{
	"id": "246ad2f5-a4ab-4044-a947-b08f51dfbfa3",
	"created_at": "2026-04-06T00:22:29.445916Z",
	"updated_at": "2026-04-10T13:12:49.31611Z",
	"deleted_at": null,
	"sha1_hash": "78c3de2014c6b8471b489ba3b470ef50d2b028f2",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46160,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:06:34 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool KeeThief\r\n Tool: KeeThief\r\nNames KeeThief\r\nCategory Tools\r\nType Credential stealer\r\nDescription\r\nMethods for attacking KeePass 2.X databases, including extracting of encryption key material\r\nfrom memory.\r\nInformation \u003chttps://github.com/HarmJ0y/KeeThief\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool KeeThief\r\nChanged Name Country Observed\r\nAPT groups\r\n  APT 20, Violin Panda 2014-2017  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d4468505-8920-40f1-8fc8-d529e25ac291\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d4468505-8920-40f1-8fc8-d529e25ac291\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d4468505-8920-40f1-8fc8-d529e25ac291"
	],
	"report_names": [
		"listgroups.cgi?u=d4468505-8920-40f1-8fc8-d529e25ac291"
	],
	"threat_actors": [
		{
			"id": "5d512e7c-f6a7-47b5-b440-4968c299deaf",
			"created_at": "2023-01-06T13:46:38.344772Z",
			"updated_at": "2026-04-10T02:00:02.9359Z",
			"deleted_at": null,
			"main_name": "APT20",
			"aliases": [
				"VIOLIN PANDA",
				"TH3Bug",
				"Crawling Taurus"
			],
			"source_name": "MISPGALAXY:APT20",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dd583696-3de6-4c23-bfb6-e675a38a7000",
			"created_at": "2022-10-25T16:07:23.338398Z",
			"updated_at": "2026-04-10T02:00:04.548798Z",
			"deleted_at": null,
			"main_name": "APT 20",
			"aliases": [
				"APT 20",
				"APT 8",
				"Crawling Taurus",
				"Operation Wocao",
				"TH3Bug",
				"Violin Panda"
			],
			"source_name": "ETDA:APT 20",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Filesnfer",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"KeeThief",
				"Kerberoast",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PlugX",
				"Poison Ivy",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SMBExec",
				"SPIVY",
				"SharpHound",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WinRAR",
				"XServer",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78c3de2014c6b8471b489ba3b470ef50d2b028f2.pdf",
		"text": "https://archive.orkl.eu/78c3de2014c6b8471b489ba3b470ef50d2b028f2.txt",
		"img": "https://archive.orkl.eu/78c3de2014c6b8471b489ba3b470ef50d2b028f2.jpg"
	}
}