{ "id": "04912113-e96d-46ec-adcf-ca3e4bf3c58d", "created_at": "2026-04-06T00:09:27.098025Z", "updated_at": "2026-04-10T03:31:57.087851Z", "deleted_at": null, "sha1_hash": "74da8f2ca97c283e8e573fb59528d9b1b2968074", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49477, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:49:41 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool dneSpy\r\n Tool: dneSpy\r\nNames dneSpy\r\nCategory Malware\r\nType Backdoor, Info stealer, Exfiltration\r\nDescription\r\nDneSpy collects information, takes screenshots, and downloads and executes the latest version\r\nof other malicious components in the infected system. The malware is designed to receive a\r\n“policy” file in JSON format with all the commands to execute. The policy file sent by the\r\nC\u0026C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the\r\nC\u0026C server. These characteristics make dneSpy a fully functional espionage backdoor.\r\nInformation\r\n\u003chttps://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html\u003e\r\n\u003chttps://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy\u003e\r\nLast change to this tool card: 29 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool dneSpy\r\nChanged Name Country Observed\r\nAPT groups\r\n  Operation Earth Kitsune 2019-Late 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1be82a99-1719-48c3-a640-e93743a4c823\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1be82a99-1719-48c3-a640-e93743a4c823\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1be82a99-1719-48c3-a640-e93743a4c823\r\nPage 2 of 2\n\nAPT groups Operation Earth Kitsune 2019-Late 2022 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1be82a99-1719-48c3-a640-e93743a4c823" ], "report_names": [ "listgroups.cgi?u=1be82a99-1719-48c3-a640-e93743a4c823" ], "threat_actors": [ { "id": "6158a31d-091c-4a5a-a82b-938e3d0b0e87", "created_at": "2023-11-17T02:00:07.61151Z", "updated_at": "2026-04-10T02:00:03.459947Z", "deleted_at": null, "main_name": "Earth Kitsune", "aliases": [], "source_name": "MISPGALAXY:Earth Kitsune", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3f6650a3-9f50-47c4-bd7a-008b63bde191", "created_at": "2022-10-25T16:07:23.949232Z", "updated_at": "2026-04-10T02:00:04.803815Z", "deleted_at": null, "main_name": "Operation Earth Kitsune", "aliases": [], "source_name": "ETDA:Operation Earth Kitsune", "tools": [ "SLUB", "WhiskerSpy", "agfSpy", "dneSpy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434167, "ts_updated_at": 1775791917, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/74da8f2ca97c283e8e573fb59528d9b1b2968074.pdf", "text": "https://archive.orkl.eu/74da8f2ca97c283e8e573fb59528d9b1b2968074.txt", "img": "https://archive.orkl.eu/74da8f2ca97c283e8e573fb59528d9b1b2968074.jpg" } }