{
	"id": "c01d23c3-61f2-466f-8952-4b698438e2b8",
	"created_at": "2026-04-06T01:32:19.701182Z",
	"updated_at": "2026-04-10T03:32:20.944884Z",
	"deleted_at": null,
	"sha1_hash": "6f865e91b1fa085f1a90fc479318dfd7bbce2e11",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52440,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:42:39 UTC\r\nTool: BigpipeLoader\r\nNames BigpipeLoader\r\nCategory Malware\r\nType Loader\r\nDescription\r\n(Trend Micro) Since this loader will read/write encrypted payload through a named pipe, we\r\nnamed this shellcode loader BigpipeLoader. In one of our threat hunting sessions, we found\r\ntwo variants of this loader with different execution procedures. The first variant of\r\nBigpipeLoader just drops the decoy file and loads the Cobalt Strike payload into the memory,\r\nthen proceeds to execute it. In the second variant, however, the attacker creates a dropper,\r\nwhich drops the malicious WTSAPI32.dll designed to be sideloaded by a legitimate\r\napplication with the file name “wusa.exe”. This launches the encrypted BigpipeLoader\r\n(chrome.inf). Both variants of BigpipeLoader use the AES-128-CFB algorithm to decrypt the\r\npayload.\r\nInformation\r\n\u003chttps://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\u003e\r\nLast change to this tool card: 19 November 2022\r\nAll groups using tool BigpipeLoader\r\nChanged Name Country Observed\r\nAPT groups\r\n      ↳ Subgroup: Earth Longzhi 2020-Apr 2023  \r\n1 group listed (1 APT, 0 other, 0 unknown)\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bf77aa3f-d900-4311-91f0-47f5d8c9a6e1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bf77aa3f-d900-4311-91f0-47f5d8c9a6e1"
	],
	"report_names": [
		"listgroups.cgi?u=bf77aa3f-d900-4311-91f0-47f5d8c9a6e1"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b317799-01c0-48fa-aee2-31a738116771",
			"created_at": "2022-11-20T02:02:37.746719Z",
			"updated_at": "2026-04-10T02:00:04.561617Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"Earth Longzhi"
			],
			"source_name": "ETDA:Earth Longzhi",
			"tools": [
				"Agentemis",
				"BigpipeLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"CroxLoader",
				"MultiPipeLoader",
				"OutLoader",
				"Symatic Loader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d196cb29-a861-4838-b157-a31ac92c6fb1",
			"created_at": "2023-11-04T02:00:07.66699Z",
			"updated_at": "2026-04-10T02:00:03.386945Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"SnakeCharmer"
			],
			"source_name": "MISPGALAXY:Earth Longzhi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439139,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f865e91b1fa085f1a90fc479318dfd7bbce2e11.pdf",
		"text": "https://archive.orkl.eu/6f865e91b1fa085f1a90fc479318dfd7bbce2e11.txt",
		"img": "https://archive.orkl.eu/6f865e91b1fa085f1a90fc479318dfd7bbce2e11.jpg"
	}
}