{
	"id": "91cd2de0-eb5b-44cf-8395-84e8754b6a56",
	"created_at": "2026-04-06T00:12:29.656544Z",
	"updated_at": "2026-04-10T03:36:00.559437Z",
	"deleted_at": null,
	"sha1_hash": "70acf99a2633809865a39d7791e69cd3b75f7027",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54129,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:37:37 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ETUMBOT\n Tool: ETUMBOT\nNames\nETUMBOT\nRIPTIDE\nHIGHTIDE\nExploz\nSpecfix\nCategory Malware\nType Backdoor\nDescription\n(FireEye) FireEye observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that\ncommunicates via HTTP to a hard-coded command and control (C2) server. RIPTIDE’s\nfirst communication with its C2 server fetches an encryption key, and the RC4\nencryption key is used to encrypt all further communication.\nIn June 2014, Arbor Networks published an article describing the RIPTIDE backdoor\nand its C2 infrastructure in great depth. The blog highlighted that the backdoor was\nutilized in campaigns from March 2011 till May 2014.\nFollowing the release of the article, FireEye observed a distinct change in RIPTIDE’s\nprotocols and strings. We suspect this change was a direct result of the Arbor blog post\nin order to decrease detection of RIPTIDE by security vendors. The changes to\nRIPTIDE were significant enough to circumvent existing RIPTIDE detection rules.\nFireEye dubbed this new malware family HIGHTIDE.\nInformation\nMITRE ATT\u0026CK Malpedia https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2f137525-43e3-4296-bbcd-b7d626694f4a\nPage 1 of 2\n\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:etumbot\u003e\r\nLast change to this tool card: 13 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool ETUMBOT\r\nChanged Name Country Observed\r\nAPT groups\r\n  APT 12, Numbered Panda 2009-Nov 2016  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2f137525-43e3-4296-bbcd-b7d626694f4a\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2f137525-43e3-4296-bbcd-b7d626694f4a\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2f137525-43e3-4296-bbcd-b7d626694f4a"
	],
	"report_names": [
		"listgroups.cgi?u=2f137525-43e3-4296-bbcd-b7d626694f4a"
	],
	"threat_actors": [
		{
			"id": "c5f79f58-db78-4cd7-88cf-c029a2199360",
			"created_at": "2022-10-25T16:07:23.325227Z",
			"updated_at": "2026-04-10T02:00:04.542909Z",
			"deleted_at": null,
			"main_name": "APT 12",
			"aliases": [
				"APT 12",
				"BeeBus",
				"Bronze Globe",
				"CTG-8223",
				"Calc Team",
				"Crimson Iron",
				"DNSCalc",
				"DynCALC",
				"G0005",
				"Group 22",
				"Hexagon Typhoon",
				"Numbered Panda"
			],
			"source_name": "ETDA:APT 12",
			"tools": [
				"AUMLIB",
				"ETUMBOT",
				"Exploz",
				"Graftor",
				"HIGHTIDE",
				"IHEATE",
				"IXESHE",
				"RIPTIDE",
				"RapidStealer",
				"Specfix",
				"THREEBYTE",
				"bbsinfo",
				"mswab",
				"yayih"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d18fe42c-8407-4f96-aee0-a04e6dce219a",
			"created_at": "2023-01-06T13:46:38.275292Z",
			"updated_at": "2026-04-10T02:00:02.907303Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"Group 22",
				"Calc Team",
				"DNSCalc",
				"IXESHE",
				"Hexagon Typhoon",
				"BeeBus",
				"DynCalc",
				"Crimson Iron",
				"BRONZE GLOBE",
				"NUMBERED PANDA",
				"TG-2754"
			],
			"source_name": "MISPGALAXY:APT12",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184",
			"created_at": "2022-10-25T15:50:23.685924Z",
			"updated_at": "2026-04-10T02:00:05.364493Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"APT12",
				"IXESHE",
				"DynCalc",
				"Numbered Panda",
				"DNSCALC"
			],
			"source_name": "MITRE:APT12",
			"tools": [
				"Ixeshe",
				"RIPTIDE",
				"HTRAN"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35",
			"created_at": "2025-08-07T02:03:24.608888Z",
			"updated_at": "2026-04-10T02:00:03.749632Z",
			"deleted_at": null,
			"main_name": "BRONZE GLOBE",
			"aliases": [
				"APT12 ",
				"CTG-8223 ",
				"DyncCalc ",
				"Numbered Panda ",
				"PortCalc"
			],
			"source_name": "Secureworks:BRONZE GLOBE",
			"tools": [
				"Badpuck",
				"BeepService",
				"Etumbot",
				"Gh0st RAT",
				"Ixeshe",
				"Mswab",
				"RAdmin",
				"Seatran",
				"SvcInstaller",
				"Ziyang"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434349,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70acf99a2633809865a39d7791e69cd3b75f7027.pdf",
		"text": "https://archive.orkl.eu/70acf99a2633809865a39d7791e69cd3b75f7027.txt",
		"img": "https://archive.orkl.eu/70acf99a2633809865a39d7791e69cd3b75f7027.jpg"
	}
}