{
	"id": "79ebc1a7-cd92-4600-bfc1-a6f1dafa03cb",
	"created_at": "2026-04-06T00:15:42.607177Z",
	"updated_at": "2026-04-10T03:33:36.918173Z",
	"deleted_at": null,
	"sha1_hash": "7cacecd008b7bdc0b70d17e003333fbb10a1c036",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49827,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:28:13 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BH_A006\n Tool: BH_A006\nNames BH_A006\nCategory Malware\nType Reconnaissance, Backdoor, Keylogger, Info stealer\nDescription\n(BleepingComputer) BH_A006 is a heavily modified version of the Gh0st RAT backdoor,\nfeaturing many layers of obfuscation to bypass security protections and thwart analysis.\nIts features include network service creation, UAC bypassing, and shellcode unpacking and\nlaunching in the memory.\nInformation\nLast change to this tool card: 19 July 2022\nDownload this tool card in JSON format\nAll groups using tool BH_A006\nChanged Name Country Observed\nAPT groups\n Space Pirates 2017-Nov 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c1bd4d19-ed21-45b3-a7a3-bc81ded7effb\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c1bd4d19-ed21-45b3-a7a3-bc81ded7effb\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c1bd4d19-ed21-45b3-a7a3-bc81ded7effb"
	],
	"report_names": [
		"listgroups.cgi?u=c1bd4d19-ed21-45b3-a7a3-bc81ded7effb"
	],
	"threat_actors": [
		{
			"id": "536ca49a-2666-4005-8a50-e552fc7e16ef",
			"created_at": "2023-11-21T02:00:07.375813Z",
			"updated_at": "2026-04-10T02:00:03.471967Z",
			"deleted_at": null,
			"main_name": "Webworm",
			"aliases": [
				"Space Pirates"
			],
			"source_name": "MISPGALAXY:Webworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4",
			"created_at": "2022-10-25T16:07:24.219051Z",
			"updated_at": "2026-04-10T02:00:04.902017Z",
			"deleted_at": null,
			"main_name": "Space Pirates",
			"aliases": [
				"Erudite Mogwai",
				"Webworm"
			],
			"source_name": "ETDA:Space Pirates",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BH_A006",
				"Chymine",
				"Darkmoon",
				"Deed RAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"MyKLoadClient",
				"Mydoor",
				"PCRat",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SnappyBee",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434542,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7cacecd008b7bdc0b70d17e003333fbb10a1c036.pdf",
		"text": "https://archive.orkl.eu/7cacecd008b7bdc0b70d17e003333fbb10a1c036.txt",
		"img": "https://archive.orkl.eu/7cacecd008b7bdc0b70d17e003333fbb10a1c036.jpg"
	}
}