{
	"id": "1bd5ca35-7cec-4a10-93dc-4cdc4ba4d116",
	"created_at": "2026-04-06T00:13:30.289878Z",
	"updated_at": "2026-04-10T03:33:24.146428Z",
	"deleted_at": null,
	"sha1_hash": "5c00124e2ccc65b777ca6009f6475db73d7287cd",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48642,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:30:11 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool EtherealGh0st\r\n Tool: EtherealGh0st\r\nNames EtherealGh0st\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Bitdefender) A variant of Gh0st RAT, evolved from TranslucentGh0st. The execution of the\r\nEtherealGh0st agent starts with the decryption of C2 addresses and ports, which are base64\r\nencoded strings.\r\nAfter decoding, a SUB 6 operation is performed on the resulting buffer, and the C2 and port are\r\npassed down to establish the connection. Although the port is also encoded, it always has the\r\nsame value, “Ojo5,” which corresponds to 443 after decryption.\r\n(Worked check: base64-decoding “Ojo5” gives the bytes 0x3A 0x3A 0x39; subtracting 6 from each\r\nbyte gives 0x34 0x34 0x33, the ASCII string “443”.)\r\nInformation\r\n\u003chttps://blogapp.bitdefender.com/labs/content/files/2024/05/Bitdefender-Report-DeepDive-creat7721-en_EN.pdf\u003e\r\nLast change to this tool card: 18 June 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool EtherealGh0st\r\nChanged Name Country Observed\r\nAPT groups\r\n  Unfading Sea Haze 2018  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=83f74a13-33e7-432a-bbfe-291c4530d39a\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=83f74a13-33e7-432a-bbfe-291c4530d39a\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=83f74a13-33e7-432a-bbfe-291c4530d39a"
	],
	"report_names": [
		"listgroups.cgi?u=83f74a13-33e7-432a-bbfe-291c4530d39a"
	],
	"threat_actors": [
		{
			"id": "f51de4ba-d3f5-4df7-ab5a-034b32584e48",
			"created_at": "2024-06-20T02:02:10.208158Z",
			"updated_at": "2026-04-10T02:00:04.960754Z",
			"deleted_at": null,
			"main_name": "Unfading Sea Haze",
			"aliases": [],
			"source_name": "ETDA:Unfading Sea Haze",
			"tools": [
				"DustyExfilTool",
				"EtherealGh0st",
				"FluffyGh0st",
				"InsidiousGh0st",
				"Ps2dllLoader",
				"SerialPktdoor",
				"SharpJSHandler",
				"SharpZulip",
				"SilentGh0st",
				"Stubbedoor",
				"TranslucentGh0st",
				"xkeylog"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cd48e0e6-b206-478d-bcb4-198be54bdf7a",
			"created_at": "2024-06-07T02:00:04.002734Z",
			"updated_at": "2026-04-10T02:00:03.644376Z",
			"deleted_at": null,
			"main_name": "Unfading Sea Haze",
			"aliases": [],
			"source_name": "MISPGALAXY:Unfading Sea Haze",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434410,
	"ts_updated_at": 1775792004,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c00124e2ccc65b777ca6009f6475db73d7287cd.pdf",
		"text": "https://archive.orkl.eu/5c00124e2ccc65b777ca6009f6475db73d7287cd.txt",
		"img": "https://archive.orkl.eu/5c00124e2ccc65b777ca6009f6475db73d7287cd.jpg"
	}
}