{ "id": "11163cc0-31b5-4a7a-b126-6467c142ac93", "created_at": "2026-04-06T00:13:57.391443Z", "updated_at": "2026-04-10T13:12:38.971875Z", "deleted_at": null, "sha1_hash": "63438869c7719edf3d6ab6f9624d4e999f23c09c", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47053, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:51:23 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool XDUpload\r\n Tool: XDUpload\r\nNames XDUpload\r\nCategory Malware\r\nType Info stealer, Exfiltration\r\nDescription\r\n(ESET) Like XDMonitor, XDUpload monitors removable drives and takes regular\r\nscreenshots. The additional feature is that it will collect a list of files that are hard coded in the\r\nbinary, as shown in Figure 11, and then upload the list to the C\u0026C server. It uses\r\n%TEMP%\\fl637136486220077590.data to keep track of how many files from the static list\r\nhave been uploaded.\r\nWe believe that the operators are checking the list of files from the C: drive, sent by XDList,\r\nand then selecting the ones that seem most interesting to them for exfiltration. What is\r\nsurprising is that the paths are directly hard coded in the samples and not retrieved\r\ndynamically by a request to the C\u0026C server. Thus, to collect additional files, the operators\r\nneed to modify their source code, recompile and drop a new version of the plug-in on the\r\nvictim’s machine.\r\nInformation \u003chttps://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf\u003e\r\nLast change to this tool card: 19 October 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool XDUpload\r\nChanged Name Country Observed\r\nAPT groups\r\n  XDSpy [Unknown] 2011-Jul 2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=03db88bb-8a3b-467d-940d-0ad5f126b562\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=03db88bb-8a3b-467d-940d-0ad5f126b562\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=03db88bb-8a3b-467d-940d-0ad5f126b562\r\nPage 2 of 2\n\nAPT groups XDSpy [Unknown] 2011-Jul 2024 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=03db88bb-8a3b-467d-940d-0ad5f126b562" ], "report_names": [ "listgroups.cgi?u=03db88bb-8a3b-467d-940d-0ad5f126b562" ], "threat_actors": [ { "id": "69cba9ab-de35-4103-a699-7d243bcfd196", "created_at": "2023-01-06T13:46:39.159472Z", "updated_at": "2026-04-10T02:00:03.233731Z", "deleted_at": null, "main_name": "XDSpy", "aliases": [], "source_name": "MISPGALAXY:XDSpy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d69b3831-de95-42c9-b4b6-26232627206f", "created_at": "2022-10-25T16:07:24.429466Z", "updated_at": "2026-04-10T02:00:04.985102Z", "deleted_at": null, "main_name": "XDSpy", "aliases": [], "source_name": "ETDA:XDSpy", "tools": [ "ChromePass", "IE PassView", "MailPassView", "Network Password Recovery", "OperaPassView", "PasswordFox", "Protected Storage PassView", "XDDown", "XDList", "XDLoc", "XDMonitor", "XDPass", "XDRecon", "XDUpload" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434437, "ts_updated_at": 1775826758, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/63438869c7719edf3d6ab6f9624d4e999f23c09c.pdf", "text": "https://archive.orkl.eu/63438869c7719edf3d6ab6f9624d4e999f23c09c.txt", "img": "https://archive.orkl.eu/63438869c7719edf3d6ab6f9624d4e999f23c09c.jpg" } }