{
	"id": "311c1ace-bd8e-4f9d-b860-ada2af202e4b",
	"created_at": "2026-04-06T00:06:24.704146Z",
	"updated_at": "2026-04-10T03:23:34.965086Z",
	"deleted_at": null,
	"sha1_hash": "6cf6695286f9da243275e333ff5785b12ab8e213",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48597,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:04:39 UTC\r\n Tool: NineBlog\r\nNames NineBlog\r\nCategory Malware\r\nType Reconnaissance, Backdoor\r\nDescription\r\n(FireEye) We noticed the decoded VBScript backdoors from recent activity were nearly\r\nidentical (with some small changes) to the first NINEBLOG variants we observed in 2013.\r\nThe minimal code changes may be due to the fact that the encoding provides enough\r\nobfuscation to prevent detection, allowing the core functionality of the backdoor to remain the\r\nsame. Additionally, newer variants of the VBScript include some code enhancements.\r\nInformation\r\n\u003chttps://www2.fireeye.com/rs/848-DID-242/images/rpt-southeast-asia-fall-2015.pdf\u003e\r\n\u003chttps://www.fireeye.com/blog/threat-research/2013/08/the-curious-case-of-encoded-vb-scripts-apt-nineblog.html\u003e\r\nLast change to this tool card: 01 May 2020\r\nAll groups using tool NineBlog\r\nChanged Name Country Observed\r\nAPT groups\r\n  NineBlog 2013  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=50eee0e3-8e91-4f31-b1c2-e7d939b1625c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=50eee0e3-8e91-4f31-b1c2-e7d939b1625c"
	],
	"report_names": [
		"listgroups.cgi?u=50eee0e3-8e91-4f31-b1c2-e7d939b1625c"
	],
	"threat_actors": [
		{
			"id": "b3cfe392-a8df-42bc-bc9a-3233ec5d6d5f",
			"created_at": "2022-10-25T16:07:23.90923Z",
			"updated_at": "2026-04-10T02:00:04.785642Z",
			"deleted_at": null,
			"main_name": "NineBlog",
			"aliases": [],
			"source_name": "ETDA:NineBlog",
			"tools": [
				"NineBlog"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433984,
	"ts_updated_at": 1775791414,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6cf6695286f9da243275e333ff5785b12ab8e213.pdf",
		"text": "https://archive.orkl.eu/6cf6695286f9da243275e333ff5785b12ab8e213.txt",
		"img": "https://archive.orkl.eu/6cf6695286f9da243275e333ff5785b12ab8e213.jpg"
	}
}