{ "id": "4cd63fe1-73a3-46b3-adcc-55b632aad0e1", "created_at": "2026-04-06T03:36:21.853504Z", "updated_at": "2026-04-10T03:29:24.364989Z", "deleted_at": null, "sha1_hash": "8587ade915384336ecba48394bdd69affe755eec", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48535, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 02:10:46 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool XServer\r\n Tool: XServer\r\nNames\r\nXServer\r\nFilesnfer\r\nCategory Malware\r\nType Tunneling\r\nDescription\r\n(Fox-IT) Several tools appear to be used exclusively by this actor. One of those tools, named\r\nXServer according to the source code, provides proxy/tunneling functionality which is used for\r\nlateral movement.\r\nInformation\r\n\u003chttps://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.xserver\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool XServer\r\nChanged Name Country Observed\r\nAPT groups\r\n  APT 20, Violin Panda 2014-2017  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a4a42490-f65f-4de4-a356-e4a48c03abe2\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a4a42490-f65f-4de4-a356-e4a48c03abe2\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a4a42490-f65f-4de4-a356-e4a48c03abe2" ], "report_names": [ "listgroups.cgi?u=a4a42490-f65f-4de4-a356-e4a48c03abe2" ], "threat_actors": [ { "id": "5d512e7c-f6a7-47b5-b440-4968c299deaf", "created_at": "2023-01-06T13:46:38.344772Z", "updated_at": "2026-04-10T02:00:02.9359Z", "deleted_at": null, "main_name": "APT20", "aliases": [ "VIOLIN PANDA", "TH3Bug", "Crawling Taurus" ], "source_name": "MISPGALAXY:APT20", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b7cb83fe-4412-40b3-8757-ace5107599b6", "created_at": "2023-01-06T13:46:39.08347Z", "updated_at": "2026-04-10T02:00:03.207564Z", "deleted_at": null, "main_name": "Operation Wocao", "aliases": [], "source_name": "MISPGALAXY:Operation Wocao", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "dd583696-3de6-4c23-bfb6-e675a38a7000", "created_at": "2022-10-25T16:07:23.338398Z", "updated_at": "2026-04-10T02:00:04.548798Z", "deleted_at": null, "main_name": "APT 20", "aliases": [ "APT 20", "APT 8", "Crawling Taurus", "Operation Wocao", "TH3Bug", "Violin Panda" ], "source_name": "ETDA:APT 20", "tools": [ "Agent.dhwf", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "Filesnfer", "Gen:Trojan.Heur.PT", "Kaba", "KeeThief", "Kerberoast", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "PlugX", "Poison Ivy", "ProcDump", "PsExec", "RedDelta", "SMBExec", "SPIVY", "SharpHound", "Sogu", "TIGERPLUG", "TVT", "Thoper", "WinRAR", "XServer", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "4b48d9e2-ef19-44fb-938b-30a9078d9e49", "created_at": "2022-10-25T15:50:23.314139Z", "updated_at": "2026-04-10T02:00:05.317785Z", "deleted_at": null, "main_name": "Operation Wocao", "aliases": [ "Operation Wocao" ], "source_name": "MITRE:Operation Wocao", "tools": [ "netstat", "dsquery", "Mimikatz", "PowerSploit", "Impacket" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775446581, "ts_updated_at": 1775791764, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8587ade915384336ecba48394bdd69affe755eec.pdf", "text": "https://archive.orkl.eu/8587ade915384336ecba48394bdd69affe755eec.txt", "img": "https://archive.orkl.eu/8587ade915384336ecba48394bdd69affe755eec.jpg" } }