{
	"id": "3a16bf8c-508f-444e-88af-040540dde90e",
	"created_at": "2026-04-06T15:53:52.101888Z",
	"updated_at": "2026-04-10T13:11:19.413327Z",
	"deleted_at": null,
	"sha1_hash": "a2522ccd45877c39f09735e595935cdca04fc535",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49076,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 15:47:58 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BlackMould\nTool: BlackMould\nNames: BlackMould\nCategory: Malware\nType: Backdoor\nDescription\n(Microsoft) In addition to standard China Chopper, GALLIUM has been observed using\na native web shell for servers running Microsoft IIS that is based on the China Chopper\nweb shell; Microsoft has called this “BlackMould.”\nInformation\nMITRE ATT\u0026CK\nLast change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool BlackMould\nChanged Name Country Observed\nAPT groups\nGallium (observed 2018-Jun 2022)\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=edfd17d0-0e3b-416f-b030-f8f62c833336\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=edfd17d0-0e3b-416f-b030-f8f62c833336\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=edfd17d0-0e3b-416f-b030-f8f62c833336"
	],
	"report_names": [
		"listgroups.cgi?u=edfd17d0-0e3b-416f-b030-f8f62c833336"
	],
	"threat_actors": [
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775490832,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2522ccd45877c39f09735e595935cdca04fc535.pdf",
		"text": "https://archive.orkl.eu/a2522ccd45877c39f09735e595935cdca04fc535.txt",
		"img": "https://archive.orkl.eu/a2522ccd45877c39f09735e595935cdca04fc535.jpg"
	}
}