{ "id": "5ced000c-fe98-44f2-a7f8-f2a46a1ecbf0", "created_at": "2026-04-06T00:11:01.41135Z", "updated_at": "2026-04-10T13:12:12.906861Z", "deleted_at": null, "sha1_hash": "778828c4ad4fdf239426b1bea47541ca48b8356a", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48360, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:09:31 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ByPassGodzilla\n Tool: ByPassGodzilla\nNames ByPassGodzilla\nCategory Malware\nType Backdoor\nDescription\n(Kaspersky) A Chinese web shell encryptor used to obfuscate other deployed web shells to\nbypass detections. We were able to source different implementations of encrypted web shells\nin .NET and ASPX scripts from the same server. According to our telemetry, the newly\ndiscovered web shell was also associated with a campaign leveraging CVE-2023-26360 early\nthis year targeting vulnerable servers in the Middle East.\nInformation Last change to this tool card: 23 October 2024\nDownload this tool card in JSON format\nAll groups using tool ByPassGodzilla\nChanged Name Country Observed\nAPT groups\n Tropic Trooper, Pirate Panda, APT 23, KeyBoy 2011-Jun 2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=77cc7833-6d0f-4a43-b89c-c25012dd89fa\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=77cc7833-6d0f-4a43-b89c-c25012dd89fa\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=77cc7833-6d0f-4a43-b89c-c25012dd89fa" ], "report_names": [ "listgroups.cgi?u=77cc7833-6d0f-4a43-b89c-c25012dd89fa" ], "threat_actors": [ { "id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc", "created_at": "2023-01-06T13:46:38.354607Z", "updated_at": "2026-04-10T02:00:02.939761Z", "deleted_at": null, "main_name": "APT23", "aliases": [ "BRONZE HOBART", "G0081", "Red Orthrus", "Earth Centaur", "PIRATE PANDA", "KeyBoy", "Tropic Trooper" ], "source_name": "MISPGALAXY:APT23", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bef7800a-a08f-4e21-b65c-4279c851e572", "created_at": "2022-10-25T15:50:23.409336Z", "updated_at": "2026-04-10T02:00:05.319608Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "Tropic Trooper", "Pirate Panda", "KeyBoy" ], "source_name": "MITRE:Tropic Trooper", "tools": [ "USBferry", "ShadowPad", "PoisonIvy", "BITSAdmin", "YAHOYAH", "KeyBoy" ], "source_id": "MITRE", "reports": null }, { "id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724", "created_at": "2022-10-25T16:07:24.344358Z", "updated_at": "2026-04-10T02:00:04.947834Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "APT 23", "Bronze Hobart", "Earth Centaur", "G0081", "KeyBoy", "Operation Tropic Trooper", "Pirate Panda", "Tropic Trooper" ], "source_name": "ETDA:Tropic Trooper", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "ByPassGodzilla", "CHINACHOPPER", "CREDRIVER", "China Chopper", "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "KeyBoy", "Neo-reGeorg", "PCShare", "POISONPLUG.SHADOW", "Poison Ivy", "RoyalRoad", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Swor", "TSSL", "USBferry", "W32/Seeav", "Winsloader", "XShellGhost", "Yahoyah", "fscan", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "86182dd7-646c-49c5-91a6-4b62fd2119a7", "created_at": "2025-08-07T02:03:24.617638Z", "updated_at": "2026-04-10T02:00:03.738499Z", "deleted_at": null, "main_name": "BRONZE HOBART", "aliases": [ "APT23", "Earth Centaur ", "KeyBoy ", "Pirate Panda ", "Red Orthrus ", "TA413 ", "Tropic Trooper " ], "source_name": "Secureworks:BRONZE HOBART", "tools": [ "Crowdoor", "DSNGInstaller", "KeyBoy", "LOWZERO", "Mofu", "Pfine", "Sepulcher", "Xiangoop Loader", "Yahaoyah" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434261, "ts_updated_at": 1775826732, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/778828c4ad4fdf239426b1bea47541ca48b8356a.pdf", "text": "https://archive.orkl.eu/778828c4ad4fdf239426b1bea47541ca48b8356a.txt", "img": "https://archive.orkl.eu/778828c4ad4fdf239426b1bea47541ca48b8356a.jpg" } }