{
	"id": "cda6c703-2416-4e00-8542-c6c243031d3d",
	"created_at": "2026-04-06T00:09:09.8869Z",
	"updated_at": "2026-04-10T03:33:22.312668Z",
	"deleted_at": null,
	"sha1_hash": "75555d4a7c1b47551d0ff10ce49e179de1208221",
	"title": "Fire Chili - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50342,
	"plain_text": "Fire Chili - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:50:31 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Fire Chili\n Tool: Fire Chili\nNames Fire Chili\nCategory Malware\nType Rootkit\nDescription\n(BleepingComputer) In a recent Deep Panda campaign discovered by Fortinet, the hacking\ngroup is deploying the new 'Fire Chili' rootkit to evade detection on compromised systems.\nA rootkit is malware typically installed as a driver that hooks various Windows APIs to hide\nthe presence of other files and configuration settings in the operating system. For example, by\nhooking Windows programming functions, a rootkit can filter the data they return so that malicious file\nnames, processes, and Registry keys are not shown to Windows programs requesting the data.\nIn the attacks, the rootkit is signed by valid digital certificates, allowing it to bypass detection\nby security software and load into Windows without any warnings.\nInformation\nMalpedia Last change to this tool card: 27 December 2022\nDownload this tool card in JSON format\nAll groups using tool Fire Chili\nChanged Name Country Observed\nAPT groups\n APT 19, Deep Panda, C0d0so0 2013-Mar 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b2a4a72c-91cf-4a8e-be0e-ae24de1e080c\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b2a4a72c-91cf-4a8e-be0e-ae24de1e080c\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b2a4a72c-91cf-4a8e-be0e-ae24de1e080c\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b2a4a72c-91cf-4a8e-be0e-ae24de1e080c"
	],
	"report_names": [
		"listgroups.cgi?u=b2a4a72c-91cf-4a8e-be0e-ae24de1e080c"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434149,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75555d4a7c1b47551d0ff10ce49e179de1208221.pdf",
		"text": "https://archive.orkl.eu/75555d4a7c1b47551d0ff10ce49e179de1208221.txt",
		"img": "https://archive.orkl.eu/75555d4a7c1b47551d0ff10ce49e179de1208221.jpg"
	}
}