{ "id": "2368f915-fe17-415a-b8b8-9bf00bf4ca82", "created_at": "2026-04-06T00:21:42.335691Z", "updated_at": "2026-04-10T13:11:50.601752Z", "deleted_at": null, "sha1_hash": "6b32f7bca47f716abc86d81fbd188785cd3f0a21", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48638, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:07:14 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Whitebird\r\n Tool: Whitebird\r\nNames Whitebird\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Dr.Web) A multifunctional backdoor trojan for Microsoft Windows 64-bit operating systems.\r\nIts function is to establish an encrypted connection with the C\u0026C server and grant\r\nunauthorized access to the infected computer. It has a file manager, proxy server and remote\r\nshell capabilities. It was used in targeted attacks on state institutions in Kazakhstan and\r\nKyrgyzstan. Similar to BackDoor.PlugX, this modification was used to infiltrate the network\r\ninfrastructure.\r\nInformation \u003chttps://vms.drweb.co.jp/virus/?i=21507715\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird\u003e\r\nLast change to this tool card: 28 December 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool Whitebird\r\nChanged Name Country Observed\r\nAPT groups\r\n  Calypso 2016-Aug 2021  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fa199794-92f7-4f93-aac1-969d8747f6f3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fa199794-92f7-4f93-aac1-969d8747f6f3\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fa199794-92f7-4f93-aac1-969d8747f6f3" ], "report_names": [ "listgroups.cgi?u=fa199794-92f7-4f93-aac1-969d8747f6f3" ], "threat_actors": [ { "id": "3c5b0e7e-2388-4b63-9b97-6b027bec4bf7", "created_at": "2023-01-06T13:46:39.068694Z", "updated_at": "2026-04-10T02:00:03.202867Z", "deleted_at": null, "main_name": "Calypso", "aliases": [ "BRONZE MEDLEY" ], "source_name": "MISPGALAXY:Calypso", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "13d9c5fc-af82-4474-90dd-188c4e40a399", "created_at": "2022-10-25T16:07:23.435079Z", "updated_at": "2026-04-10T02:00:04.601572Z", "deleted_at": null, "main_name": "Calypso", "aliases": [ "Bronze Medley" ], "source_name": "ETDA:Calypso", "tools": [ "Agent.dhwf", "Byeby", "Calypso RAT", "DCSync", "Destroy RAT", "DestroyRAT", "DoublePulsar", "EternalBlue", "EternalRomance", "FlyingDutchman", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "NBTscan", "OS_Check_445", "PlugX", "Quarks PwDump", "RedDelta", "SAMRID", "Sogu", "SysInternals", "TCP Port Scanner", "TIGERPLUG", "TVT", "Thoper", "Whitebird", "Xamtrav", "ZXPortMap", "nbtscan", "netcat" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434902, "ts_updated_at": 1775826710, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6b32f7bca47f716abc86d81fbd188785cd3f0a21.pdf", "text": "https://archive.orkl.eu/6b32f7bca47f716abc86d81fbd188785cd3f0a21.txt", "img": "https://archive.orkl.eu/6b32f7bca47f716abc86d81fbd188785cd3f0a21.jpg" } }