{
	"id": "81b11e21-5033-464b-9f20-9fa19ace143a",
	"created_at": "2026-04-06T00:10:39.617838Z",
	"updated_at": "2026-04-10T03:32:20.815623Z",
	"deleted_at": null,
	"sha1_hash": "7f67597443fe4bba583eda46d4f29194f355c72e",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50497,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:35:49 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MultiPipeLoader\r\n Tool: MultiPipeLoader\r\nNames MultiPipeLoader\r\nCategory Malware\r\nType Loader\r\nDescription\r\n(Trend Micro) MultipipeLoader uses multiple threads to read/write the encrypted payload like\r\nBigpipeLoader, but it implements a similar decryption routine as CroxLoader.\r\nInformation\r\n\u003chttps://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\u003e\r\nLast change to this tool card: 19 November 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool MultiPipeLoader\r\nChanged Name Country Observed\r\nAPT groups\r\n      ↳ Subgroup: Earth Longzhi 2020-Apr 2023  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=48f98833-b2e7-4771-b3f1-2cb49776a23b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=48f98833-b2e7-4771-b3f1-2cb49776a23b\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=48f98833-b2e7-4771-b3f1-2cb49776a23b"
	],
	"report_names": [
		"listgroups.cgi?u=48f98833-b2e7-4771-b3f1-2cb49776a23b"
	],
	"threat_actors": [
		{
			"id": "5b317799-01c0-48fa-aee2-31a738116771",
			"created_at": "2022-11-20T02:02:37.746719Z",
			"updated_at": "2026-04-10T02:00:04.561617Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"Earth Longzhi"
			],
			"source_name": "ETDA:Earth Longzhi",
			"tools": [
				"Agentemis",
				"BigpipeLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"CroxLoader",
				"MultiPipeLoader",
				"OutLoader",
				"Symatic Loader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d196cb29-a861-4838-b157-a31ac92c6fb1",
			"created_at": "2023-11-04T02:00:07.66699Z",
			"updated_at": "2026-04-10T02:00:03.386945Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"SnakeCharmer"
			],
			"source_name": "MISPGALAXY:Earth Longzhi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f67597443fe4bba583eda46d4f29194f355c72e.pdf",
		"text": "https://archive.orkl.eu/7f67597443fe4bba583eda46d4f29194f355c72e.txt",
		"img": "https://archive.orkl.eu/7f67597443fe4bba583eda46d4f29194f355c72e.jpg"
	}
}