{
	"id": "5235ce82-4b7c-41a1-913b-630ef939f87c",
	"created_at": "2026-04-06T01:30:20.276825Z",
	"updated_at": "2026-04-10T13:11:43.125638Z",
	"deleted_at": null,
	"sha1_hash": "01a86136c4f365460e3c1c2811c3917a7cfd0416",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49312,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:28:10 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool EvilBunny\n Tool: EvilBunny\nNames EvilBunny\nCategory Malware\nType Backdoor\nDescription\n(Infosec Institute) EvilBunny is written in C++ and is able to detect installed antivirus\nand other defensive solutions. It includes a Lua 5.1 interpreter, which allows the\nspyware to execute Lua scripts and change its behavior at runtime.\nThe experts discovered that EvilBunny is able to receive commands from the C\u0026C\nserver at least in three different ways, via HTTP, through a downloaded database file or\nas a scheduled task.\nThe EvilBunny malware was initially delivered through a malicious PDF document,\nexploiting CVE-2011-4369. Once compromised the target the malware is loaded onto\nthe system and infects the PC with EvilBunny malware.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool EvilBunny\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dbcec021-bbde-487d-85e3-684c4fb7e9bb\nPage 1 of 2\n\nAPT groups\r\n  Snowglobe, Animal Farm 2011  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dbcec021-bbde-487d-85e3-684c4fb7e9bb\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dbcec021-bbde-487d-85e3-684c4fb7e9bb\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dbcec021-bbde-487d-85e3-684c4fb7e9bb"
	],
	"report_names": [
		"listgroups.cgi?u=dbcec021-bbde-487d-85e3-684c4fb7e9bb"
	],
	"threat_actors": [
		{
			"id": "e09a7338-fb16-4e39-b579-c3bfc3140c47",
			"created_at": "2022-10-25T16:07:24.207294Z",
			"updated_at": "2026-04-10T02:00:04.899166Z",
			"deleted_at": null,
			"main_name": "Snowglobe",
			"aliases": [
				"ATK 8",
				"Animal Farm",
				"SIG20",
				"Snowglobe"
			],
			"source_name": "ETDA:Snowglobe",
			"tools": [
				"Babar",
				"Casper",
				"Chocopop",
				"Dino",
				"EvilBunny",
				"Nbot",
				"TFC",
				"Tafacalou"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "548a4081-aa8f-4e2a-bcb3-0c9dfa61944f",
			"created_at": "2023-01-06T13:46:38.443779Z",
			"updated_at": "2026-04-10T02:00:02.977564Z",
			"deleted_at": null,
			"main_name": "SNOWGLOBE",
			"aliases": [
				"Animal Farm",
				"Snowglobe",
				"ATK8"
			],
			"source_name": "MISPGALAXY:SNOWGLOBE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439020,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01a86136c4f365460e3c1c2811c3917a7cfd0416.pdf",
		"text": "https://archive.orkl.eu/01a86136c4f365460e3c1c2811c3917a7cfd0416.txt",
		"img": "https://archive.orkl.eu/01a86136c4f365460e3c1c2811c3917a7cfd0416.jpg"
	}
}