{
	"id": "7a14a463-e05b-4882-a27d-4e02060508ce",
	"created_at": "2026-04-06T15:52:53.454786Z",
	"updated_at": "2026-04-10T13:12:09.926397Z",
	"deleted_at": null,
	"sha1_hash": "9c50fd0886339e5ca6d8d96930971a2e57541615",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51527,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 15:35:36 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SparrowDoor\n Tool: SparrowDoor\nNames\nSparrowDoor\nFamousSparrow\nCategory Malware\nType Backdoor\nDescription\n(ESET) The connections could be either through a proxy or not, and they connect to the C\u0026C\nserver over port 443 (HTTPS). So, the communication should be encrypted using TLS. During\nthe first attempt to contact the C\u0026C server, SparrowDoor checks whether a connection can be\nestablished without using a proxy, and if it can’t, then the data is sent through a proxy. All\noutgoing data is encrypted using the XOR key hH7@83#mi and all incoming data is decrypted\nusing the XOR key h*^4hFa. The data has a structure that starts with a Command ID, followed\nby the length of the ensuing encrypted data, followed by the encrypted data.\nInformation Malpedia Last change to this tool card: 28 December 2022\nDownload this tool card in JSON format\nAll groups using tool SparrowDoor\nChanged Name Country Observed\nAPT groups\n Salt Typhoon, GhostEmperor 2020-Feb 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c8a05977-6a47-489d-a31e-9893f985d816\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c8a05977-6a47-489d-a31e-9893f985d816\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c8a05977-6a47-489d-a31e-9893f985d816\r\nPage 2 of 2\n\nAPT groups Salt Typhoon, GhostEmperor 2020-Feb 2025 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c8a05977-6a47-489d-a31e-9893f985d816"
	],
	"report_names": [
		"listgroups.cgi?u=c8a05977-6a47-489d-a31e-9893f985d816"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775490773,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c50fd0886339e5ca6d8d96930971a2e57541615.pdf",
		"text": "https://archive.orkl.eu/9c50fd0886339e5ca6d8d96930971a2e57541615.txt",
		"img": "https://archive.orkl.eu/9c50fd0886339e5ca6d8d96930971a2e57541615.jpg"
	}
}