{
	"id": "541b7928-ad3b-41d4-a700-fff57e0cd58f",
	"created_at": "2026-04-06T00:12:25.894875Z",
	"updated_at": "2026-04-10T13:12:21.512175Z",
	"deleted_at": null,
	"sha1_hash": "86df0f3c7a4f8b162090f5a20e8880d301e321f8",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45269,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:06:00 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool HTTPSnoop\nTool: HTTPSnoop\nNames: HTTPSnoop, TOFULOAD\nCategory: Malware\nType: Backdoor\nDescription:\n(Talos) HTTPSnoop is a simple, yet effective, new backdoor that uses low-level Windows APIs to interact directly with the HTTP device on the system. It leverages this capability to bind to specific HTTP(S) URL patterns to the endpoint to listen for incoming requests. Any incoming requests for the specified URLs are picked up by the implant, which then proceeds to decode the data accompanying the HTTP request. The decoded HTTP data is, in fact, shellcode that is then executed on the infected endpoint.\nHTTPSnoop consists of the same code across all observed variants, with the key difference in samples being the URL patterns that it listens for.\nInformation: Malpedia\nLast change to this tool card: 27 December 2024\nDownload this tool card in JSON format\nAll groups using tool HTTPSnoop\nChanged | Name | Country | Observed\nAPT groups\n | ShroudedSnooper | [Unknown] | 2023\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=734dd7c9-ea82-4ee7-9850-65bbde4b198f\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=734dd7c9-ea82-4ee7-9850-65bbde4b198f\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=734dd7c9-ea82-4ee7-9850-65bbde4b198f\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=734dd7c9-ea82-4ee7-9850-65bbde4b198f"
	],
	"report_names": [
		"listgroups.cgi?u=734dd7c9-ea82-4ee7-9850-65bbde4b198f"
	],
	"threat_actors": [
		{
			"id": "9d63303c-817c-40d7-b703-c6d62f0dbddc",
			"created_at": "2023-10-14T02:03:14.471787Z",
			"updated_at": "2026-04-10T02:00:04.891855Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "ETDA:ShroudedSnooper",
			"tools": [
				"HTTPSnoop",
				"PipeSnoop",
				"TOFULOAD",
				"TOFUPIPE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1ddad928-ad5f-4885-9abd-e8965dd793df",
			"created_at": "2023-11-08T02:00:07.129402Z",
			"updated_at": "2026-04-10T02:00:03.421623Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "MISPGALAXY:ShroudedSnooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434345,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86df0f3c7a4f8b162090f5a20e8880d301e321f8.pdf",
		"text": "https://archive.orkl.eu/86df0f3c7a4f8b162090f5a20e8880d301e321f8.txt",
		"img": "https://archive.orkl.eu/86df0f3c7a4f8b162090f5a20e8880d301e321f8.jpg"
	}
}