{
	"id": "936b4d5a-8fe5-4b72-923d-8fb57b00abaa",
	"created_at": "2026-04-06T00:18:29.283564Z",
	"updated_at": "2026-04-10T13:11:59.859688Z",
	"deleted_at": null,
	"sha1_hash": "6c10bc2264f98475316d5dc0c8bb3c094b273ebd",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50562,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:49:23 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool LOWBALL\nTool: LOWBALL\nNames: LOWBALL\nCategory: Malware\nType: Backdoor, Exfiltration\nDescription:\n(FireEye) This backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage service to act as the command-and-control (CnC) server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.\nInformation: MITRE ATT\u0026CK, Malpedia, AlienVault OTX\nLast change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool LOWBALL\nChanged Name Country Observed\nAPT groups\nTemper Panda, admin@338 2014\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1cf868dc-4067-40c8-aaec-a47cfac9f37c\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1cf868dc-4067-40c8-aaec-a47cfac9f37c\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1cf868dc-4067-40c8-aaec-a47cfac9f37c"
	],
	"report_names": [
		"listgroups.cgi?u=1cf868dc-4067-40c8-aaec-a47cfac9f37c"
	],
	"threat_actors": [
		{
			"id": "9d6f666e-3a9d-4a09-bcac-8aee96572827",
			"created_at": "2022-10-25T15:50:23.2832Z",
			"updated_at": "2026-04-10T02:00:05.268714Z",
			"deleted_at": null,
			"main_name": "admin@338",
			"aliases": [
				"admin@338"
			],
			"source_name": "MITRE:admin@338",
			"tools": [
				"BUBBLEWRAP",
				"LOWBALL",
				"Systeminfo",
				"PoisonIvy",
				"netstat",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1f29d13d-268d-4c26-ac4a-1ce8cebdbd3a",
			"created_at": "2023-01-06T13:46:38.351187Z",
			"updated_at": "2026-04-10T02:00:02.938577Z",
			"deleted_at": null,
			"main_name": "TEMPER PANDA",
			"aliases": [
				"Admin338",
				"Team338",
				"admin@338",
				"G0018"
			],
			"source_name": "MISPGALAXY:TEMPER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c23ca3e9-6b58-4f24-b4eb-ce3b24815ac4",
			"created_at": "2022-10-25T16:07:24.313367Z",
			"updated_at": "2026-04-10T02:00:04.932247Z",
			"deleted_at": null,
			"main_name": "Temper Panda",
			"aliases": [
				"G0018",
				"Team338",
				"Temper Panda",
				"admin@338"
			],
			"source_name": "ETDA:Temper Panda",
			"tools": [
				"BUBBLEWRAP",
				"Backdoor.APT.FakeWinHTTPHelper",
				"Bozok",
				"Bozok RAT",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"LOLBAS",
				"LOLBins",
				"LOWBALL",
				"Living off the Land",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434709,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c10bc2264f98475316d5dc0c8bb3c094b273ebd.pdf",
		"text": "https://archive.orkl.eu/6c10bc2264f98475316d5dc0c8bb3c094b273ebd.txt",
		"img": "https://archive.orkl.eu/6c10bc2264f98475316d5dc0c8bb3c094b273ebd.jpg"
	}
}