{
	"id": "7d196201-0427-4347-b65c-78aace7780cb",
	"created_at": "2026-04-06T00:12:00.089976Z",
	"updated_at": "2026-04-10T03:35:53.678216Z",
	"deleted_at": null,
	"sha1_hash": "59ab67a67df8d06dbee9c3a72c3cff07fff3cbac",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50154,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:41:56 UTC\nTool: JripBot\nNames: JripBot, Jiripbot\nCategory: Malware\nType: Reconnaissance, Backdoor, Credential stealer, Info stealer, Loader, Dropper\nDescription\n(Kaspersky) The malware set used by the Wild Neutron threat actor has several component groups, including:\n• A main backdoor module that initiates the first communication with C\u0026C server\n• Several information gathering modules\n• Exploitation tools\n• SSH-based exfiltration tools\n• Intermediate loaders and droppers that decrypt and run the payloads\nAlthough customized, some of the modules seem to be heavily based on open source tools (e.g. the password dumper resembles the code of Mimikatz and Pass-The-Hash Toolkit) and commercial malware (HTTPS proxy module is practically identical to the one that is used by HesperBot).\nInformation: Malpedia, AlienVault OTX\nLast change to this tool card: 23 April 2020\nAll groups using tool JripBot\nAPT groups\nName: Wild Neutron, Butterfly, Sphinx Moth; Country: [Unknown]; Observed: 2013-Feb 2013\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=742c30fb-2172-4d2a-89db-2112e2bf6971",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=742c30fb-2172-4d2a-89db-2112e2bf6971"
	],
	"report_names": [
		"listgroups.cgi?u=742c30fb-2172-4d2a-89db-2112e2bf6971"
	],
	"threat_actors": [
		{
			"id": "92c0dae2-e255-4b90-8d8f-be88e393ab8d",
			"created_at": "2022-10-25T16:07:24.402328Z",
			"updated_at": "2026-04-10T02:00:04.97641Z",
			"deleted_at": null,
			"main_name": "Wild Neutron",
			"aliases": [
				"Butterfly",
				"Morpho",
				"Sphinx Moth",
				"The Postal Group",
				"Wild Neutron"
			],
			"source_name": "ETDA:Wild Neutron",
			"tools": [
				"HesperBot",
				"Jiripbot",
				"JripBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a653b7ac-97b5-465b-98cd-8713223b06a7",
			"created_at": "2023-01-06T13:46:38.592385Z",
			"updated_at": "2026-04-10T02:00:03.032867Z",
			"deleted_at": null,
			"main_name": "WildNeutron",
			"aliases": [
				"Morpho",
				"Sphinx Moth"
			],
			"source_name": "MISPGALAXY:WildNeutron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434320,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59ab67a67df8d06dbee9c3a72c3cff07fff3cbac.pdf",
		"text": "https://archive.orkl.eu/59ab67a67df8d06dbee9c3a72c3cff07fff3cbac.txt",
		"img": "https://archive.orkl.eu/59ab67a67df8d06dbee9c3a72c3cff07fff3cbac.jpg"
	}
}