{
	"id": "5d4cb62e-1cd9-401d-98f4-da71cb8ca4b5",
	"created_at": "2026-04-06T00:21:18.474772Z",
	"updated_at": "2026-04-10T03:31:25.839917Z",
	"deleted_at": null,
	"sha1_hash": "1ea4252300aadd76fefc09265c2b8eb215f742b1",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54431,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:59:17 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool VIDEOKILLER\r\n Tool: VIDEOKILLER\r\nNames VIDEOKILLER\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(FireEye) VIDEOKILLER is a .NET backdoor similar to RADIOSTAR that handles\r\ncommands from the C\u0026C server. It masquerades as conhost.exe. The majority of strings it\r\ncontains are Base64 encoded, though some are not, such as the string “It’s Ok” which is\r\npotentially used for logging throughout execution.\r\nInformation \u003chttps://content.fireeye.com/web-assets/rpt-unc1151-ghostwriter-update\u003e\r\nLast change to this tool card: 15 May 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool VIDEOKILLER\r\nChanged Name Country Observed\r\nAPT groups\r\n  Operation Ghostwriter 2017-Jan 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=989eb461-9f94-496a-a0c1-9218ab31462f\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=989eb461-9f94-496a-a0c1-9218ab31462f\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=989eb461-9f94-496a-a0c1-9218ab31462f"
	],
	"report_names": [
		"listgroups.cgi?u=989eb461-9f94-496a-a0c1-9218ab31462f"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434878,
	"ts_updated_at": 1775791885,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ea4252300aadd76fefc09265c2b8eb215f742b1.pdf",
		"text": "https://archive.orkl.eu/1ea4252300aadd76fefc09265c2b8eb215f742b1.txt",
		"img": "https://archive.orkl.eu/1ea4252300aadd76fefc09265c2b8eb215f742b1.jpg"
	}
}