{
	"id": "e7c1fa5e-e8a9-4815-8012-83990c375563",
	"created_at": "2026-04-06T00:20:05.239189Z",
	"updated_at": "2026-04-10T03:27:16.227036Z",
	"deleted_at": null,
	"sha1_hash": "3f26497021956165ac1600d78b38aa6d16cb0058",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47823,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:25:28 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SessionManager\n Tool: SessionManager\nNames SessionManager\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) SessionManager is a unique custom backdoor that allows its operators to run\ncommands, as well as uploading files to and downloading them from the web server. This\nthreat also allows attackers to use the web server as a proxy to communicate with additional\nsystems on the network.\nInformation\nMalpedia\nLast change to this tool card: 13 October 2023\nDownload this tool card in JSON format\nAll groups using tool SessionManager\nChanged Name Country Observed\nAPT groups\n Gelsemium 2014-2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6bb6d05c-cfa7-40a7-91c2-92d94b3e2f38\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6bb6d05c-cfa7-40a7-91c2-92d94b3e2f38\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6bb6d05c-cfa7-40a7-91c2-92d94b3e2f38"
	],
	"report_names": [
		"listgroups.cgi?u=6bb6d05c-cfa7-40a7-91c2-92d94b3e2f38"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434805,
	"ts_updated_at": 1775791636,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f26497021956165ac1600d78b38aa6d16cb0058.pdf",
		"text": "https://archive.orkl.eu/3f26497021956165ac1600d78b38aa6d16cb0058.txt",
		"img": "https://archive.orkl.eu/3f26497021956165ac1600d78b38aa6d16cb0058.jpg"
	}
}