{
	"id": "33c10276-f707-43f7-b1fa-265626556cf7",
	"created_at": "2026-04-06T00:13:24.190546Z",
	"updated_at": "2026-04-10T03:33:16.347602Z",
	"deleted_at": null,
	"sha1_hash": "a5af43bea91f5526a5cccb4258bee65abfdeea40",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50447,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:14:27 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Ninja\n Tool: Ninja\nNames Ninja\nCategory Malware\nType Reconnaissance, Backdoor, Loader, Tunneling\nDescription\n(Kaspersky) Based on the code logic, it appears that Ninja is a collaborative tool\nallowing multiple operators to work on the same machine simultaneously. It provides a\nlarge set of commands, which allow the attackers to control remote systems, avoid\ndetection and penetrate deep inside a targeted network. Some capabilities are similar to\nthose provided in other notorious post-exploitation toolkits. For example, Ninja has a\nfeature like Cobalt Strike pivot listeners, which can limit the number of direct\nconnections from the targeted network to the remote C2 and control systems without\ninternet access. It also provides the ability to control the HTTP indicators and\ncamouflage malicious traffic in HTTP requests that appear legitimate by modifying\nHTTP header and URL paths. This feature provides functionality that reminds us of the\nCobalt Strike Malleable C2 profile.\nInformation MITRE ATT\u0026CK Last change to this tool card: 19 June 2024\nDownload this tool card in JSON format\nAll groups using tool Ninja\nChanged Name Country Observed\nAPT groups\n ToddyCat 2020-2024\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e92858ba-2397-47a2-8861-a72cecfbb672\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e92858ba-2397-47a2-8861-a72cecfbb672\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e92858ba-2397-47a2-8861-a72cecfbb672\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e92858ba-2397-47a2-8861-a72cecfbb672"
	],
	"report_names": [
		"listgroups.cgi?u=e92858ba-2397-47a2-8861-a72cecfbb672"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d67df52c-a901-4d55-b287-321818500789",
			"created_at": "2024-04-24T02:00:49.591518Z",
			"updated_at": "2026-04-10T02:00:05.314272Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"ToddyCat"
			],
			"source_name": "MITRE:ToddyCat",
			"tools": [
				"Cobalt Strike",
				"LoFiSe",
				"China Chopper",
				"netstat",
				"Pcexter",
				"Samurai"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5",
			"created_at": "2022-10-25T16:07:24.329539Z",
			"updated_at": "2026-04-10T02:00:04.939013Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Operation Stayin’ Alive",
				"Storm-0247"
			],
			"source_name": "ETDA:ToddyCat",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Cuthead",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"Krong",
				"LoFiSe",
				"Ngrok",
				"PcExter",
				"PsExec",
				"SIMPOBOXSPY",
				"Samurai",
				"SinoChopper",
				"SoftEther VPN",
				"TomBerBil",
				"WAExp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5af43bea91f5526a5cccb4258bee65abfdeea40.pdf",
		"text": "https://archive.orkl.eu/a5af43bea91f5526a5cccb4258bee65abfdeea40.txt",
		"img": "https://archive.orkl.eu/a5af43bea91f5526a5cccb4258bee65abfdeea40.jpg"
	}
}