{ "id": "c3940218-1db4-47a2-9491-0208163a8256", "created_at": "2026-04-06T00:21:23.061818Z", "updated_at": "2026-04-10T03:35:37.636412Z", "deleted_at": null, "sha1_hash": "fdf8575d49c87394c3ef2a952d6898d7b33bb506", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47373, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:58:37 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Graphiron\r\n Tool: Graphiron\r\nNames Graphiron\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Credential stealer\r\nDescription\r\n(Symantec) Graphiron is a two-stage threat consisting of a downloader\r\n(Downloader.Graphiron) and a payload (Infostealer.Graphiron).\r\nThe payload is capable of carrying out the following tasks:\r\n• Reads MachineGuid\r\n• Obtains the IP address from https://checkip.amazonaws.com\r\n• Retrieves the hostname, system info, and user info\r\n• Steals data from Firefox and Thunderbird\r\n• Steals private keys from MobaXTerm.\r\n• Steals SSH known hosts\r\n• Steals data from PuTTY\r\n• Steals stored passwords\r\n• Takes screenshots\r\n• Creates a directory\r\n• Lists a directory\r\n• Runs a shell command\r\n• Steals an arbitrary file\r\nInformation\r\n\u003chttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.graphiron\u003e\r\nLast change to this tool card: 22 June 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool Graphiron\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b99018f-62bf-4df9-9a0f-c6209ba5c734\r\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  SaintBear, Lorec53 2021-Oct 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b99018f-62bf-4df9-9a0f-c6209ba5c734\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b99018f-62bf-4df9-9a0f-c6209ba5c734\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b99018f-62bf-4df9-9a0f-c6209ba5c734" ], "report_names": [ "listgroups.cgi?u=6b99018f-62bf-4df9-9a0f-c6209ba5c734" ], "threat_actors": [ { "id": "eecf54a2-2deb-41e5-9857-fed94a53f858", "created_at": "2023-01-06T13:46:39.349959Z", "updated_at": "2026-04-10T02:00:03.296196Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Bleeding Bear", "Cadet Blizzard", "Nascent Ursa", "Nodaria", "Storm-0587", "DEV-0587", "Saint Bear", "EMBER BEAR", "UNC2589", "TA471", "UAC-0056", "FROZENVISTA", "Lorec53", "Lorec Bear" ], "source_name": "MISPGALAXY:SaintBear", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "03a6f362-cbab-4ce9-925d-306b8c937bf1", "created_at": "2024-11-01T02:00:52.635907Z", "updated_at": "2026-04-10T02:00:05.339384Z", "deleted_at": null, "main_name": "Saint Bear", "aliases": [ "Saint Bear", "Storm-0587", "TA471", "UAC-0056", "Lorec53" ], "source_name": "MITRE:Saint Bear", "tools": [ "OutSteel", "Saint Bot" ], "source_id": "MITRE", "reports": null }, { "id": "083d63b2-3eee-42a8-b1bd-54e657a229e8", "created_at": "2022-10-25T16:07:24.143338Z", "updated_at": "2026-04-10T02:00:04.879634Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Ember Bear", "FROZENVISTA", "G1003", "Lorec53", "Nascent Ursa", "Nodaria", "SaintBear", "Storm-0587", "TA471", "UAC-0056", "UNC2589" ], "source_name": "ETDA:SaintBear", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Elephant Client", "Elephant Implant", "GraphSteel", "Graphiron", "GrimPlant", "OutSteel", "Saint Bot", "SaintBot", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434883, "ts_updated_at": 1775792137, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fdf8575d49c87394c3ef2a952d6898d7b33bb506.pdf", "text": "https://archive.orkl.eu/fdf8575d49c87394c3ef2a952d6898d7b33bb506.txt", "img": "https://archive.orkl.eu/fdf8575d49c87394c3ef2a952d6898d7b33bb506.jpg" } }