{
	"id": "e3da1058-a2f4-4db3-9de9-dee9eb20b3f2",
	"created_at": "2026-04-06T00:14:09.000614Z",
	"updated_at": "2026-04-10T03:29:06.899313Z",
	"deleted_at": null,
	"sha1_hash": "38fba60b43592d4dac7538e44cfa40c015702ceb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44816,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:36:40 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PlugY\n Tool: PlugY\nNames PlugY\nCategory Malware\nType Backdoor, Info stealer\nDescription\n(Kaspersky) Having analyzed the behavior of the newly found CloudSorcerer samples, we\nfound that the attackers used it to download a previously unknown implant. This implant\nconnects to the C2 server by one of three methods:\n• TCP protocol\n• UDP protocol\n• Named pipes\nThe set of commands this implant can handle is quite extensive, and implemented commands\nrange from manipulating files and executing shell commands to logging keystrokes and\nmonitoring the screen or the clipboard.\nInformation Last change to this tool card: 27 August 2024\nDownload this tool card in JSON format\nAll groups using tool PlugY\nChanged Name Country Observed\nAPT groups\n CloudSorcerer [Unknown] 2024-Jul 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8ab930f9-1f09-41ce-912f-f95221973e88\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8ab930f9-1f09-41ce-912f-f95221973e88\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8ab930f9-1f09-41ce-912f-f95221973e88\r\nPage 2 of 2\n\nAPT groups CloudSorcerer  [Unknown] 2024-Jul 2024\n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8ab930f9-1f09-41ce-912f-f95221973e88"
	],
	"report_names": [
		"listgroups.cgi?u=8ab930f9-1f09-41ce-912f-f95221973e88"
	],
	"threat_actors": [
		{
			"id": "5d1a4f32-cc52-4ee8-acab-993cfa2ef5ad",
			"created_at": "2024-07-09T02:00:04.425917Z",
			"updated_at": "2026-04-10T02:00:03.67013Z",
			"deleted_at": null,
			"main_name": "CloudSorcerer",
			"aliases": [],
			"source_name": "MISPGALAXY:CloudSorcerer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b1db2dce-5a2b-4fc4-85c2-d184acc956a0",
			"created_at": "2024-08-28T02:02:09.272572Z",
			"updated_at": "2026-04-10T02:00:04.622449Z",
			"deleted_at": null,
			"main_name": "CloudSorcerer",
			"aliases": [
				"Operation EastWind"
			],
			"source_name": "ETDA:CloudSorcerer",
			"tools": [
				"GrewApacha",
				"PlugY",
				"The CloudSorcerer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775791746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38fba60b43592d4dac7538e44cfa40c015702ceb.pdf",
		"text": "https://archive.orkl.eu/38fba60b43592d4dac7538e44cfa40c015702ceb.txt",
		"img": "https://archive.orkl.eu/38fba60b43592d4dac7538e44cfa40c015702ceb.jpg"
	}
}