{
	"id": "13e6918c-4577-4ae0-8ef4-d3809a671ad8",
	"created_at": "2026-04-06T00:17:16.989814Z",
	"updated_at": "2026-04-10T03:33:16.309631Z",
	"deleted_at": null,
	"sha1_hash": "8b8a629d0c33f6df163fdfc9106c6401d31fd35a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46940,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:40:16 UTC\nTool: Cuthead\nNames Cuthead\nCategory Malware\nType Info stealer\nDescription\n(Kaspersky) Recently, ToddyCat started using a new tool we named cuthead to search for\ndocuments. The name originated from the “file description” field of the sample we found. It is\na .NET compiled executable designed to search for files and store those it finds inside an\narchive. The tool can search for specified file extensions or words in the file name.\nInformation Last change to this tool card: 23 April 2024\nAll groups using tool Cuthead\nChanged Name Country Observed\nAPT groups\n ToddyCat 2020-2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5f231d6e-d68b-4e07-94a2-3427697d13df",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5f231d6e-d68b-4e07-94a2-3427697d13df"
	],
	"report_names": [
		"listgroups.cgi?u=5f231d6e-d68b-4e07-94a2-3427697d13df"
	],
	"threat_actors": [
		{
			"id": "d67df52c-a901-4d55-b287-321818500789",
			"created_at": "2024-04-24T02:00:49.591518Z",
			"updated_at": "2026-04-10T02:00:05.314272Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"ToddyCat"
			],
			"source_name": "MITRE:ToddyCat",
			"tools": [
				"Cobalt Strike",
				"LoFiSe",
				"China Chopper",
				"netstat",
				"Pcexter",
				"Samurai"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5",
			"created_at": "2022-10-25T16:07:24.329539Z",
			"updated_at": "2026-04-10T02:00:04.939013Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Operation Stayin’ Alive",
				"Storm-0247"
			],
			"source_name": "ETDA:ToddyCat",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Cuthead",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"Krong",
				"LoFiSe",
				"Ngrok",
				"PcExter",
				"PsExec",
				"SIMPOBOXSPY",
				"Samurai",
				"SinoChopper",
				"SoftEther VPN",
				"TomBerBil",
				"WAExp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434636,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b8a629d0c33f6df163fdfc9106c6401d31fd35a.pdf",
		"text": "https://archive.orkl.eu/8b8a629d0c33f6df163fdfc9106c6401d31fd35a.txt",
		"img": "https://archive.orkl.eu/8b8a629d0c33f6df163fdfc9106c6401d31fd35a.jpg"
	}
}