{
	"id": "aff7ea72-2310-4c28-b77d-9573f302e59f",
	"created_at": "2026-04-06T00:10:37.300131Z",
	"updated_at": "2026-04-10T13:11:57.6268Z",
	"deleted_at": null,
	"sha1_hash": "372e3eac73702310fd1024ab72f5681097fbc5d8",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52090,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:20:20 UTC\nTool: Gh0stnet\nNames\nGh0stnet\nGhostnet\nRemosh\nCategory Malware\nType Backdoor, Info stealer, Exfiltration\nDescription\n(UCAM) Our next observation concerns the malware payloads used. These were packaged as either .doc or .pdf files that installed rootkits on the machines of monks who clicked on them. During our initial network monitoring exercise, we observed sensitive files being transferred out of the Office of His Holiness the Dalai Lama (OHHDL) using a modified HTTP protocol: the malware picked up files from local disks and sent them to three servers which, according to APNIC, were in China’s Sichuan province, using a custom protocol based on HTTP. The malware uses HTTP GET and HTTP POST messages to transfer files out and also appears to verify successful transmission. Sichuan, by the way, is the location of the Chinese intelligence unit specifically tasked with monitoring the OHHDL.\nInformation\nMalpedia\nLast change to this tool card: 13 May 2020\nAll groups using tool Gh0stnet\nChanged Name Country Observed\nAPT groups\nGhostNet, Snooping Dragon 2009-2010\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1ab15fc8-f2d0-4796-b342-2eb5f4527f86",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1ab15fc8-f2d0-4796-b342-2eb5f4527f86"
	],
	"report_names": [
		"listgroups.cgi?u=1ab15fc8-f2d0-4796-b342-2eb5f4527f86"
	],
	"threat_actors": [
		{
			"id": "3cc6c262-df23-4075-a93f-b496e8908eb2",
			"created_at": "2022-10-25T16:07:23.682239Z",
			"updated_at": "2026-04-10T02:00:04.708878Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"GhostNet",
				"Snooping Dragon"
			],
			"source_name": "ETDA:GhostNet",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Gh0stnet",
				"Ghost RAT",
				"Ghostnet",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Remosh",
				"TOM-Skype"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e91dae30-a513-4fb1-aace-4457466313b3",
			"created_at": "2023-01-06T13:46:38.974913Z",
			"updated_at": "2026-04-10T02:00:03.168521Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"Snooping Dragon"
			],
			"source_name": "MISPGALAXY:GhostNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434237,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/372e3eac73702310fd1024ab72f5681097fbc5d8.pdf",
		"text": "https://archive.orkl.eu/372e3eac73702310fd1024ab72f5681097fbc5d8.txt",
		"img": "https://archive.orkl.eu/372e3eac73702310fd1024ab72f5681097fbc5d8.jpg"
	}
}