{
	"id": "04fd9d9b-915b-4a69-853a-2ecb709c7056",
	"created_at": "2026-04-06T00:17:02.14827Z",
	"updated_at": "2026-04-10T13:12:34.016788Z",
	"deleted_at": null,
	"sha1_hash": "5d8b25a7bd9a77890589bb277f85078946adfb52",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47982,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:12:12 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Owowa\n Tool: Owowa\nNames Owowa\nCategory Malware\nType Credential stealer\nDescription\n(Kaspersky) While looking for potentially malicious implants that targeted Microsoft\nExchange servers, we identified a suspicious binary that had been submitted to a multiscanner\nservice in late 2020. Analyzing the code, we determined that the previously unknown binary is\nan IIS module, aimed at stealing credentials and enabling remote command execution from\nOWA. We named the malicious module ‘Owowa’, and identified several compromised servers\nlocated in Asia.\nInformation Malpedia Last change to this tool card: 27 December 2022\nDownload this tool card in JSON format\nAll groups using tool Owowa\nChanged Name Country Observed\nAPT groups\n Gelsemium 2014-2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=02cb4fac-80e9-42d0-9722-552fb9a706b2\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=02cb4fac-80e9-42d0-9722-552fb9a706b2\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=02cb4fac-80e9-42d0-9722-552fb9a706b2"
	],
	"report_names": [
		"listgroups.cgi?u=02cb4fac-80e9-42d0-9722-552fb9a706b2"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434622,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d8b25a7bd9a77890589bb277f85078946adfb52.pdf",
		"text": "https://archive.orkl.eu/5d8b25a7bd9a77890589bb277f85078946adfb52.txt",
		"img": "https://archive.orkl.eu/5d8b25a7bd9a77890589bb277f85078946adfb52.jpg"
	}
}