{
	"id": "c1f5d4da-f27b-49f7-8628-26d65d0b6b8f",
	"created_at": "2026-04-06T00:07:02.113255Z",
	"updated_at": "2026-04-10T03:30:01.849186Z",
	"deleted_at": null,
	"sha1_hash": "ab3bdaf7bcc12df53f26bf978f7ce818156e0b9f",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53407,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:12:48 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Killua\n Tool: Killua\nNames Killua\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) The otc.dll file is a tool named Killua that is a simple backdoor that allows an actor\nto issue commands from a C2 server to run on the infected system by communicating back and\nforth using DNS tunneling. Based on string comparisons, we believe with high confidence that\nthe same developer created both the Killua and Hisoka tools.\nInformation\nLast change to this tool card: 29 April 2020\nDownload this tool card in JSON format\nAll groups using tool Killua\nChanged Name Country Observed\nAPT groups\n xHunt 2018-Aug 2019\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6d31fd01-df9b-4aaf-b8ae-0212f41c3543\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6d31fd01-df9b-4aaf-b8ae-0212f41c3543\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6d31fd01-df9b-4aaf-b8ae-0212f41c3543"
	],
	"report_names": [
		"listgroups.cgi?u=6d31fd01-df9b-4aaf-b8ae-0212f41c3543"
	],
	"threat_actors": [
		{
			"id": "20bc5b83-9ea0-4e60-a23e-19bf203dc9fb",
			"created_at": "2022-10-25T16:07:24.432777Z",
			"updated_at": "2026-04-10T02:00:04.986077Z",
			"deleted_at": null,
			"main_name": "xHunt",
			"aliases": [
				"Cobalt Katana",
				"Hive0081",
				"Hunter Serpens",
				"SectorD01"
			],
			"source_name": "ETDA:xHunt",
			"tools": [
				"CASHY200",
				"COLDTRAIN",
				"Gon",
				"Hisoka",
				"Killua",
				"Netero",
				"SHELLSTING",
				"Sakabota",
				"Snugy",
				"TriFive"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434022,
	"ts_updated_at": 1775791801,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab3bdaf7bcc12df53f26bf978f7ce818156e0b9f.pdf",
		"text": "https://archive.orkl.eu/ab3bdaf7bcc12df53f26bf978f7ce818156e0b9f.txt",
		"img": "https://archive.orkl.eu/ab3bdaf7bcc12df53f26bf978f7ce818156e0b9f.jpg"
	}
}