{
	"id": "fb48f7ef-8904-473e-af46-92fe932b625d",
	"created_at": "2026-04-06T15:53:02.653114Z",
	"updated_at": "2026-04-10T03:27:16.172738Z",
	"deleted_at": null,
	"sha1_hash": "2941c57a7f2439b3c81ea4fb91ea9f0f0d6646a7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49232,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 15:43:39 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Gelsevirine\n Tool: Gelsevirine\nNames Gelsevirine\nCategory Malware\nType Backdoor\nDescription\n(ESET) Gelsevirine is the last stage of the chain and it is called MainPlugin by its\ndevelopers, according to the DLL name and also PDB path found in old samples\n(Z:\\z_code\\Q1\\Client\\Win32\\Release\\MainPlugin.pdb). It’s also worth mentioning that\nif defenders manage to obtain this last stage alone, it won’t run flawlessly since it\nrequires its arguments to be set up by Gelsenicine.\nInformation MITRE ATT\u0026CK Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Gelsevirine\nChanged Name Country Observed\nAPT groups\n Gelsemium 2014-2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=120b6249-69a8-4ffb-80dc-32b483341245\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=120b6249-69a8-4ffb-80dc-32b483341245\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=120b6249-69a8-4ffb-80dc-32b483341245"
	],
	"report_names": [
		"listgroups.cgi?u=120b6249-69a8-4ffb-80dc-32b483341245"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490782,
	"ts_updated_at": 1775791636,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2941c57a7f2439b3c81ea4fb91ea9f0f0d6646a7.pdf",
		"text": "https://archive.orkl.eu/2941c57a7f2439b3c81ea4fb91ea9f0f0d6646a7.txt",
		"img": "https://archive.orkl.eu/2941c57a7f2439b3c81ea4fb91ea9f0f0d6646a7.jpg"
	}
}