{
	"id": "61a0e18a-4322-49bb-8f53-4ec2274147e0",
	"created_at": "2026-04-06T00:19:06.126367Z",
	"updated_at": "2026-04-10T03:27:16.216099Z",
	"deleted_at": null,
	"sha1_hash": "36c357dd3da525d6aa047c349f9f4eda6f2c1a10",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47848,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:16:14 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool FireWood\n Tool: FireWood\nNames FireWood\nCategory Malware\nType Backdoor\nDescription\n(ESET) The second backdoor, which we have named FireWood, is connected to Project Wood.\nThe Windows version of the Project Wood backdoor was previously used by the Gelsemium\ngroup in Operation TooHash.\nInformation\nLast change to this tool card: 26 December 2024\nDownload this tool card in JSON format\nAll groups using tool FireWood\nChanged Name Country Observed\nAPT groups\n Gelsemium 2014-2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8d76443a-0ab4-413a-8947-6a7789f5cb4e\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8d76443a-0ab4-413a-8947-6a7789f5cb4e\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8d76443a-0ab4-413a-8947-6a7789f5cb4e"
	],
	"report_names": [
		"listgroups.cgi?u=8d76443a-0ab4-413a-8947-6a7789f5cb4e"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775791636,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36c357dd3da525d6aa047c349f9f4eda6f2c1a10.pdf",
		"text": "https://archive.orkl.eu/36c357dd3da525d6aa047c349f9f4eda6f2c1a10.txt",
		"img": "https://archive.orkl.eu/36c357dd3da525d6aa047c349f9f4eda6f2c1a10.jpg"
	}
}