{ "id": "9bb9741f-0807-464e-a5d4-dbba32639fe5", "created_at": "2026-04-06T00:11:44.744005Z", "updated_at": "2026-04-10T13:11:27.875574Z", "deleted_at": null, "sha1_hash": "66d403878fc160237538b13c834be56dc89f9087", "title": "GUP Proxy Tool - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46353, "plain_text": "GUP Proxy Tool - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 19:50:35 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GUP Proxy Tool\r\n Tool: GUP Proxy Tool\r\nNames GUP Proxy Tool\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Proofpoint) The GUP command and control proxy tool may impersonate the name of a piece\r\nof legitimate opensource software available at wingup[.]org, which is used by Notepad++. In\r\nhistoric campaigns by APT adversaries, legitimate GUP.exe versions were utilized that were\r\ndigitally signed by Notepad++. In this campaign, files appeared to impersonate the GUP.exe\r\nfile name rather than being a legitimate signed binary. The function of this tool is to set up a\r\nTCP listener on a localhost, receive encoded data via requests from\r\nthe SodomNormal localhost module, and to forward this data to the command and control IP\r\nvia HTTP. The GUP Proxy Tool has a hardcoded configuration which is included as both\r\nstrings and integers.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.gup_proxy\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool GUP Proxy Tool\r\nChanged Name Country Observed\r\nAPT groups\r\n  LookBack, TA410 [Unknown] 2019-Feb 2022  \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bbb65fa6-b7ba-4d24-9b9d-5e189dcba544\r\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bbb65fa6-b7ba-4d24-9b9d-5e189dcba544\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bbb65fa6-b7ba-4d24-9b9d-5e189dcba544\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bbb65fa6-b7ba-4d24-9b9d-5e189dcba544" ], "report_names": [ "listgroups.cgi?u=bbb65fa6-b7ba-4d24-9b9d-5e189dcba544" ], "threat_actors": [ { "id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3", "created_at": "2022-10-25T16:07:23.80111Z", "updated_at": "2026-04-10T02:00:04.753677Z", "deleted_at": null, "main_name": "LookBack", "aliases": [ "FlowingFrog", "LookBack", "LookingFrog", "TA410", "Witchetty" ], "source_name": "ETDA:LookBack", "tools": [ "FlowCloud", "GUP Proxy Tool", "SodomMain", "SodomMain RAT", "SodomNormal" ], "source_id": "ETDA", "reports": null }, { "id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1", "created_at": "2023-01-06T13:46:39.059774Z", "updated_at": "2026-04-10T02:00:03.199867Z", "deleted_at": null, "main_name": "TA410", "aliases": [], "source_name": "MISPGALAXY:TA410", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434304, "ts_updated_at": 1775826687, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/66d403878fc160237538b13c834be56dc89f9087.pdf", "text": "https://archive.orkl.eu/66d403878fc160237538b13c834be56dc89f9087.txt", "img": "https://archive.orkl.eu/66d403878fc160237538b13c834be56dc89f9087.jpg" } }