{
	"id": "c3ac0357-decf-4eb1-bf04-036d0a12c446",
	"created_at": "2026-04-06T00:19:07.299494Z",
	"updated_at": "2026-04-10T03:34:27.589125Z",
	"deleted_at": null,
	"sha1_hash": "84c40c4e068341bd7d9e73b26401160d48db286a",
	"title": "WMI Ghost - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54780,
	"plain_text": "WMI Ghost - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:06:37 UTC\r\nTool: WMI Ghost\r\nNames: WMI Ghost, Wimmie, Syndicasec\r\nCategory: Malware\r\nType: Backdoor, Exfiltration\r\nDescription\r\n(Trend Micro) The malware used in the Luckycat campaign, detected by Trend Micro as TROJ_WIMMIE or VBS_WIMMIE, connects to a C\u0026C server via HTTP over port 80. It is notable because it uses Windows Management Instrumentation (WMI) to establish persistence. VBS_WIMMIE registers a script that works as a backdoor to the WMI event handler and deletes files associated with it or TROJ_WIMMIE. As a result, the backdoor cannot be detected by antivirus software through simple file scanning. The compromised computer posts data to a PHP script that runs on the C\u0026C server, usually count.php.\r\nThe initial communication results in the creation of a file on the C\u0026C server that contains information on the compromised computer. Although the file is empty, the file name contains the hostname of the compromised computer, followed by its MAC address, along with the campaign code the attackers use to identify which malware attack caused the compromise:\r\n~[HOSTNAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]\r\nThe attacker then creates a file with a name that ends in @.c, which contains a command.\r\n[HOSTNAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]@.c\r\nThe compromised computer then downloads the file and executes the specified command, which may include any of the following:\r\n• Get external IP address\r\n• Execute shell command\r\n• Download file\r\n• Upload file\r\nThe compromised computer then sends the output to the C\u0026C server and deletes the command file.\r\nInformation\r\nLast change to this tool card: 14 May 2020\r\nAll groups using tool WMI Ghost\r\nChanged | Name | Country | Observed\r\nAPT groups\r\n| Lotus Blossom, Spring Dragon, Thrip | | 2012-Aug 2024\r\n| Lucky Cat | | 2011\r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=79ca754c-8547-4c75-b7c9-836e9bf0034f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=79ca754c-8547-4c75-b7c9-836e9bf0034f"
	],
	"report_names": [
		"listgroups.cgi?u=79ca754c-8547-4c75-b7c9-836e9bf0034f"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9792e41f-4165-474b-99fa-e74ec332bd87",
			"created_at": "2023-01-06T13:46:38.986789Z",
			"updated_at": "2026-04-10T02:00:03.172308Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [
				"TA413",
				"White Dev 9"
			],
			"source_name": "MISPGALAXY:Lucky Cat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1a651080-cb2f-49bb-87cb-b9c6f6f99ce9",
			"created_at": "2022-10-25T16:07:23.809467Z",
			"updated_at": "2026-04-10T02:00:04.756067Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [],
			"source_name": "ETDA:Lucky Cat",
			"tools": [
				"Comfoo",
				"Comfoo RAT",
				"Lucky Cat",
				"LuckyCat",
				"Sojax",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434747,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84c40c4e068341bd7d9e73b26401160d48db286a.pdf",
		"text": "https://archive.orkl.eu/84c40c4e068341bd7d9e73b26401160d48db286a.txt",
		"img": "https://archive.orkl.eu/84c40c4e068341bd7d9e73b26401160d48db286a.jpg"
	}
}
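Added example, not part of the archived ETDA card and not Trend Micro's or the malware's own code: the card's description says VBS_WIMMIE persists by registering a script with the WMI event handler and then deletes its files, so file scanning misses it. On a live Windows host the artifact that survives is the permanent event subscription itself (an __EventFilter, an __EventConsumer and the __FilterToConsumerBinding that joins them, all in root\subscription). The PowerShell below enumerates those three object sets, resolves each binding to its filter and consumer, pulls out the consumer's payload (inline script text, script file name or command line) and flags script-backed consumers. The two indicator strings it also checks, count.php and the "@.c" command-file suffix, are taken from the card's C\u0026C description and are assumed heuristics, not signatures; the function and variable names are this example's own.

```powershell
# Added example (not from the ETDA card or Trend Micro, and not the malware's
# own code): enumerate WMI permanent event subscriptions on a Windows host and
# flag the script-backed consumers that VBS_WIMMIE-style persistence relies on.
# Run as an administrator; reading root\subscription generally needs elevation.
# The indicator strings below (count.php, the "@.c" command-file suffix) come
# from the card's description and are assumed heuristics, not signatures.

$Namespace  = 'root\subscription'
$Indicators = 'count\.php', '@\.c'        # regex fragments drawn from the card text

function Get-RefName {
    # A binding's Filter/Consumer property is a CIM reference. Get-CimInstance
    # returns it as a CimInstance; older tooling returns the path string
    # '__EventFilter.Name="x"'. Handle both and return the referenced Name.
    param($Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return [string]$Ref.Name }
    if ("$Ref" -match 'Name="([^"]*)"') { return $Matches[1] }
    return "$Ref"
}

function Get-WmiSubscriptionReport {
    param([string]$Ns = $Namespace)

    # Querying the abstract base class __EventConsumer returns every concrete
    # consumer (ActiveScriptEventConsumer, CommandLineEventConsumer, ...).
    $filters   = @(Get-CimInstance -Namespace $Ns -ClassName __EventFilter -ErrorAction Stop)
    $consumers = @(Get-CimInstance -Namespace $Ns -ClassName __EventConsumer -ErrorAction Stop)
    $bindings  = @(Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding -ErrorAction Stop)

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
        $class = if ($c) { $c.CimClass.CimClassName } else { '(missing consumer)' }

        # ActiveScriptEventConsumer holds the script inline (ScriptText) or by
        # path (ScriptFileName); CommandLineEventConsumer holds a command line.
        $payload = if ($c.ScriptText)              { $c.ScriptText }
                   elseif ($c.ScriptFileName)      { $c.ScriptFileName }
                   elseif ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   else                            { '' }

        $hits = @($Indicators | Where-Object { $payload -match $_ })

        [pscustomobject]@{
            FilterName    = $fName
            Query         = if ($f) { $f.Query } else { '(missing filter)' }
            ConsumerName  = $cName
            ConsumerClass = $class
            ScriptBacked  = ($class -eq 'ActiveScriptEventConsumer')
            IndicatorHits = ($hits -join ', ')
            Payload       = $payload
        }
    }
}

# Print everything; anything ScriptBacked or with IndicatorHits deserves a
# manual read of Payload. Expect legitimate entries (the SCM event-log
# consumer, management agents), so review rather than delete blindly.
Get-WmiSubscriptionReport | Sort-Object -Property ScriptBacked -Descending | Format-List
```

Two practitioner notes. First, because the script lives in the WMI repository rather than on disk as a separate file, an offline examiner can also search the repository itself (%SystemRoot%\System32\wbem\Repository\OBJECTS.DATA) for the script text, and on Windows 10 / Server 2016 and later the Microsoft-Windows-WMI-Activity/Operational log records the creation of permanent subscriptions as event ID 5861 (Sysmon reports filter, consumer and binding activity as event IDs 19, 20 and 21), which catches the registration at the moment it happens rather than after the fact. Second, if a subscription is confirmed malicious, remove the binding first, then the consumer, then the filter (piping each object to Remove-CimInstance), since deleting the filter or consumer first leaves a dangling binding that some tooling will not show.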