{
	"id": "aea5eb1d-d328-4e7e-983a-dcdaf05fdcf2",
	"created_at": "2026-04-06T03:37:01.226167Z",
	"updated_at": "2026-04-10T03:36:19.005117Z",
	"deleted_at": null,
	"sha1_hash": "31fd9f8a0a7b5189818c06bddb89fb8f1a1fa98d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47171,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 03:20:07 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool VELVETTAP\n Tool: VELVETTAP\nNames VELVETTAP\nCategory Malware\nType Info stealer\nDescription\n(Sygnia) A tool with the ability to capture network packets. The binary was executed on the F5\nappliance with the argument ‘mgmt’, which is the name of the internal NIC of the F5 device.\nInformation Last change to this tool card: 19 June 2024\nDownload this tool card in JSON format\nAll groups using tool VELVETTAP\nChanged Name Country Observed\nAPT groups\n Velvet Ant 2023-Jul 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=336b85dd-d6c6-4b6d-9f31-4d3c0e8b1182\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=336b85dd-d6c6-4b6d-9f31-4d3c0e8b1182\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=336b85dd-d6c6-4b6d-9f31-4d3c0e8b1182"
	],
	"report_names": [
		"listgroups.cgi?u=336b85dd-d6c6-4b6d-9f31-4d3c0e8b1182"
	],
	"threat_actors": [
		{
			"id": "822063cf-d9bd-499a-9715-70d95881378f",
			"created_at": "2025-04-23T02:00:55.295207Z",
			"updated_at": "2026-04-10T02:00:05.254566Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [
				"Velvet Ant"
			],
			"source_name": "MITRE:Velvet Ant",
			"tools": [
				"PlugX",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0c0d8f44-d131-41c8-a693-efb687e777f1",
			"created_at": "2024-06-20T02:02:10.211899Z",
			"updated_at": "2026-04-10T02:00:04.962606Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [],
			"source_name": "ETDA:Velvet Ant",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"ESRDE",
				"Kaba",
				"Korplug",
				"POISONPLUG.SHADOW",
				"PlugX",
				"RedDelta",
				"SAMRID",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"VELVETSTING",
				"VELVETTAP",
				"XShellGhost",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446621,
	"ts_updated_at": 1775792179,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/31fd9f8a0a7b5189818c06bddb89fb8f1a1fa98d.pdf",
		"text": "https://archive.orkl.eu/31fd9f8a0a7b5189818c06bddb89fb8f1a1fa98d.txt",
		"img": "https://archive.orkl.eu/31fd9f8a0a7b5189818c06bddb89fb8f1a1fa98d.jpg"
	}
}