{
	"id": "56ab508f-7530-4b20-a662-092e72258191",
	"created_at": "2026-04-06T00:09:22.662705Z",
	"updated_at": "2026-04-10T03:24:34.011607Z",
	"deleted_at": null,
	"sha1_hash": "ae37d4a73d8b95010320d8ad58bea78379a45e18",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51013,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:39:01 UTC\r\nTool: ZIPLINE\r\nNames: ZIPLINE\r\nCategory: Malware\r\nType: Backdoor\r\nDescription\r\n(Mandiant) ZIPLINE is a passive backdoor that hijacks an exported function, accept(), from the file libsecure.so. When ZIPLINE invokes the hijacked accept() function, it first resolves the benign accept() from libc, to intercept network traffic. Once an incoming connection is registered, it is first processed by the benign libc_accept, and ZIPLINE then checks if the process name is “web”. The malware retrieves up to 21 bytes from the connected host, verifying if the received buffer corresponds to the string “SSH-2.0-OpenSSH_0.3xx.” If so, the malicious functionality of ZIPLINE is triggered. ZIPLINE will then receive an encrypted header which specifies the command to be executed. Further details about this hijacking technique for the accept() function can be found in this SecureIdeas post.\r\nInformation: \u003chttps://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day\u003e\r\nMITRE ATT\u0026CK: \u003chttps://attack.mitre.org/software/S1114\u003e\r\nLast change to this tool card: 19 June 2024\r\nAll groups using tool ZIPLINE\r\nChanged | Name | Country | Observed\r\nAPT groups\r\n | UNC5221, UTA0178 | | 2022-Mar 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0d86ae8d-ba7a-4d4e-b182-08cd539bf78a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0d86ae8d-ba7a-4d4e-b182-08cd539bf78a"
	],
	"report_names": [
		"listgroups.cgi?u=0d86ae8d-ba7a-4d4e-b182-08cd539bf78a"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775791474,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae37d4a73d8b95010320d8ad58bea78379a45e18.pdf",
		"text": "https://archive.orkl.eu/ae37d4a73d8b95010320d8ad58bea78379a45e18.txt",
		"img": "https://archive.orkl.eu/ae37d4a73d8b95010320d8ad58bea78379a45e18.jpg"
	}
}