{
	"id": "c62c6d9c-bcd6-4484-a29f-2de40814de21",
	"created_at": "2026-04-06T00:13:41.63277Z",
	"updated_at": "2026-04-10T03:30:57.841744Z",
	"deleted_at": null,
	"sha1_hash": "6c2209f787db05af0069b2ea3e3ed66c7b268adb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47145,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:20:05 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BlueShell\n Tool: BlueShell\nNames BlueShell\nCategory Malware\nType Backdoor\nDescription\nAccording to AhnLab, BlueShell is a backdoor malware developed in the Go language, published\non GitHub, and it supports Windows, Linux, and Mac operating systems. Currently, the\noriginal GitHub repository is presumed to have been deleted, but the BlueShell source code can\nstill be obtained from other repositories. It features an explanatory ReadMe file in Chinese,\nindicating the possibility that the creator is a Chinese user.\nInformation\nMalpedia\nLast change to this tool card: 30 November 2023\nDownload this tool card in JSON format\nAll groups using tool BlueShell\nChanged Name Country Observed\nAPT groups\n Dalbit 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aea9389f-b491-406e-90fe-1c35da3a353f\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aea9389f-b491-406e-90fe-1c35da3a353f\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aea9389f-b491-406e-90fe-1c35da3a353f"
	],
	"report_names": [
		"listgroups.cgi?u=aea9389f-b491-406e-90fe-1c35da3a353f"
	],
	"threat_actors": [
		{
			"id": "bcf899bb-34bb-43e1-929d-02bc91974f2a",
			"created_at": "2023-02-18T02:04:24.050644Z",
			"updated_at": "2026-04-10T02:00:04.639142Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "ETDA:Dalbit",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"AntSword",
				"BadPotato",
				"BlueShell",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"EFSPotato",
				"FRP",
				"Fast Reverse Proxy",
				"Godzilla",
				"Godzilla Loader",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotato",
				"LadonGo",
				"Metasploit",
				"Mimikatz",
				"NPS",
				"ProcDump",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"RottenPotato",
				"SinoChopper",
				"SweetPotato",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5",
			"created_at": "2023-11-08T02:00:07.176033Z",
			"updated_at": "2026-04-10T02:00:03.435082Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Dalbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434421,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c2209f787db05af0069b2ea3e3ed66c7b268adb.pdf",
		"text": "https://archive.orkl.eu/6c2209f787db05af0069b2ea3e3ed66c7b268adb.txt",
		"img": "https://archive.orkl.eu/6c2209f787db05af0069b2ea3e3ed66c7b268adb.jpg"
	}
}