{
	"id": "de8a46b2-7755-4d25-b63e-c7e0a5b5497f",
	"created_at": "2026-04-06T00:22:32.666963Z",
	"updated_at": "2026-04-10T03:37:55.917051Z",
	"deleted_at": null,
	"sha1_hash": "6d1f899ca8dd80dada1b815db8f107c4e429e71c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56627,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:12:45 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Ghole\n Tool: Ghole\nNames\nGhole\nGholee\nCoreImpact (Modified)\nCategory Tools\nType Vulnerability scanner\nDescription\n(Trend Micro) GHOLE is a malware family derived from a modified Core Impact\nproduct. Core Impact is a penetration-testing product made by Core Security, a legitimate\ncompany.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 28 December 2022\nDownload this tool card in JSON format\nAll groups using tool Ghole\nChanged Name Country Observed\nAPT groups\n Rocket Kitten, Newscaster, NewsBeef 2011-2017\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eb0a13e3-f329-4d98-92fe-cda2a9f4b8ae\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eb0a13e3-f329-4d98-92fe-cda2a9f4b8ae\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eb0a13e3-f329-4d98-92fe-cda2a9f4b8ae\r\nPage 2 of 2\n\nAPT groups Rocket Kitten, Newscaster, NewsBeef 2011-2017 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eb0a13e3-f329-4d98-92fe-cda2a9f4b8ae"
	],
	"report_names": [
		"listgroups.cgi?u=eb0a13e3-f329-4d98-92fe-cda2a9f4b8ae"
	],
	"threat_actors": [
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d1f899ca8dd80dada1b815db8f107c4e429e71c.pdf",
		"text": "https://archive.orkl.eu/6d1f899ca8dd80dada1b815db8f107c4e429e71c.txt",
		"img": "https://archive.orkl.eu/6d1f899ca8dd80dada1b815db8f107c4e429e71c.jpg"
	}
}