{ "id": "3218a3c1-50fe-4325-93ec-4a9a333795c9", "created_at": "2026-04-06T00:08:03.112643Z", "updated_at": "2026-04-10T13:11:28.340008Z", "deleted_at": null, "sha1_hash": "382c59377c8f05151c62db5664e54f11cc2e8293", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48449, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:00:38 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool VIRTUALPITA\r\n Tool: VIRTUALPITA\r\nNames VIRTUALPITA\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Mandiant) VIRTUALPITA is a 64-bit passive backdoor that creates a listener on a hardcoded\r\nport number on a VMware ESXi server. The backdoor often utilizes VMware service names\r\nand ports to masquerade as a legitimate service. It supports arbitrary command execution, file\r\nupload and download, and the ability to start and stop vmsyslogd. During arbitrary command\r\nexecution, the malware also sets the environmental variable HISTFILE to 0 to further hide\r\nactivity that occurred on the machine. Variants of this malware were found to listen on a\r\nVirtual Machine Communication Interface (VMCI) and log this activity to the file sysclog.\r\nInformation\r\n\u003chttps://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence\u003e\r\nLast change to this tool card: 26 August 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool VIRTUALPITA\r\nChanged Name Country Observed\r\nAPT groups\r\n  UNC3886 2021-Early 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3eb047f-01f5-47a2-bda0-fd6d7d32146d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3eb047f-01f5-47a2-bda0-fd6d7d32146d\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3eb047f-01f5-47a2-bda0-fd6d7d32146d" ], "report_names": [ "listgroups.cgi?u=c3eb047f-01f5-47a2-bda0-fd6d7d32146d" ], "threat_actors": [ { "id": "9df8987a-27fc-45c5-83b0-20dceb8288af", "created_at": "2025-10-29T02:00:51.836932Z", "updated_at": "2026-04-10T02:00:05.253487Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "UNC3886" ], "source_name": "MITRE:UNC3886", "tools": [ "MOPSLED", "VIRTUALPIE", "CASTLETAP", "THINCRUST", "VIRTUALPITA", "RIFLESPINE" ], "source_id": "MITRE", "reports": null }, { "id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d", "created_at": "2024-08-28T02:02:09.711951Z", "updated_at": "2026-04-10T02:00:04.957678Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "Fire Ant" ], "source_name": "ETDA:UNC3886", "tools": [ "BOLDMOVE", "CASTLETAP", "LOOKOVER", "MOPSLED", "RIFLESPINE", "TABLEFLIP", "THINCRUST", "Tiny SHell", "VIRTUALGATE", "VIRTUALPIE", "VIRTUALPITA", "VIRTUALSHINE", "tsh" ], "source_id": "ETDA", "reports": null }, { "id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37", "created_at": "2023-11-04T02:00:07.663664Z", "updated_at": "2026-04-10T02:00:03.385989Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [], "source_name": "MISPGALAXY:UNC3886", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434083, "ts_updated_at": 1775826688, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/382c59377c8f05151c62db5664e54f11cc2e8293.pdf", "text": "https://archive.orkl.eu/382c59377c8f05151c62db5664e54f11cc2e8293.txt", "img": "https://archive.orkl.eu/382c59377c8f05151c62db5664e54f11cc2e8293.jpg" } }