{
	"id": "e205f951-f7ab-4c2d-86c5-0b1fe9404942",
	"created_at": "2026-04-06T00:11:55.52882Z",
	"updated_at": "2026-04-10T03:34:57.572217Z",
	"deleted_at": null,
	"sha1_hash": "64f126a6881145e50dea616e7c2352ef2561dc50",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56681,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:53:15 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PLEAD\n Tool: PLEAD\nNames\nPLEAD\nDRAWDOWN\nGOODTIMES\nLinopid\nTSCookie\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Credential stealer, Exfiltration\nDescription\n(Trend Micro) PLEAD’s backdoor can:\n• Harvest saved credentials from browsers and email clients like Outlook\n• List drives, processes, open windows, and files\n• Open remote Shell\n• Upload target file\n• Execute applications via ShellExecute API\n• Delete target file\nInformation\nMITRE ATT\u0026CK Malpedia\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9ed8c80d-8d26-487b-8b98-a31c2206e2ae\nPage 1 of 2\n\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:PLEAD\u003e\r\nLast change to this tool card: 30 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool PLEAD\r\nChanged Name Country Observed\r\nAPT groups\r\n  BlackTech, Circuit Panda, Radio Panda 2010-Oct 2020  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9ed8c80d-8d26-487b-8b98-a31c2206e2ae\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9ed8c80d-8d26-487b-8b98-a31c2206e2ae\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9ed8c80d-8d26-487b-8b98-a31c2206e2ae"
	],
	"report_names": [
		"listgroups.cgi?u=9ed8c80d-8d26-487b-8b98-a31c2206e2ae"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c93a7f58-3f75-487c-9bd6-e705b73fc07f",
			"created_at": "2023-01-06T13:46:38.330916Z",
			"updated_at": "2026-04-10T02:00:02.931171Z",
			"deleted_at": null,
			"main_name": "RADIO PANDA",
			"aliases": [
				"Shrouded Crossbow"
			],
			"source_name": "MISPGALAXY:RADIO PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434315,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64f126a6881145e50dea616e7c2352ef2561dc50.pdf",
		"text": "https://archive.orkl.eu/64f126a6881145e50dea616e7c2352ef2561dc50.txt",
		"img": "https://archive.orkl.eu/64f126a6881145e50dea616e7c2352ef2561dc50.jpg"
	}
}