{
	"id": "e9062ec3-88cf-4612-9c28-b7ec69e9db6c",
	"created_at": "2026-04-06T00:20:52.085549Z",
	"updated_at": "2026-04-10T03:29:54.675697Z",
	"deleted_at": null,
	"sha1_hash": "751ae35746240570fcf61cb7c8e3ef7021ec4fbb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48063,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:18:47 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool RIFLESPINE\r\n Tool: RIFLESPINE\r\nNames RIFLESPINE\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Mandiant) RIFLESPINE is a cross-platform backdoor that leverages Google Drive to transfer\r\nfiles and execute commands. It adopts the CryptoPP library to implement the AES algorithm to\r\nencrypt and decrypt the data transmitted between an affected machine and the threat actor.\r\nInformation\r\n\u003chttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\u003e\r\nLast change to this tool card: 26 August 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool RIFLESPINE\r\nChanged Name Country Observed\r\nAPT groups\r\n  UNC3886 2021-Early 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d9c072a3-0aa5-426c-b55c-1dc582c5596d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d9c072a3-0aa5-426c-b55c-1dc582c5596d\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d9c072a3-0aa5-426c-b55c-1dc582c5596d"
	],
	"report_names": [
		"listgroups.cgi?u=d9c072a3-0aa5-426c-b55c-1dc582c5596d"
	],
	"threat_actors": [
		{
			"id": "9df8987a-27fc-45c5-83b0-20dceb8288af",
			"created_at": "2025-10-29T02:00:51.836932Z",
			"updated_at": "2026-04-10T02:00:05.253487Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"UNC3886"
			],
			"source_name": "MITRE:UNC3886",
			"tools": [
				"MOPSLED",
				"VIRTUALPIE",
				"CASTLETAP",
				"THINCRUST",
				"VIRTUALPITA",
				"RIFLESPINE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d",
			"created_at": "2024-08-28T02:02:09.711951Z",
			"updated_at": "2026-04-10T02:00:04.957678Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"Fire Ant"
			],
			"source_name": "ETDA:UNC3886",
			"tools": [
				"BOLDMOVE",
				"CASTLETAP",
				"LOOKOVER",
				"MOPSLED",
				"RIFLESPINE",
				"TABLEFLIP",
				"THINCRUST",
				"Tiny SHell",
				"VIRTUALGATE",
				"VIRTUALPIE",
				"VIRTUALPITA",
				"VIRTUALSHINE",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37",
			"created_at": "2023-11-04T02:00:07.663664Z",
			"updated_at": "2026-04-10T02:00:03.385989Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3886",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434852,
	"ts_updated_at": 1775791794,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/751ae35746240570fcf61cb7c8e3ef7021ec4fbb.pdf",
		"text": "https://archive.orkl.eu/751ae35746240570fcf61cb7c8e3ef7021ec4fbb.txt",
		"img": "https://archive.orkl.eu/751ae35746240570fcf61cb7c8e3ef7021ec4fbb.jpg"
	}
}