{ "id": "7ea67bbc-950c-40d4-b051-796469bde2b9", "created_at": "2026-04-06T00:22:11.736656Z", "updated_at": "2026-04-10T03:34:41.411423Z", "deleted_at": null, "sha1_hash": "97cd8cfaa9e3cd70ae03fa3052b4aa1fa46fba52", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 44701, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:17:54 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool RDPWrap\r\n Tool: RDPWrap\r\nNames RDPWrap\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(AnyViewer) Many users of RDP may have heard of RDP Wrapper before. RDP Wrapper\r\nworks as a layer between Service Control Manager and Terminal Services. Or say, it’s like a\r\npipe, which connects Service Control Manager and Terminal Services. It enables Remote\r\nDesktop Host support and concurrent RDP sessions. Instead of modifying termsrv.dll file, the\r\noriginal termsrv.dll file remains untouched.\r\nInformation \u003chttps://www.anyviewer.com/how-to/is-rdp-wrapper-safe-2578.html\u003e\r\nLast change to this tool card: 15 February 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool RDPWrap\r\nChanged Name Country Observed\r\nAPT groups\r\n  OPERA1ER [Unknown] 2016-Jul 2023\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9cf7f09d-2498-45dc-8690-1b58ca1d709a\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9cf7f09d-2498-45dc-8690-1b58ca1d709a\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9cf7f09d-2498-45dc-8690-1b58ca1d709a" ], "report_names": [ "listgroups.cgi?u=9cf7f09d-2498-45dc-8690-1b58ca1d709a" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "11c69e3d-a740-4a70-abd3-158ac0375452", "created_at": "2023-01-06T13:46:39.29608Z", "updated_at": "2026-04-10T02:00:03.27813Z", "deleted_at": null, "main_name": "Common Raven", "aliases": [ "NXSMS", "DESKTOP-GROUP", "OPERA1ER" ], "source_name": "MISPGALAXY:Common Raven", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a1071a25-d7c1-41be-a97f-2ec1b167ceb0", "created_at": "2023-02-18T02:04:24.365926Z", "updated_at": "2026-04-10T02:00:04.792271Z", "deleted_at": null, "main_name": "OPERA1ER", "aliases": [ "Common Raven", "DESKTOP-GROUP", "NXSMS", "Operation Nervone" ], "source_name": "ETDA:OPERA1ER", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Agentemis", "BitRAT", "BlackNET RAT", "Cobalt Strike", "CobaltStrike", "Kasidet", "LOLBAS", "LOLBins", "Living off the Land", "Metasploit", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Neutrino Bot", "Neutrino Exploit Kit", "Ngrok", "Origin Logger", "PsExec", "RDPWrap", "Recam", "Remcos", "RemcosRAT", "Remvio", "Revealer Keylogger", "Socmer", "VenomRAT", "ZPAQ", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434931, "ts_updated_at": 1775792081, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/97cd8cfaa9e3cd70ae03fa3052b4aa1fa46fba52.pdf", "text": "https://archive.orkl.eu/97cd8cfaa9e3cd70ae03fa3052b4aa1fa46fba52.txt", "img": "https://archive.orkl.eu/97cd8cfaa9e3cd70ae03fa3052b4aa1fa46fba52.jpg" } }