{
	"id": "06b1131b-bcc6-43c0-8f91-09a3025ad74f",
	"created_at": "2026-04-06T00:07:40.556306Z",
	"updated_at": "2026-04-10T13:11:27.383599Z",
	"deleted_at": null,
	"sha1_hash": "a487aa1df6926f3a7c947eef089c9d9195ffb0df",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50075,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:11:21 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BUBBLEWRAP\nTool: BUBBLEWRAP\nNames: BUBBLEWRAP, Backdoor.APT.FakeWinHTTPHelper\nCategory: Malware\nType: Reconnaissance, Backdoor\nDescription:\n(FireEye) BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.\nInformation: MITRE ATT\u0026CK, Malpedia\nLast change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool BUBBLEWRAP\nChanged Name Country Observed\nAPT groups\n Temper Panda, admin@338 2014\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=afe305f3-ba57-4b16-a33a-e679e5853383\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=afe305f3-ba57-4b16-a33a-e679e5853383\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=afe305f3-ba57-4b16-a33a-e679e5853383"
	],
	"report_names": [
		"listgroups.cgi?u=afe305f3-ba57-4b16-a33a-e679e5853383"
	],
	"threat_actors": [
		{
			"id": "9d6f666e-3a9d-4a09-bcac-8aee96572827",
			"created_at": "2022-10-25T15:50:23.2832Z",
			"updated_at": "2026-04-10T02:00:05.268714Z",
			"deleted_at": null,
			"main_name": "admin@338",
			"aliases": [
				"admin@338"
			],
			"source_name": "MITRE:admin@338",
			"tools": [
				"BUBBLEWRAP",
				"LOWBALL",
				"Systeminfo",
				"PoisonIvy",
				"netstat",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1f29d13d-268d-4c26-ac4a-1ce8cebdbd3a",
			"created_at": "2023-01-06T13:46:38.351187Z",
			"updated_at": "2026-04-10T02:00:02.938577Z",
			"deleted_at": null,
			"main_name": "TEMPER PANDA",
			"aliases": [
				"Admin338",
				"Team338",
				"admin@338",
				"G0018"
			],
			"source_name": "MISPGALAXY:TEMPER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c23ca3e9-6b58-4f24-b4eb-ce3b24815ac4",
			"created_at": "2022-10-25T16:07:24.313367Z",
			"updated_at": "2026-04-10T02:00:04.932247Z",
			"deleted_at": null,
			"main_name": "Temper Panda",
			"aliases": [
				"G0018",
				"Team338",
				"Temper Panda",
				"admin@338"
			],
			"source_name": "ETDA:Temper Panda",
			"tools": [
				"BUBBLEWRAP",
				"Backdoor.APT.FakeWinHTTPHelper",
				"Bozok",
				"Bozok RAT",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"LOLBAS",
				"LOLBins",
				"LOWBALL",
				"Living off the Land",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434060,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a487aa1df6926f3a7c947eef089c9d9195ffb0df.pdf",
		"text": "https://archive.orkl.eu/a487aa1df6926f3a7c947eef089c9d9195ffb0df.txt",
		"img": "https://archive.orkl.eu/a487aa1df6926f3a7c947eef089c9d9195ffb0df.jpg"
	}
}