{
	"id": "3c7493e5-4b98-4f01-9107-2c0d6ac25228",
	"created_at": "2026-04-06T00:10:10.128931Z",
	"updated_at": "2026-04-10T03:29:29.284252Z",
	"deleted_at": null,
	"sha1_hash": "27b064c89d5f2f70d03864d66cc67836036846db",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49386,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:39:20 UTC\n\nTool: ShadowNet\nNames: ShadowNet\nCategory: Malware\nType: Backdoor, Info stealer, Exfiltration\n\nDescription:\n(Citizen Lab) ShadowNet malware leverages Windows Management Instrumentation (WMI), a system tool meant for administrators. Its intended usage as a tool for collecting system information and automation makes it an ideal mechanism for gathering and exfiltrating data. The use of legitimate Windows features can make it more difficult for administrators to identify activity as malicious.\nShadowNet typically uses multi-layered C2 infrastructure that first connects to blog websites and then retrieves C2 information from encoded strings left on the blog. By using blog sites as intermediaries the attackers can maintain control of compromised machines even if a C2 is blocked by a network firewall or otherwise goes down. If a C2 needs to be updated the attackers can simply point the intermediaries to new servers.\n\nInformation: Last change to this tool card: 20 April 2020\n\nAll groups using tool ShadowNet\nChanged Name Country Observed\nAPT groups\n Shadow Network 2010-2010\n1 group listed (1 APT, 0 other, 0 unknown)\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=93ab0ca2-e9e1-422e-b35e-04fe80d4974d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=93ab0ca2-e9e1-422e-b35e-04fe80d4974d"
	],
	"report_names": [
		"listgroups.cgi?u=93ab0ca2-e9e1-422e-b35e-04fe80d4974d"
	],
	"threat_actors": [
		{
			"id": "c398d083-1e86-4cee-8937-eb057f0e6fdc",
			"created_at": "2022-10-25T16:07:24.172423Z",
			"updated_at": "2026-04-10T02:00:04.888972Z",
			"deleted_at": null,
			"main_name": "Shadow Network",
			"aliases": [],
			"source_name": "ETDA:Shadow Network",
			"tools": [
				"ShadowNet"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "172e5e21-e954-4322-9317-41f2cbaed7f1",
			"created_at": "2023-01-06T13:46:38.992713Z",
			"updated_at": "2026-04-10T02:00:03.174179Z",
			"deleted_at": null,
			"main_name": "Shadow Network",
			"aliases": [],
			"source_name": "MISPGALAXY:Shadow Network",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775791769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27b064c89d5f2f70d03864d66cc67836036846db.pdf",
		"text": "https://archive.orkl.eu/27b064c89d5f2f70d03864d66cc67836036846db.txt",
		"img": "https://archive.orkl.eu/27b064c89d5f2f70d03864d66cc67836036846db.jpg"
	}
}