{
	"id": "b82796e5-dcb5-4261-8432-eace97ef9181",
	"created_at": "2026-04-06T00:21:43.765131Z",
	"updated_at": "2026-04-10T03:27:16.22279Z",
	"deleted_at": null,
	"sha1_hash": "54a4147b836a3830c513e1dadb2a824c9c0059aa",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51135,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:10:24 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool OwlProxy\n Tool: OwlProxy\nNames OwlProxy\nCategory Malware\nType Tunneling\nDescription\n(ESET) Across the victims and malware we analyzed here, an interesting piece of malware\nstood out and needed a deeper look. From an initial, quick analysis, it was recognized as\nOwlProxy; an HTTP proxy server. A complete analysis can be found in this Cycraft post. This\nmodule also comes in two variants – 32- and 64-bit versions – and as a result it contains a\nfunction to test the Windows version as in the Gelsemium components.\nInformation\nMalpedia Last change to this tool card: 28 December 2021\nDownload this tool card in JSON format\nAll groups using tool OwlProxy\nChanged Name Country Observed\nAPT groups\n Gelsemium 2014-2023\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=47f36fe6-e027-4622-9958-5deb84631ea4\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=47f36fe6-e027-4622-9958-5deb84631ea4\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=47f36fe6-e027-4622-9958-5deb84631ea4\r\nPage 2 of 2\n\nAPT groups  Gelsemium 2014-2023 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=47f36fe6-e027-4622-9958-5deb84631ea4"
	],
	"report_names": [
		"listgroups.cgi?u=47f36fe6-e027-4622-9958-5deb84631ea4"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434903,
	"ts_updated_at": 1775791636,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54a4147b836a3830c513e1dadb2a824c9c0059aa.pdf",
		"text": "https://archive.orkl.eu/54a4147b836a3830c513e1dadb2a824c9c0059aa.txt",
		"img": "https://archive.orkl.eu/54a4147b836a3830c513e1dadb2a824c9c0059aa.jpg"
	}
}