{
	"id": "5e3c9408-9ab7-437c-85a2-916a38ce9c25",
	"created_at": "2026-04-06T00:12:39.567115Z",
	"updated_at": "2026-04-10T03:29:45.421539Z",
	"deleted_at": null,
	"sha1_hash": "3620a7a67692328b4420d1ebd55e3a8026faadec",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57180,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 11:37:24 UTC\nTool: Bvp47\nNames: Bvp47\nCategory: Malware\nType: Backdoor, Rootkit\nDescription\n(Pangu Lab) In a certain month of 2013, during an in-depth forensic investigation of a host in a key domestic department, researchers from the Pangu Lab extracted a set of advanced backdoors on the Linux platform, which used advanced covert channel behavior based on TCP SYN packets, code obfuscation, system hiding, and self-destruction design. In case of failure to fully decrypt, it is further found that this backdoor needs the check code bound to the host to run normally. Then the researchers cracked the check code and successfully ran the backdoor. Judging from some behavioral functions, this is a top-tier APT backdoor, but further investigation requires the attacker's asymmetric encrypted private key to activate the remote control function. Based on the most common string 'Bvp' in the sample and the numerical value 0x47 used in the encryption algorithm, the team named the corresponding malicious code 'Bvp47' at the time.\nInformation: Malpedia\nLast change to this tool card: 27 December 2022\nAll groups using tool Bvp47\nAPT groups\nName: Equation Group; Observed: 2001-Aug 2016\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d0d15a43-82da-4a66-8a73-10380794926b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d0d15a43-82da-4a66-8a73-10380794926b"
	],
	"report_names": [
		"listgroups.cgi?u=d0d15a43-82da-4a66-8a73-10380794926b"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434359,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3620a7a67692328b4420d1ebd55e3a8026faadec.pdf",
		"text": "https://archive.orkl.eu/3620a7a67692328b4420d1ebd55e3a8026faadec.txt",
		"img": "https://archive.orkl.eu/3620a7a67692328b4420d1ebd55e3a8026faadec.jpg"
	}
}