{
	"id": "ed0523b3-3252-4111-abc6-15e1e8c99e51",
	"created_at": "2026-04-06T00:09:14.38616Z",
	"updated_at": "2026-04-10T13:12:29.961Z",
	"deleted_at": null,
	"sha1_hash": "79b5d8e694da96ce64218c9ace37c52542b9f40a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61503,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:02:10 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool TinyZBot\n Tool: TinyZBot\nNames TinyZBot\nCategory Malware\nType Backdoor, Keylogger, Info stealer, Credential stealer, Downloader, Exfiltration\nDescription\n(Cylance) TinyZBot supports a wide array of features that continually evolved over\ntime. The following is a list of supported features:\n• SMTP exfiltration\n• Log keystrokes\n• Monitor clipboard activity\n• Enable a SOAP-based command and control channel\n• Self-updating\n• Download and execute arbitrary code\n• Capture screenshots\n• Extract saved passwords for Internet Explorer\n• Install as a service\n• Establish persistence by shortcut in startup folder\n• Provide unique malware campaign identifiers for tracking and control purposes\n• Deceptive execution methods\n• Dynamic backdoor configuration\n• FTP exfiltration\n• Security software detection\n• Ability to disable Avira antivirus\n• Ability to modify PE resources\n• Dynamic plugin structure\nInformation\nMITRE ATT\u0026CK Malpedia\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cf1c4408-2236-4656-bb9f-0773acbb26af\nPage 1 of 2\n\nLast change to this tool card: 22 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool TinyZBot\r\nChanged Name Country Observed\r\nAPT groups\r\n  Cutting Kitten, TG-2889 2012-Mar 2016\r\nOther groups\r\n  Cron 2015-Dec 2017\r\n2 groups listed (1 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cf1c4408-2236-4656-bb9f-0773acbb26af\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cf1c4408-2236-4656-bb9f-0773acbb26af\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cf1c4408-2236-4656-bb9f-0773acbb26af"
	],
	"report_names": [
		"listgroups.cgi?u=cf1c4408-2236-4656-bb9f-0773acbb26af"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "49f1ada0-181f-4e89-a449-e6bc13c8c6b1",
			"created_at": "2022-10-25T15:50:23.561511Z",
			"updated_at": "2026-04-10T02:00:05.382592Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"Threat Group 2889",
				"TG-2889"
			],
			"source_name": "MITRE:Cleaver",
			"tools": [
				"Net Crawler",
				"PsExec",
				"TinyZBot",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9663cdbf-646e-4579-881a-a8ebc3aabf63",
			"created_at": "2023-01-06T13:46:38.360862Z",
			"updated_at": "2026-04-10T02:00:02.942852Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"ITsecTeam"
			],
			"source_name": "MISPGALAXY:Cutting Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "217c588a-5896-4335-b9ec-a516ae2f9a7e",
			"created_at": "2022-10-25T16:07:23.513775Z",
			"updated_at": "2026-04-10T02:00:04.635263Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"Cutting Kitten",
				"G0003",
				"Operation Cleaver",
				"TG-2889"
			],
			"source_name": "ETDA:Cutting Kitten",
			"tools": [
				"CsExt",
				"DistTrack",
				"IvizTech",
				"Jasus",
				"KAgent",
				"Logger Module",
				"MANGOPUNCH",
				"MPK",
				"MPKBot",
				"Net Crawler",
				"NetC",
				"PVZ-In",
				"PVZ-Out",
				"Pupy",
				"PupyRAT",
				"PvzOut",
				"Shamoon",
				"SynFlooder",
				"SysKit",
				"TinyZBot",
				"WndTest",
				"pupy",
				"zhCat",
				"zhMimikatz"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434154,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79b5d8e694da96ce64218c9ace37c52542b9f40a.pdf",
		"text": "https://archive.orkl.eu/79b5d8e694da96ce64218c9ace37c52542b9f40a.txt",
		"img": "https://archive.orkl.eu/79b5d8e694da96ce64218c9ace37c52542b9f40a.jpg"
	}
}