{
	"id": "6efa64f2-dea6-4065-adcd-2eb79888b08d",
	"created_at": "2026-04-06T00:06:11.053445Z",
	"updated_at": "2026-04-10T03:31:32.805242Z",
	"deleted_at": null,
	"sha1_hash": "ac8eb0b15b3a80e12fd73937be0b07fdcd2c769b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50197,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:05:59 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SharPyShell\r\n Tool: SharPyShell\r\nNames SharPyShell\r\nCategory Malware\r\nType Backdoor, Downloader\r\nDescription\r\n(ClearSky) An obfuscated ASP.NET WebShell that executes commands received over an\r\nencrypted channel, compiling them in memory at runtime, and deploys a privilege escalation\r\ntool.\r\nThis WebShell enables the attackers to download a ‘JuicyPotato’ file to the compromised\r\nmachine so as to obtain extended privileges.\r\nInformation \u003chttps://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf\u003e\r\nLast change to this tool card: 19 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool SharPyShell\r\nChanged Name Country Observed\r\nAPT groups\r\n  Volatile Cedar 2012-Early 2020  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ebf035b2-ad91-4908-99ee-4a29b7c40bd4\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ebf035b2-ad91-4908-99ee-4a29b7c40bd4\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ebf035b2-ad91-4908-99ee-4a29b7c40bd4"
	],
	"report_names": [
		"listgroups.cgi?u=ebf035b2-ad91-4908-99ee-4a29b7c40bd4"
	],
	"threat_actors": [
		{
			"id": "bc5c22a8-29eb-4a87-acd6-4817060e80f2",
			"created_at": "2022-10-25T15:50:23.658256Z",
			"updated_at": "2026-04-10T02:00:05.38013Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Volatile Cedar",
				"Lebanese Cedar"
			],
			"source_name": "MITRE:Volatile Cedar",
			"tools": [
				"Caterpillar WebShell"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b152bc-6f7e-463c-8b4c-a4844caea6df",
			"created_at": "2023-01-06T13:46:38.498795Z",
			"updated_at": "2026-04-10T02:00:03.000373Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Lebanese Cedar",
				"DeftTorero"
			],
			"source_name": "MISPGALAXY:Volatile Cedar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433971,
	"ts_updated_at": 1775791892,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac8eb0b15b3a80e12fd73937be0b07fdcd2c769b.pdf",
		"text": "https://archive.orkl.eu/ac8eb0b15b3a80e12fd73937be0b07fdcd2c769b.txt",
		"img": "https://archive.orkl.eu/ac8eb0b15b3a80e12fd73937be0b07fdcd2c769b.jpg"
	}
}