{
	"id": "5fd545ec-6533-4aac-bcaa-e0253a04d4c4",
	"created_at": "2026-04-06T00:21:35.601292Z",
	"updated_at": "2026-04-10T13:11:38.327226Z",
	"deleted_at": null,
	"sha1_hash": "8baa30702fbf3450eaa01174015105806c6ee42c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48206,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:10:33 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool WHEATSCAN\r\n Tool: WHEATSCAN\r\nNames WHEATSCAN\r\nCategory Malware\r\nType Vulnerability scanner\r\nDescription\r\n(FireEye) After gaining initial access, the operators conduct credential harvesting and\r\nextensive internal network reconnaissance. This includes running native Windows commands\r\non compromised servers, executing AdFind on the Active Directory, and scanning the internal\r\nnetwork with numerous publicly available tools and a non-public scanner we named\r\nWHEATSCAN. The operators made a consistent effort to delete these tools and remove any\r\nresidual forensic artifacts from compromised systems.\r\nInformation\r\n\u003chttps://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html\u003e\r\nLast change to this tool card: 01 November 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool WHEATSCAN\r\nChanged Name Country Observed\r\nAPT groups\r\n  UNC215 2019  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84f91da3-6425-433b-bdbf-ff37b64b8335\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84f91da3-6425-433b-bdbf-ff37b64b8335\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84f91da3-6425-433b-bdbf-ff37b64b8335"
	],
	"report_names": [
		"listgroups.cgi?u=84f91da3-6425-433b-bdbf-ff37b64b8335"
	],
	"threat_actors": [
		{
			"id": "274f04ff-fae8-4e90-bcf5-3e391a860cd5",
			"created_at": "2023-12-08T02:00:05.75114Z",
			"updated_at": "2026-04-10T02:00:03.493837Z",
			"deleted_at": null,
			"main_name": "UNC215",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC215",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea34919f-9093-4e34-b9de-a37ab9b4d5c4",
			"created_at": "2022-10-25T16:07:24.35727Z",
			"updated_at": "2026-04-10T02:00:04.952883Z",
			"deleted_at": null,
			"main_name": "UNC215",
			"aliases": [],
			"source_name": "ETDA:UNC215",
			"tools": [
				"AdFind",
				"CHINACHOPPER",
				"China Chopper",
				"FOCUSFJORD",
				"HighShell",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Mimikatz",
				"NBTscan",
				"ProcDump",
				"PsExec",
				"SEASHARPEE",
				"SinoChopper",
				"SysUpdate",
				"TwoFace",
				"WHEATSCAN",
				"WinRAR",
				"certutil",
				"certutil.exe",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434895,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8baa30702fbf3450eaa01174015105806c6ee42c.pdf",
		"text": "https://archive.orkl.eu/8baa30702fbf3450eaa01174015105806c6ee42c.txt",
		"img": "https://archive.orkl.eu/8baa30702fbf3450eaa01174015105806c6ee42c.jpg"
	}
}