{
	"id": "dd3cd600-7280-480f-8192-50adb846f3d4",
	"created_at": "2026-04-06T00:18:35.812144Z",
	"updated_at": "2026-04-10T03:36:19.000315Z",
	"deleted_at": null,
	"sha1_hash": "388cad34a65f5da166cab8b144ba178bf343ac60",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47768,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:01:28 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ESRDE\n Tool: ESRDE\nNames ESRDE\nCategory Malware\nType Backdoor\nDescription\n(Sygnia) A tool with similar capabilities to that of ‘VELVETSTING’, but with minor\ndifferences, such as using bash instead of ‘csh’. The tool was not running on the device at the\ntime of investigation.\nInformation Last change to this tool card: 19 June 2024\nDownload this tool card in JSON format\nAll groups using tool ESRDE\nChanged Name Country Observed\nAPT groups\n Velvet Ant 2023-Jul 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=539937b8-3a61-4f0a-be81-d9176222d61c\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=539937b8-3a61-4f0a-be81-d9176222d61c\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=539937b8-3a61-4f0a-be81-d9176222d61c"
	],
	"report_names": [
		"listgroups.cgi?u=539937b8-3a61-4f0a-be81-d9176222d61c"
	],
	"threat_actors": [
		{
			"id": "822063cf-d9bd-499a-9715-70d95881378f",
			"created_at": "2025-04-23T02:00:55.295207Z",
			"updated_at": "2026-04-10T02:00:05.254566Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [
				"Velvet Ant"
			],
			"source_name": "MITRE:Velvet Ant",
			"tools": [
				"PlugX",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0c0d8f44-d131-41c8-a693-efb687e777f1",
			"created_at": "2024-06-20T02:02:10.211899Z",
			"updated_at": "2026-04-10T02:00:04.962606Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [],
			"source_name": "ETDA:Velvet Ant",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"ESRDE",
				"Kaba",
				"Korplug",
				"POISONPLUG.SHADOW",
				"PlugX",
				"RedDelta",
				"SAMRID",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"VELVETSTING",
				"VELVETTAP",
				"XShellGhost",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434715,
	"ts_updated_at": 1775792179,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/388cad34a65f5da166cab8b144ba178bf343ac60.pdf",
		"text": "https://archive.orkl.eu/388cad34a65f5da166cab8b144ba178bf343ac60.txt",
		"img": "https://archive.orkl.eu/388cad34a65f5da166cab8b144ba178bf343ac60.jpg"
	}
}