{ "id": "c849ecea-8ac4-4ef5-97aa-e8eab6e7a3b0", "created_at": "2026-04-06T02:13:19.060808Z", "updated_at": "2026-04-10T03:37:01.1356Z", "deleted_at": null, "sha1_hash": "97ac777e8afd01c2c6f45cdd60f100aab146376e", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49313, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 02:10:01 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Sword2033\n Tool: Sword2033\nNames Sword2033\nCategory Malware\nType Backdoor, Downloader, Exfiltration\nDescription\n(Palo Alto) Pivoting on the C2 domain, we identified one additional sample that also\ncommunicated with yrhsywu2009.zapto[.]org.\nSimilar to the PingPull variant above, this sample was designed to connect to port 8443 over\nHTTPS. However, analysis of the sample revealed that it’s a simple backdoor that we track as\nSword2033.\nInformation Malpedia Last change to this tool card: 22 June 2023\nDownload this tool card in JSON format\nAll groups using tool Sword2033\nChanged Name Country Observed\nAPT groups\n Gallium 2018-Jun 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e658d68f-cd4b-4132-8198-ff06d6c75da5\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e658d68f-cd4b-4132-8198-ff06d6c75da5\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e658d68f-cd4b-4132-8198-ff06d6c75da5" ], "report_names": [ "listgroups.cgi?u=e658d68f-cd4b-4132-8198-ff06d6c75da5" ], "threat_actors": [ { "id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd", "created_at": "2022-10-25T15:50:23.264584Z", "updated_at": "2026-04-10T02:00:05.334294Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "GALLIUM", "Granite Typhoon" ], "source_name": "MITRE:GALLIUM", "tools": [ "ipconfig", "cmd", "China Chopper", "PoisonIvy", "at", "PlugX", "PingPull", "BlackMould", "Mimikatz", "PsExec", "HTRAN", "NBTscan", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "9faf32b7-0221-46ac-a716-c330c1f10c95", "created_at": "2022-10-25T16:07:23.652281Z", "updated_at": "2026-04-10T02:00:04.702108Z", "deleted_at": null, "main_name": "Gallium", "aliases": [ "Alloy Taurus", "G0093", "Granite Typhoon", "Phantom Panda" ], "source_name": "ETDA:Gallium", "tools": [ "Agentemis", "BlackMould", "CHINACHOPPER", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Darkmoon", "Gen:Trojan.Heur.PT", "Gh0stCringe RAT", "HTran", "HUC Packet Transmit Tool", "LaZagne", "Mimikatz", "NBTscan", "PingPull", "Plink", "Poison Ivy", "PsExec", "PuTTY Link", "QuarkBandit", "Quasar RAT", "QuasarRAT", "Reshell", "SPIVY", "SinoChopper", "SoftEther VPN", "Sword2033", "WCE", "WinRAR", "Windows Credential Editor", "Windows Credentials Editor", "Yggdrasil", "cobeacon", "nbtscan", "netcat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "c87ee2df-e528-4fa0-bed6-6ed29e390688", "created_at": "2023-01-06T13:46:39.150432Z", "updated_at": "2026-04-10T02:00:03.231072Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "Red Dev 4", "Alloy Taurus", "Granite Typhoon", "PHANTOM PANDA" ], "source_name": "MISPGALAXY:GALLIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775441599, "ts_updated_at": 1775792221, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/97ac777e8afd01c2c6f45cdd60f100aab146376e.pdf", "text": "https://archive.orkl.eu/97ac777e8afd01c2c6f45cdd60f100aab146376e.txt", "img": "https://archive.orkl.eu/97ac777e8afd01c2c6f45cdd60f100aab146376e.jpg" } }