{ "id": "cd5955e1-9fe2-4428-9a90-6b979099f669", "created_at": "2026-04-06T00:22:35.47172Z", "updated_at": "2026-04-10T13:12:55.856321Z", "deleted_at": null, "sha1_hash": "8fa85c941742400212dcb4ba119265f71be81554", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51971, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:48:06 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SoftEther VPN\n Tool: SoftEther VPN\nNames SoftEther VPN\nCategory Tools\nType Tunneling\nDescription\nSoftEther VPN ('SoftEther' means 'Software Ethernet') is one of the world's most powerful and\neasy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and\nSolaris.\nSoftEther VPN is open source. You can use SoftEther for any personal or commercial use for\nfree charge.\nInformation Last change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool SoftEther VPN\nChanged Name Country Observed\nAPT groups\n Flax Typhoon 2021-Nov 2023\n Gallium 2018-Jun 2022\n Hydrochasma [Unknown] 2022\n Operation Jacana 2023\n ToddyCat 2020-2024\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=29730658-6b16-42a8-8dff-5afe570d3c7c\nPage 1 of 2\n\n5 groups listed (5 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=29730658-6b16-42a8-8dff-5afe570d3c7c\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=29730658-6b16-42a8-8dff-5afe570d3c7c\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=29730658-6b16-42a8-8dff-5afe570d3c7c" ], "report_names": [ "listgroups.cgi?u=29730658-6b16-42a8-8dff-5afe570d3c7c" ], "threat_actors": [ { "id": "09031838-56db-4676-a2b2-4bc50d8b7b0b", "created_at": "2024-01-23T13:22:35.078612Z", "updated_at": "2026-04-10T02:00:03.519282Z", "deleted_at": null, "main_name": "Flax Typhoon", "aliases": [ "Ethereal Panda", "Storm-0919" ], "source_name": "MISPGALAXY:Flax Typhoon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd", "created_at": "2022-10-25T15:50:23.264584Z", "updated_at": "2026-04-10T02:00:05.334294Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "GALLIUM", "Granite Typhoon" ], "source_name": "MITRE:GALLIUM", "tools": [ "ipconfig", "cmd", "China Chopper", "PoisonIvy", "at", "PlugX", "PingPull", "BlackMould", "Mimikatz", "PsExec", "HTRAN", "NBTscan", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a", "created_at": "2023-09-07T02:02:47.367254Z", "updated_at": "2026-04-10T02:00:04.698935Z", "deleted_at": null, "main_name": "Flax Typhoon", "aliases": [ "Ethereal Panda", "RedJuliett" ], "source_name": "ETDA:Flax Typhoon", "tools": [ "BadPotato", "CHINACHOPPER", "China Chopper", "JuicyPotato", "LOLBAS", "LOLBins", "Living off the Land", "Metasploit", "Mimikatz", "SinoChopper", "SoftEther VPN" ], "source_id": "ETDA", "reports": null }, { "id": "d67df52c-a901-4d55-b287-321818500789", "created_at": "2024-04-24T02:00:49.591518Z", "updated_at": "2026-04-10T02:00:05.314272Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "ToddyCat" ], "source_name": "MITRE:ToddyCat", "tools": [ "Cobalt Strike", "LoFiSe", "China Chopper", "netstat", "Pcexter", "Samurai" ], "source_id": "MITRE", "reports": null }, { "id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5", "created_at": "2022-10-25T16:07:24.329539Z", "updated_at": "2026-04-10T02:00:04.939013Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "Operation Stayin’ Alive", "Storm-0247" ], "source_name": "ETDA:ToddyCat", "tools": [ "CHINACHOPPER", "China Chopper", "Cuthead", "FRP", "Fast Reverse Proxy", "Impacket", "Krong", "LoFiSe", "Ngrok", "PcExter", "PsExec", "SIMPOBOXSPY", "Samurai", "SinoChopper", "SoftEther VPN", "TomBerBil", "WAExp" ], "source_id": "ETDA", "reports": null }, { "id": "61c3f4b4-afd9-4187-91c3-ba6dfeeb6470", "created_at": "2023-10-14T02:03:14.355977Z", "updated_at": "2026-04-10T02:00:04.811984Z", "deleted_at": null, "main_name": "Operation Jacana", "aliases": [], "source_name": "ETDA:Operation Jacana", "tools": [ "Agent.dhwf", "Destroy RAT", "DestroyRAT", "DinodasRAT", "Impacket", "Kaba", "Korplug", "PlugX", "RedDelta", "SoftEther VPN", "Sogu", "TIGERPLUG", "TVT", "Thoper", "XDealer", "Xamtrav" ], "source_id": "ETDA", "reports": null }, { "id": "60d96824-1767-4b97-a6c7-7e9527458007", "created_at": "2023-01-06T13:46:39.378701Z", "updated_at": "2026-04-10T02:00:03.307846Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "Websiic" ], "source_name": "MISPGALAXY:ToddyCat", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ea4726a4-3b7c-45db-a579-2abd4986941c", "created_at": "2025-11-01T02:04:53.002048Z", "updated_at": "2026-04-10T02:00:03.764362Z", "deleted_at": null, "main_name": "BRONZE FLAXEN", "aliases": [ "Ethereal Panda ", "Flax Typhoon " ], "source_name": "Secureworks:BRONZE FLAXEN", "tools": [ "Bad Potato", "Juicy Potato", "Metasploit", "Mimikatz", "SoftEther VPN" ], "source_id": "Secureworks", "reports": null }, { "id": "2a7e1c40-e88e-49ca-97d1-ec65a306eb7a", "created_at": "2023-04-27T02:04:44.903564Z", "updated_at": "2026-04-10T02:00:04.724185Z", "deleted_at": null, "main_name": "Hydrochasma", "aliases": [], "source_name": "ETDA:Hydrochasma", "tools": [ "Agentemis", "BrowserGhost", "Cobalt Strike", "CobaltStrike", "GO Simple Tunnel", "GOST", "HackBrowserData", "LOLBAS", "LOLBins", "Living off the Land", "ProcDump", "SoftEther VPN", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9faf32b7-0221-46ac-a716-c330c1f10c95", "created_at": "2022-10-25T16:07:23.652281Z", "updated_at": "2026-04-10T02:00:04.702108Z", "deleted_at": null, "main_name": "Gallium", "aliases": [ "Alloy Taurus", "G0093", "Granite Typhoon", "Phantom Panda" ], "source_name": "ETDA:Gallium", "tools": [ "Agentemis", "BlackMould", "CHINACHOPPER", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Darkmoon", "Gen:Trojan.Heur.PT", "Gh0stCringe RAT", "HTran", "HUC Packet Transmit Tool", "LaZagne", "Mimikatz", "NBTscan", "PingPull", "Plink", "Poison Ivy", "PsExec", "PuTTY Link", "QuarkBandit", "Quasar RAT", "QuasarRAT", "Reshell", "SPIVY", "SinoChopper", "SoftEther VPN", "Sword2033", "WCE", "WinRAR", "Windows Credential Editor", "Windows Credentials Editor", "Yggdrasil", "cobeacon", "nbtscan", "netcat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "c87ee2df-e528-4fa0-bed6-6ed29e390688", "created_at": "2023-01-06T13:46:39.150432Z", "updated_at": "2026-04-10T02:00:03.231072Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "Red Dev 4", "Alloy Taurus", "Granite Typhoon", "PHANTOM PANDA" ], "source_name": "MISPGALAXY:GALLIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434955, "ts_updated_at": 1775826775, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8fa85c941742400212dcb4ba119265f71be81554.pdf", "text": "https://archive.orkl.eu/8fa85c941742400212dcb4ba119265f71be81554.txt", "img": "https://archive.orkl.eu/8fa85c941742400212dcb4ba119265f71be81554.jpg" } }