{ "id": "ed67c101-a34b-49c5-9ef7-bdef9aacf51b", "created_at": "2026-04-06T00:07:49.701085Z", "updated_at": "2026-04-10T03:29:54.659901Z", "deleted_at": null, "sha1_hash": "411256ef0ac51bc298f1f70d6d613a3c11e4895d", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49543, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 12:28:37 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BOLDMOVE\r\n Tool: BOLDMOVE\r\nNames BOLDMOVE\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Mandiant) With BOLDMOVE, the attackers not only developed an exploit, but\r\nmalware that shows an in-depth understanding of systems, services, logging, and\r\nundocumented proprietary formats. Malware running on an internet-connected device\r\ncan enable lateral movement further into a network and enable command and control\r\n(C2) by tunneling commands in and data out of a network.\r\nInformation \u003chttps://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw\u003e\r\nMITRE ATT\u0026CK \u003chttps://attack.mitre.org/software/S1184\u003e\r\nMalpedia\r\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/elf.boldmove\u003e\r\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove\u003e\r\nLast change to this tool card: 28 June 2025\r\nDownload this tool card in JSON format\r\nAll groups using tool BOLDMOVE\r\nChanged Name Country Observed\r\nAPT groups\r\n  UNC3886 2021-Early 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e25106ad-3057-4086-a266-034b961892c3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e25106ad-3057-4086-a266-034b961892c3\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e25106ad-3057-4086-a266-034b961892c3" ], "report_names": [ "listgroups.cgi?u=e25106ad-3057-4086-a266-034b961892c3" ], "threat_actors": [ { "id": "9df8987a-27fc-45c5-83b0-20dceb8288af", "created_at": "2025-10-29T02:00:51.836932Z", "updated_at": "2026-04-10T02:00:05.253487Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "UNC3886" ], "source_name": "MITRE:UNC3886", "tools": [ "MOPSLED", "VIRTUALPIE", "CASTLETAP", "THINCRUST", "VIRTUALPITA", "RIFLESPINE" ], "source_id": "MITRE", "reports": null }, { "id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d", "created_at": "2024-08-28T02:02:09.711951Z", "updated_at": "2026-04-10T02:00:04.957678Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "Fire Ant" ], "source_name": "ETDA:UNC3886", "tools": [ "BOLDMOVE", "CASTLETAP", "LOOKOVER", "MOPSLED", "RIFLESPINE", "TABLEFLIP", "THINCRUST", "Tiny SHell", "VIRTUALGATE", "VIRTUALPIE", "VIRTUALPITA", "VIRTUALSHINE", "tsh" ], "source_id": "ETDA", "reports": null }, { "id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37", "created_at": "2023-11-04T02:00:07.663664Z", "updated_at": "2026-04-10T02:00:03.385989Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [], "source_name": "MISPGALAXY:UNC3886", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434069, "ts_updated_at": 1775791794, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/411256ef0ac51bc298f1f70d6d613a3c11e4895d.pdf", "text": "https://archive.orkl.eu/411256ef0ac51bc298f1f70d6d613a3c11e4895d.txt", "img": "https://archive.orkl.eu/411256ef0ac51bc298f1f70d6d613a3c11e4895d.jpg" } }