing cookies from Chrome, Firefox, Opera and Edge\n• Uploading and downloading files\n• Perusing the filesystem by listing the contents of it\n• Enumerating documents and exfiltrating them in an archive\n• There is also a command called “telegram,” but the functionality of this command is unclear\nOnce executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.\nInformation\nMITRE ATT\u0026CK, Malpedia\nLast change to this tool card: 27 December 2024\nAll groups using tool SPICA\nChanged Name Country Observed\nAPT groups\nCold River 2019-Jan 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=070ba31e-1ec7-411f-9325-57391a1ca6cc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=070ba31e-1ec7-411f-9325-57391a1ca6cc"
	],
	"report_names": [
		"listgroups.cgi?u=070ba31e-1ec7-411f-9325-57391a1ca6cc"
	],
	"threat_actors": [
		{
			"id": "68d50d91-7569-4e09-b155-98b23b23918a",
			"created_at": "2023-01-06T13:46:38.877268Z",
			"updated_at": "2026-04-10T02:00:03.130232Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Nahr Elbard",
				"Nahr el bared"
			],
			"source_name": "MISPGALAXY:Cold River",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439078,
	"ts_updated_at": 1775792054,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc02c0cc8b3e5c29e82145a989628f7861094242.pdf",
		"text": "https://archive.orkl.eu/fc02c0cc8b3e5c29e82145a989628f7861094242.txt",
		"img": "https://archive.orkl.eu/fc02c0cc8b3e5c29e82145a989628f7861094242.jpg"
	}
}