{
	"id": "727a73a7-d4eb-4337-b824-38562153f1c6",
	"created_at": "2026-04-06T00:22:29.276639Z",
	"updated_at": "2026-04-10T13:11:47.776515Z",
	"deleted_at": null,
	"sha1_hash": "4f5cf9244ad8e517c8983c4ff166396814f2d6c6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46774,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:09:35 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool UpDocX\r\n Tool: UpDocX\r\nNames UpDocX\r\nCategory Malware\r\nType Backdoor, Keylogger, Exfiltration\r\nDescription\r\nUpDocX was written in VB.NET and compiled without any attempts at obfuscating the source code. There is\r\nalso no attempt at obfuscating C2 network traffic. It has limited functionality and appears to be a simple\r\nbackdoor used solely for keylogging and uploading documents to designated C2 servers. The attackers have,\r\nhowever, put some effort into avoiding detection and hindering investigations. UpDocX has an extensive list of\r\nclean-up functions responsible for eliminating evidence of compromise, which indicates a degree of caution\r\noften not observed in targeted attacks.\r\nInformation \u003chttps://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/UnFIN4ished_Business_pwd.pdf\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:UpDocX\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool UpDocX\r\nChanged Name Country Observed\r\nAPT groups\r\n  FIN4, Wolf Spider 2013  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ca704d4a-0ff0-449e-ac40-95d8e22cd8d5\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ca704d4a-0ff0-449e-ac40-95d8e22cd8d5\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ca704d4a-0ff0-449e-ac40-95d8e22cd8d5"
	],
	"report_names": [
		"listgroups.cgi?u=ca704d4a-0ff0-449e-ac40-95d8e22cd8d5"
	],
	"threat_actors": [
		{
			"id": "2799bc47-e502-49f0-a289-87e3cc95ecc6",
			"created_at": "2022-10-25T15:50:23.706367Z",
			"updated_at": "2026-04-10T02:00:05.34551Z",
			"deleted_at": null,
			"main_name": "FIN4",
			"aliases": [
				"FIN4"
			],
			"source_name": "MITRE:FIN4",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5f6ade4c-e2db-46f0-b1b4-529ea52d040b",
			"created_at": "2022-10-25T16:07:23.611546Z",
			"updated_at": "2026-04-10T02:00:04.687074Z",
			"deleted_at": null,
			"main_name": "FIN4",
			"aliases": [
				"FIN4",
				"G0085",
				"Wolf Spider"
			],
			"source_name": "ETDA:FIN4",
			"tools": [
				"UpDocX"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3571da12-0890-45e7-85d3-04fac7070b52",
			"created_at": "2023-01-06T13:46:38.414772Z",
			"updated_at": "2026-04-10T02:00:02.964831Z",
			"deleted_at": null,
			"main_name": "WOLF SPIDER",
			"aliases": [
				"FIN4",
				"G0085"
			],
			"source_name": "MISPGALAXY:WOLF SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f5cf9244ad8e517c8983c4ff166396814f2d6c6.pdf",
		"text": "https://archive.orkl.eu/4f5cf9244ad8e517c8983c4ff166396814f2d6c6.txt",
		"img": "https://archive.orkl.eu/4f5cf9244ad8e517c8983c4ff166396814f2d6c6.jpg"
	}
}