{
	"id": "d42dedd9-7f01-4f3a-9627-107145b46b9f",
	"created_at": "2026-04-06T03:35:55.141937Z",
	"updated_at": "2026-04-10T13:11:51.021566Z",
	"deleted_at": null,
	"sha1_hash": "5e181eed7e9edeca9564a6e258c0cd19d3648d9b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43840,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 03:15:24 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool WINGHOOK\r\n Tool: WINGHOOK\r\nNames WINGHOOK\r\nCategory Malware\r\nType Credential stealer\r\nDescription\r\n(Mandiant) WINGHOOK is a keylogger for Linux and Unix based operating systems. It is\r\npackaged as a shared library (SO file) that hooks the read and fgets functions, which are two\r\ncommon functions used for processing user input. The captured data is stored in an encoded\r\nformat in the directory /var/tmp/ with a filename that begins with .zmanDw.\r\nInformation \u003chttps://www.mandiant.com/resources/unc2891-overview\u003e\r\nLast change to this tool card: 03 April 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool WINGHOOK\r\nChanged Name Country Observed\r\nAPT groups\r\n  UNC2891 [Unknown] 2020  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=397ad497-a122-48d7-895a-35cdd285f102\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=397ad497-a122-48d7-895a-35cdd285f102\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=397ad497-a122-48d7-895a-35cdd285f102"
	],
	"report_names": [
		"listgroups.cgi?u=397ad497-a122-48d7-895a-35cdd285f102"
	],
	"threat_actors": [
		{
			"id": "8b0219d5-cb32-4702-a4d6-7de8beb9b7a8",
			"created_at": "2022-10-25T16:07:24.364598Z",
			"updated_at": "2026-04-10T02:00:04.955871Z",
			"deleted_at": null,
			"main_name": "UNC2891",
			"aliases": [],
			"source_name": "ETDA:UNC2891",
			"tools": [
				"BINBASH",
				"CAKETAP",
				"MIGLOGCLEANER",
				"SLAPSTICK",
				"STEELCORGI",
				"STEELHOUND",
				"SUN4ME",
				"Tiny SHell",
				"WINGCRACK",
				"WINGHOOK",
				"WIPERIGHT",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446555,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e181eed7e9edeca9564a6e258c0cd19d3648d9b.pdf",
		"text": "https://archive.orkl.eu/5e181eed7e9edeca9564a6e258c0cd19d3648d9b.txt",
		"img": "https://archive.orkl.eu/5e181eed7e9edeca9564a6e258c0cd19d3648d9b.jpg"
	}
}