{
	"id": "021d58b7-c2b7-42a3-bc5f-7a89897bc668",
	"created_at": "2026-04-06T00:19:09.307328Z",
	"updated_at": "2026-04-10T13:12:57.039566Z",
	"deleted_at": null,
	"sha1_hash": "aa105a3817644f3b6ad499f177618ceb98c6a3de",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48955,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:40:50 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BRICKSTORM\r\n Tool: BRICKSTORM\r\nNames BRICKSTORM\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(NVISO) BRICKSTORM provides attackers with file manager and network tunneling\r\ncapabilities. As a notable difference to Mandiant’s BRICKSTORM report, the Windows\r\nsamples discussed here are not equipped with command execution capabilities. Instead,\r\nadversaries have been observed using network tunneling capabilities in combination with valid\r\ncredentials to abuse well-known protocols such as RDP or SMB, thus achieving similar\r\ncommand execution.\r\nInformation \u003chttps://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf\u003e\r\nLast change to this tool card: 21 April 2025\r\nDownload this tool card in JSON format\r\nAll groups using tool BRICKSTORM\r\nChanged Name Country Observed\r\nAPT groups\r\n  UNC5221, UTA0178 2022-Mar 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2ff0480c-1ac8-4d42-83a7-3576948e3cbd\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2ff0480c-1ac8-4d42-83a7-3576948e3cbd\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2ff0480c-1ac8-4d42-83a7-3576948e3cbd"
	],
	"report_names": [
		"listgroups.cgi?u=2ff0480c-1ac8-4d42-83a7-3576948e3cbd"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa105a3817644f3b6ad499f177618ceb98c6a3de.pdf",
		"text": "https://archive.orkl.eu/aa105a3817644f3b6ad499f177618ceb98c6a3de.txt",
		"img": "https://archive.orkl.eu/aa105a3817644f3b6ad499f177618ceb98c6a3de.jpg"
	}
}