{
	"id": "c389a199-81b9-4c4c-9a38-37035cc6ff43",
	"created_at": "2026-04-06T00:22:15.683693Z",
	"updated_at": "2026-04-10T03:28:12.38918Z",
	"deleted_at": null,
	"sha1_hash": "3e6c492fca1bdf39f326a91a675173ded8eea695",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48878,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:33:10 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MirrorStealer\n Tool: MirrorStealer\nNames MirrorStealer\nCategory Malware\nType Credential stealer\nDescription\n(ESET) MirrorStealer, internally named 31558_n.dll by MirrorFace, is a credential stealer. To\nthe best of our knowledge, this malware has not been publicly described. In general,\nMirrorStealer steals credentials from various applications such as browsers and email clients.\nInterestingly, one of the targeted applications is Becky!, an email client that is currently only\navailable in Japan. All the stolen credentials are stored in %TEMP%\\31558.txt and since\nMirrorStealer doesn’t have the capability to exfiltrate the stolen data, it depends on other\nmalware to do it.\nInformation\nLast change to this tool card: 27 December 2022\nDownload this tool card in JSON format\nAll groups using tool MirrorStealer\nChanged Name Country Observed\nAPT groups\n Operation LiberalFace, MirrorFace 2019-Aug 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5826f248-287f-4b28-a5fe-03a46ee71957\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5826f248-287f-4b28-a5fe-03a46ee71957\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5826f248-287f-4b28-a5fe-03a46ee71957"
	],
	"report_names": [
		"listgroups.cgi?u=5826f248-287f-4b28-a5fe-03a46ee71957"
	],
	"threat_actors": [
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434935,
	"ts_updated_at": 1775791692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e6c492fca1bdf39f326a91a675173ded8eea695.pdf",
		"text": "https://archive.orkl.eu/3e6c492fca1bdf39f326a91a675173ded8eea695.txt",
		"img": "https://archive.orkl.eu/3e6c492fca1bdf39f326a91a675173ded8eea695.jpg"
	}
}