{
	"id": "f76da606-080e-4d87-a119-92202e82245d",
	"created_at": "2026-04-06T00:13:02.884195Z",
	"updated_at": "2026-04-10T13:12:24.546846Z",
	"deleted_at": null,
	"sha1_hash": "3e16dd72972d1c12d745b041fae5b0da685c3215",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44035,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:08:26 UTC\r\n Tool: MINEDOOR\r\nNames MINEDOOR\r\nCategory Malware\r\nType Dropper\r\nDescription\r\n(FireEye) In January 2020, Mandiant experts identified email campaigns that used\r\nMINEDOOR to deliver the MINEBRIDGE backdoor. The limited overlap in TTPs between\r\nthese campaigns and contemporaneous FIN11 campaigns may suggest MINEDOOR is not\r\nexclusive to FIN11.\r\nLast change to this tool card: 20 October 2020\r\nAll groups using tool MINEDOOR\r\nChanged Name Country Observed\r\nAPT groups\r\n  FIN11 [Unknown] 2016-Mar 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ab9a9fd2-dc5d-4123-87e0-a8ccc21e928f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ab9a9fd2-dc5d-4123-87e0-a8ccc21e928f"
	],
	"report_names": [
		"listgroups.cgi?u=ab9a9fd2-dc5d-4123-87e0-a8ccc21e928f"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e16dd72972d1c12d745b041fae5b0da685c3215.pdf",
		"text": "https://archive.orkl.eu/3e16dd72972d1c12d745b041fae5b0da685c3215.txt",
		"img": "https://archive.orkl.eu/3e16dd72972d1c12d745b041fae5b0da685c3215.jpg"
	}
}