{
	"id": "fe440b08-3648-46c1-b66c-242b54b75d27",
	"created_at": "2026-04-06T00:22:15.818609Z",
	"updated_at": "2026-04-10T03:30:01.843617Z",
	"deleted_at": null,
	"sha1_hash": "35c043c507e24e345d77ae2364ab0e9245ea8f6a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53152,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:32:06 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool TriFive\n Tool: TriFive\nNames TriFive\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) TriFive is a previously unseen PowerShell-based backdoor that the xHunt actors\ninstalled on the compromised Exchange server, executing every five minutes via a scheduled\ntask. TriFive provided backdoor access to the Exchange server by logging into a legitimate\nuser’s inbox and obtaining a PowerShell script from an email draft within the deleted emails\nfolder. The TriFive sample used a legitimate account name and credentials from the targeted\norganization. This suggests that the threat actor had stolen the account’s credentials prior to the\ninstallation of the TriFive backdoor.\nInformation Last change to this tool card: 20 January 2021\nDownload this tool card in JSON format\nAll groups using tool TriFive\nColumns: Changed, Name, Country, Observed\nAPT groups\nName: xHunt; Observed: 2018-Aug 2019 (no value extracted for Changed or Country)\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b63f65e-6d5f-4ab4-b64f-750309ace196\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b63f65e-6d5f-4ab4-b64f-750309ace196\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b63f65e-6d5f-4ab4-b64f-750309ace196"
	],
	"report_names": [
		"listgroups.cgi?u=3b63f65e-6d5f-4ab4-b64f-750309ace196"
	],
	"threat_actors": [
		{
			"id": "20bc5b83-9ea0-4e60-a23e-19bf203dc9fb",
			"created_at": "2022-10-25T16:07:24.432777Z",
			"updated_at": "2026-04-10T02:00:04.986077Z",
			"deleted_at": null,
			"main_name": "xHunt",
			"aliases": [
				"Cobalt Katana",
				"Hive0081",
				"Hunter Serpens",
				"SectorD01"
			],
			"source_name": "ETDA:xHunt",
			"tools": [
				"CASHY200",
				"COLDTRAIN",
				"Gon",
				"Hisoka",
				"Killua",
				"Netero",
				"SHELLSTING",
				"Sakabota",
				"Snugy",
				"TriFive"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434935,
	"ts_updated_at": 1775791801,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35c043c507e24e345d77ae2364ab0e9245ea8f6a.pdf",
		"text": "https://archive.orkl.eu/35c043c507e24e345d77ae2364ab0e9245ea8f6a.txt",
		"img": "https://archive.orkl.eu/35c043c507e24e345d77ae2364ab0e9245ea8f6a.jpg"
	}
}