{
	"id": "dd720877-00a7-4568-ba22-e2a0dfb5304a",
	"created_at": "2026-04-06T00:15:44.682253Z",
	"updated_at": "2026-04-10T03:34:25.878315Z",
	"deleted_at": null,
	"sha1_hash": "9f9cebac8a80c56397589f33889341609ac54e89",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52500,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:18:51 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PhpSpy\r\n Tool: PhpSpy\r\nNames PhpSpy\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Symantec) The web shell is a modification of the PhpSpy backdoor and references the author\r\nMagicCoder while linking to the (deleted) domain magiccoder.ir. Researching the hacker\r\nhandle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as\r\ndefacements by the Iranian hacker group Sun Army.\r\nInformation\r\n\u003chttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool PhpSpy\r\nChanged Name Country Observed\r\nAPT groups\r\n  Leafminer, Raspite 2017  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1ed9cbd-0da6-4a0a-a728-60df805056fc\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1ed9cbd-0da6-4a0a-a728-60df805056fc\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1ed9cbd-0da6-4a0a-a728-60df805056fc"
	],
	"report_names": [
		"listgroups.cgi?u=f1ed9cbd-0da6-4a0a-a728-60df805056fc"
	],
	"threat_actors": [
		{
			"id": "81d49904-579d-45b3-ace2-1fdf0a713bc4",
			"created_at": "2022-10-25T15:50:23.331457Z",
			"updated_at": "2026-04-10T02:00:05.291098Z",
			"deleted_at": null,
			"main_name": "Leafminer",
			"aliases": [
				"Leafminer",
				"Raspite"
			],
			"source_name": "MITRE:Leafminer",
			"tools": [
				"LaZagne",
				"Mimikatz",
				"MailSniper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552eeef7-4a19-44de-9147-db8893c115ef",
			"created_at": "2023-01-06T13:46:38.598788Z",
			"updated_at": "2026-04-10T02:00:03.034846Z",
			"deleted_at": null,
			"main_name": "RASPITE",
			"aliases": [
				"LeafMiner",
				"Raspite"
			],
			"source_name": "MISPGALAXY:RASPITE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32c8c1a1-ae5c-4a05-a95d-2e970a46cd1e",
			"created_at": "2022-10-25T16:07:23.777999Z",
			"updated_at": "2026-04-10T02:00:04.747552Z",
			"deleted_at": null,
			"main_name": "Leafminer",
			"aliases": [
				"Flash Kitten",
				"G0077",
				"Leafminer",
				"Raspite"
			],
			"source_name": "ETDA:Leafminer",
			"tools": [
				"Imecab",
				"LaZagne",
				"Mimikatz",
				"PhpSpy",
				"Sorgu"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434544,
	"ts_updated_at": 1775792065,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f9cebac8a80c56397589f33889341609ac54e89.pdf",
		"text": "https://archive.orkl.eu/9f9cebac8a80c56397589f33889341609ac54e89.txt",
		"img": "https://archive.orkl.eu/9f9cebac8a80c56397589f33889341609ac54e89.jpg"
	}
}