{ "id": "34d9baf5-d241-441e-bf3c-17d70ff38f1e", "created_at": "2026-04-06T00:22:02.956632Z", "updated_at": "2026-04-10T03:29:54.674204Z", "deleted_at": null, "sha1_hash": "5898936cedd613636ebce37e98f47eeafb949cde", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49966, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:16:41 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool VIRTUALGATE\r\n Tool: VIRTUALGATE\r\nNames VIRTUALGATE\r\nCategory Malware\r\nType Dropper\r\nDescription\r\n(Mandiant) The Windows guest virtual machines which were hosted by the infected\r\nhypervisors also contained a unique malware sample located at C:\\Windows\\Temp\\avp.exe.\r\nThis malware, which we refer to as VIRTUALGATE, is a utility program written in C that is\r\ncomprised of two (2) parts, a dropper, and the payload. The memory only dropper\r\ndeobfuscates a second stage DLL payload that uses VMware's virtual machine communication\r\ninterface (VMCI) sockets to run commands on a guest virtual machine from a hypervisor host,\r\nor between guest virtual machines on the same host.\r\nInformation\r\n\u003chttps://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.virtualgate\u003e\r\nLast change to this tool card: 27 August 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool VIRTUALGATE\r\nChanged Name Country Observed\r\nAPT groups\r\n  UNC3886 2021-Early 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bab2da7c-d096-486f-acb5-a7bae7d53afc\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bab2da7c-d096-486f-acb5-a7bae7d53afc\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bab2da7c-d096-486f-acb5-a7bae7d53afc\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bab2da7c-d096-486f-acb5-a7bae7d53afc" ], "report_names": [ "listgroups.cgi?u=bab2da7c-d096-486f-acb5-a7bae7d53afc" ], "threat_actors": [ { "id": "9df8987a-27fc-45c5-83b0-20dceb8288af", "created_at": "2025-10-29T02:00:51.836932Z", "updated_at": "2026-04-10T02:00:05.253487Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "UNC3886" ], "source_name": "MITRE:UNC3886", "tools": [ "MOPSLED", "VIRTUALPIE", "CASTLETAP", "THINCRUST", "VIRTUALPITA", "RIFLESPINE" ], "source_id": "MITRE", "reports": null }, { "id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d", "created_at": "2024-08-28T02:02:09.711951Z", "updated_at": "2026-04-10T02:00:04.957678Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "Fire Ant" ], "source_name": "ETDA:UNC3886", "tools": [ "BOLDMOVE", "CASTLETAP", "LOOKOVER", "MOPSLED", "RIFLESPINE", "TABLEFLIP", "THINCRUST", "Tiny SHell", "VIRTUALGATE", "VIRTUALPIE", "VIRTUALPITA", "VIRTUALSHINE", "tsh" ], "source_id": "ETDA", "reports": null }, { "id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37", "created_at": "2023-11-04T02:00:07.663664Z", "updated_at": "2026-04-10T02:00:03.385989Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [], "source_name": "MISPGALAXY:UNC3886", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434922, "ts_updated_at": 1775791794, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5898936cedd613636ebce37e98f47eeafb949cde.pdf", "text": "https://archive.orkl.eu/5898936cedd613636ebce37e98f47eeafb949cde.txt", "img": "https://archive.orkl.eu/5898936cedd613636ebce37e98f47eeafb949cde.jpg" } }