{
	"id": "14345782-ae87-46af-be19-d3562a9473f2",
	"created_at": "2026-04-06T00:15:34.315887Z",
	"updated_at": "2026-04-10T13:12:20.872331Z",
	"deleted_at": null,
	"sha1_hash": "510006f66458393307b5670721851a4174f8d48e",
	"title": "Net Crawler - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57431,
	"plain_text": "Net Crawler - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:11:22 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Net Crawler\n Tool: Net Crawler\nNames\nNet Crawler\nNetC\nCategory Malware\nType Reconnaissance, Worm, Credential stealer, Info stealer\nDescription\n(Cylance) NetC is a tool developed in C# and has been observed being obfuscated with\nSmartAssembly, which is a tool used by legitimate businesses as well as .NET malware\nauthors. Both known samples of NetC were compiled in April and May of 2013. It has\nthe capability to run commands on all computers in the domain with credentials\nextracted from the initially compromised host. This capability allows it to operate as a\nutility for pivoting once a computer on the network has already been compromised. It\nalso has the functionality to spread to other computers in the network, and then call itself\nagain, worming throughout the network, returning harvested credentials and command\nresults.\nInformation MITRE ATT\u0026CK Malpedia Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool Net Crawler\nChanged Name Country Observed\nAPT groups\n Cutting Kitten, TG-2889 2012-Mar 2016\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ebcc4be9-626e-436e-a182-21fbbc1650ea\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ebcc4be9-626e-436e-a182-21fbbc1650ea\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ebcc4be9-626e-436e-a182-21fbbc1650ea\r\nPage 2 of 2\n\nChanged APT groups Name Country   Observed \nCutting Kitten, TG-2889  2012-Mar 2016\n  Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ebcc4be9-626e-436e-a182-21fbbc1650ea"
	],
	"report_names": [
		"listgroups.cgi?u=ebcc4be9-626e-436e-a182-21fbbc1650ea"
	],
	"threat_actors": [
		{
			"id": "49f1ada0-181f-4e89-a449-e6bc13c8c6b1",
			"created_at": "2022-10-25T15:50:23.561511Z",
			"updated_at": "2026-04-10T02:00:05.382592Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"Threat Group 2889",
				"TG-2889"
			],
			"source_name": "MITRE:Cleaver",
			"tools": [
				"Net Crawler",
				"PsExec",
				"TinyZBot",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9663cdbf-646e-4579-881a-a8ebc3aabf63",
			"created_at": "2023-01-06T13:46:38.360862Z",
			"updated_at": "2026-04-10T02:00:02.942852Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"ITsecTeam"
			],
			"source_name": "MISPGALAXY:Cutting Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "217c588a-5896-4335-b9ec-a516ae2f9a7e",
			"created_at": "2022-10-25T16:07:23.513775Z",
			"updated_at": "2026-04-10T02:00:04.635263Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"Cutting Kitten",
				"G0003",
				"Operation Cleaver",
				"TG-2889"
			],
			"source_name": "ETDA:Cutting Kitten",
			"tools": [
				"CsExt",
				"DistTrack",
				"IvizTech",
				"Jasus",
				"KAgent",
				"Logger Module",
				"MANGOPUNCH",
				"MPK",
				"MPKBot",
				"Net Crawler",
				"NetC",
				"PVZ-In",
				"PVZ-Out",
				"Pupy",
				"PupyRAT",
				"PvzOut",
				"Shamoon",
				"SynFlooder",
				"SysKit",
				"TinyZBot",
				"WndTest",
				"pupy",
				"zhCat",
				"zhMimikatz"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/510006f66458393307b5670721851a4174f8d48e.pdf",
		"text": "https://archive.orkl.eu/510006f66458393307b5670721851a4174f8d48e.txt",
		"img": "https://archive.orkl.eu/510006f66458393307b5670721851a4174f8d48e.jpg"
	}
}