{
	"id": "f3ab3895-dc5e-487d-9e72-97a5ba22afc3",
	"created_at": "2026-04-06T00:11:33.808494Z",
	"updated_at": "2026-04-10T13:12:17.408774Z",
	"deleted_at": null,
	"sha1_hash": "6746f7e9ddc26fa3633d991c5f24a4660ff5d42a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47901,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 10:42:53 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool TABLEFLIP\n Tool: TABLEFLIP\nNames TABLEFLIP\nCategory Malware\nType Tunneling\nDescription\n(Mandiant) To enable continued access directly from the Internet, the threat actor implemented\nTABLEFLIP (MD5: b6e92149efaf78e9ce7552297505b9d5), a passive traffic redirection utility\nthat listens on all active interfaces for specialized command packets. With this utility in place,\nand regardless of the ACL’s in place, the threat actor would be able to connect directly to the\nFortiManager as seen in Figure 15.\nInformation Last change to this tool card: 26 August 2024\nDownload this tool card in JSON format\nAll groups using tool TABLEFLIP\nChanged Name Country Observed\nAPT groups\n UNC3886 2021-Early 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a7e011e1-7edd-4166-9582-3e200d13910c\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a7e011e1-7edd-4166-9582-3e200d13910c\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a7e011e1-7edd-4166-9582-3e200d13910c"
	],
	"report_names": [
		"listgroups.cgi?u=a7e011e1-7edd-4166-9582-3e200d13910c"
	],
	"threat_actors": [
		{
			"id": "9df8987a-27fc-45c5-83b0-20dceb8288af",
			"created_at": "2025-10-29T02:00:51.836932Z",
			"updated_at": "2026-04-10T02:00:05.253487Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"UNC3886"
			],
			"source_name": "MITRE:UNC3886",
			"tools": [
				"MOPSLED",
				"VIRTUALPIE",
				"CASTLETAP",
				"THINCRUST",
				"VIRTUALPITA",
				"RIFLESPINE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d",
			"created_at": "2024-08-28T02:02:09.711951Z",
			"updated_at": "2026-04-10T02:00:04.957678Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"Fire Ant"
			],
			"source_name": "ETDA:UNC3886",
			"tools": [
				"BOLDMOVE",
				"CASTLETAP",
				"LOOKOVER",
				"MOPSLED",
				"RIFLESPINE",
				"TABLEFLIP",
				"THINCRUST",
				"Tiny SHell",
				"VIRTUALGATE",
				"VIRTUALPIE",
				"VIRTUALPITA",
				"VIRTUALSHINE",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37",
			"created_at": "2023-11-04T02:00:07.663664Z",
			"updated_at": "2026-04-10T02:00:03.385989Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3886",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434293,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6746f7e9ddc26fa3633d991c5f24a4660ff5d42a.pdf",
		"text": "https://archive.orkl.eu/6746f7e9ddc26fa3633d991c5f24a4660ff5d42a.txt",
		"img": "https://archive.orkl.eu/6746f7e9ddc26fa3633d991c5f24a4660ff5d42a.jpg"
	}
}