{
	"id": "a069b2d4-47c7-481a-ba78-675f47a42e79",
	"created_at": "2026-04-06T00:19:36.980442Z",
	"updated_at": "2026-04-10T03:31:32.843837Z",
	"deleted_at": null,
	"sha1_hash": "4890c5edae4c96308a7375e095a802f3c8578057",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51638,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:16:56 UTC\r\n Tool: Caterpillar\r\nNames Caterpillar\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Downloader\r\nDescription\r\n(ClearSky) Acting as a focal point, the group usually attacks webservers via a custom\r\nWebShell, namely Caterpillar – a variant of the open source WebShell ‘ASPXSpy’. By using\r\nWebShell, the attackers leave their fingerprint on the web server and the internal network,\r\nmove laterally, and deploy additional tools. On each compromised network the attacker\r\ninstalled one or more WebShell, supposedly to gain persistence and diversify the use of similar\r\ntools. The attackers use the WebShell to communicate with their C\u0026C server for running\r\ncommands and exfiltrating sensitive information. Connection to the WebShell is made using\r\nNordVPN or ExpressVPN services.\r\nInformation \u003chttps://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf\u003e\r\nLast change to this tool card: 19 April 2021\r\nAll groups using tool Caterpillar\r\nChanged Name Country Observed\r\nAPT groups\r\n  Volatile Cedar 2012-Early 2020  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=608a396b-d841-425f-955c-4d1ee77d65e5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=608a396b-d841-425f-955c-4d1ee77d65e5"
	],
	"report_names": [
		"listgroups.cgi?u=608a396b-d841-425f-955c-4d1ee77d65e5"
	],
	"threat_actors": [
		{
			"id": "bc5c22a8-29eb-4a87-acd6-4817060e80f2",
			"created_at": "2022-10-25T15:50:23.658256Z",
			"updated_at": "2026-04-10T02:00:05.38013Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Volatile Cedar",
				"Lebanese Cedar"
			],
			"source_name": "MITRE:Volatile Cedar",
			"tools": [
				"Caterpillar WebShell"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b152bc-6f7e-463c-8b4c-a4844caea6df",
			"created_at": "2023-01-06T13:46:38.498795Z",
			"updated_at": "2026-04-10T02:00:03.000373Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Lebanese Cedar",
				"DeftTorero"
			],
			"source_name": "MISPGALAXY:Volatile Cedar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775791892,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4890c5edae4c96308a7375e095a802f3c8578057.pdf",
		"text": "https://archive.orkl.eu/4890c5edae4c96308a7375e095a802f3c8578057.txt",
		"img": "https://archive.orkl.eu/4890c5edae4c96308a7375e095a802f3c8578057.jpg"
	}
}