{
	"id": "250b8dc8-eb7f-43a8-b9c3-d17005f63973",
	"created_at": "2026-04-06T00:13:26.146637Z",
	"updated_at": "2026-04-10T13:11:41.767072Z",
	"deleted_at": null,
	"sha1_hash": "02ebca67817643aa123a3c4bf5e9bd3686191e7f",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47628,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:43:44 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Gelsenicine\n Tool: Gelsenicine\nNames Gelsenicine\nCategory Malware\nType Loader\nDescription\n(ESET) Gelsenicine is a loader that retrieves Gelsevirine and executes it. There are two\ndifferent versions of the loader – both of them are DLLs; however, they differ in the\ncontext where Gelsemine is executed.\nInformation MITRE ATT\u0026CK Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Gelsenicine\nChanged Name Country Observed\nAPT groups\n Gelsemium 2014-2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=88332db7-b2a7-483a-87ce-5d774c9f74dc\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=88332db7-b2a7-483a-87ce-5d774c9f74dc\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=88332db7-b2a7-483a-87ce-5d774c9f74dc"
	],
	"report_names": [
		"listgroups.cgi?u=88332db7-b2a7-483a-87ce-5d774c9f74dc"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434406,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02ebca67817643aa123a3c4bf5e9bd3686191e7f.pdf",
		"text": "https://archive.orkl.eu/02ebca67817643aa123a3c4bf5e9bd3686191e7f.txt",
		"img": "https://archive.orkl.eu/02ebca67817643aa123a3c4bf5e9bd3686191e7f.jpg"
	}
}