{
	"id": "68ae083a-10aa-4393-8f72-99bb1f8a89b8",
	"created_at": "2026-04-06T00:11:50.111571Z",
	"updated_at": "2026-04-10T03:29:01.745162Z",
	"deleted_at": null,
	"sha1_hash": "432e972ffa09f9beec4850ea1a45fe594b8b61c9",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52388,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:12:35 UTC\r\n Tool: MSUpdater\r\nNames MSUpdater\r\nCategory Malware\r\nType Dropper, Backdoor, Info stealer, Exfiltration\r\nDescription\r\n(ZScaler) The malware dropped and launched from the PDF exploit has been seen to be\r\nvirtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan\r\nfunctionality is decrypted at run-time, and includes expected functionality, such as,\r\ndownloading, uploading, and executing files driven by commands from the C\u0026C.\r\nCommunication with the C\u0026C is over HTTP but is encoded to evade detection. The\r\nTrojan file name (e.g., 'msupdate.exe') and the HTTP paths used in the C\u0026C (e.g.,\r\n'/microsoftupdate/getupdate/default.aspx') are used to stay under the radar by appearing to\r\nbe related to Microsoft Windows Update - hence the name given to this Trojan.\r\nInformation\r\n\u003chttps://www.zscaler.com/blogs/research/msupdater-trojan-and-link-targeted-attacks\u003e\r\n\u003chttps://cybersecurity.att.com/blogs/labs-research/msupdater-trojan-found-using-cve-2012-0158-space-and-missile-defense-conference\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:msupdater\u003e\r\nLast change to this tool card: 20 April 2020\r\nAll groups using tool MSUpdater\r\nChanged Name Country Observed\r\nAPT groups\r\n  Putter Panda, APT 2 2007  \r\n1 group listed (1 APT, 0 other, 0 unknown)\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e288f4fe-9d9f-4f36-be19-6895ad1ada0c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e288f4fe-9d9f-4f36-be19-6895ad1ada0c"
	],
	"report_names": [
		"listgroups.cgi?u=e288f4fe-9d9f-4f36-be19-6895ad1ada0c"
	],
	"threat_actors": [
		{
			"id": "abd17060-62f6-4743-95e8-3f23c82cc229",
			"created_at": "2022-10-25T15:50:23.428772Z",
			"updated_at": "2026-04-10T02:00:05.365894Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"Putter Panda",
				"APT2",
				"MSUpdater"
			],
			"source_name": "MITRE:Putter Panda",
			"tools": [
				"pngdowner",
				"3PARA RAT",
				"4H RAT",
				"httpclient"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "468b7acd-895c-4c93-b572-b42f4035b4d4",
			"created_at": "2023-01-06T13:46:38.265636Z",
			"updated_at": "2026-04-10T02:00:02.902436Z",
			"deleted_at": null,
			"main_name": "APT2",
			"aliases": [
				"MSUpdater",
				"4HCrew",
				"SearchFire",
				"TG-6952",
				"G0024",
				"PLA Unit 61486",
				"PUTTER PANDA"
			],
			"source_name": "MISPGALAXY:APT2",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b066585-3591-4ddd-b3cc-f4e19e0e00ef",
			"created_at": "2022-10-25T16:07:24.086915Z",
			"updated_at": "2026-04-10T02:00:04.862463Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"4HCrew",
				"APT 2",
				"G0024",
				"Group 36",
				"Putter Panda",
				"SearchFire",
				"TG-6952"
			],
			"source_name": "ETDA:Putter Panda",
			"tools": [
				"3PARA RAT",
				"4H RAT",
				"4h_rat",
				"MSUpdater",
				"httpclient",
				"pngdowner"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434310,
	"ts_updated_at": 1775791741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/432e972ffa09f9beec4850ea1a45fe594b8b61c9.pdf",
		"text": "https://archive.orkl.eu/432e972ffa09f9beec4850ea1a45fe594b8b61c9.txt",
		"img": "https://archive.orkl.eu/432e972ffa09f9beec4850ea1a45fe594b8b61c9.jpg"
	}
}