{
	"id": "c3f69534-56cd-4dcc-a15f-fb83cbcb26b5",
	"created_at": "2026-04-06T00:11:55.924102Z",
	"updated_at": "2026-04-10T13:12:29.167489Z",
	"deleted_at": null,
	"sha1_hash": "92344e2dba510864b6612d60345f1fa64fdd68bc",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49784,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:18:23 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool CookieBag\r\n Tool: CookieBag\r\nNames\r\nCookieBag\r\nTROJAN.COOKIES\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\nThis family of malware is a backdoor capable of file upload and download as well as\r\nproviding remote interactive shell access to the compromised machine. Communication with\r\nthe Command \u0026 Control (C2) servers uses a combination of single-byte XOR and Base64\r\nencoded data in the Cookie and Set-Cookie HTTP header fields. Communication with the C2\r\nservers is over port 80. Some variants install a registry key as means of a persistence\r\nmechanism. The hardcoded strings cited include a string of a command in common with\r\nseveral other APT1 families.\r\nInformation \u003chttp://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool CookieBag\r\nChanged Name Country Observed\r\nAPT groups\r\n  Comment Crew, APT 1 2006-May 2018\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8df20cec-8073-495f-9c2d-cc6fb70028ec\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8df20cec-8073-495f-9c2d-cc6fb70028ec\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8df20cec-8073-495f-9c2d-cc6fb70028ec\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8df20cec-8073-495f-9c2d-cc6fb70028ec"
	],
	"report_names": [
		"listgroups.cgi?u=8df20cec-8073-495f-9c2d-cc6fb70028ec"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434315,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92344e2dba510864b6612d60345f1fa64fdd68bc.pdf",
		"text": "https://archive.orkl.eu/92344e2dba510864b6612d60345f1fa64fdd68bc.txt",
		"img": "https://archive.orkl.eu/92344e2dba510864b6612d60345f1fa64fdd68bc.jpg"
	}
}