{ "id": "8004d2a1-b992-406d-8385-7338082cd891", "created_at": "2026-04-06T00:18:23.980448Z", "updated_at": "2026-04-10T03:30:41.797109Z", "deleted_at": null, "sha1_hash": "b31140a722e9577dc5769ff7bf6cbd110bc9d4fd", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50320, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:40:46 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool xPack\r\n Tool: xPack\r\nNames\r\nxPack\r\nNERAPACK\r\nCategory Malware\r\nType Backdoor, Remote command, Exfiltration\r\nDescription\r\n(Symantec) The backdoor allowed the attackers to run WMI commands remotely, while there\r\nis also evidence that they leveraged EternalBlue exploits in the backdoor. The attackers\r\nappeared to have the ability to interact with SMB shares, and it's possible that they used\r\nmounted shares over SMB to transfer files from attacker-controlled infrastructure. There is\r\nalso evidence that the attackers were able to browse the web through the backdoor, likely using\r\nit as a proxy to mask their IP address.\r\nInformation\r\n\u003chttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.xpack\u003e\r\nLast change to this tool card: 28 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool xPack\r\nChanged Name Country Observed\r\nAPT groups\r\n  Antlion 2011  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=499c6ccf-8841-4343-92fe-fa4b37a6fc49\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=499c6ccf-8841-4343-92fe-fa4b37a6fc49\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=499c6ccf-8841-4343-92fe-fa4b37a6fc49\r\nPage 2 of 2\n\nAPT groups Antlion 2011 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=499c6ccf-8841-4343-92fe-fa4b37a6fc49" ], "report_names": [ "listgroups.cgi?u=499c6ccf-8841-4343-92fe-fa4b37a6fc49" ], "threat_actors": [ { "id": "6360ea44-b90d-435c-b3cd-9724751b8294", "created_at": "2023-01-06T13:46:39.304451Z", "updated_at": "2026-04-10T02:00:03.281303Z", "deleted_at": null, "main_name": "Antlion", "aliases": [], "source_name": "MISPGALAXY:Antlion", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6ad5ab33-9a45-43d3-b0e4-70b7f9d836f8", "created_at": "2022-10-25T16:07:23.309518Z", "updated_at": "2026-04-10T02:00:04.535597Z", "deleted_at": null, "main_name": "Antlion", "aliases": [], "source_name": "ETDA:Antlion", "tools": [ "CheckID", "EHAGBPSL", "EHAGBPSL Loader", "ENCODE MMC", "JpgRun", "JpgRun Loader", "LOLBAS", "LOLBins", "Living off the Land", "NERAPACK", "NetSessionEnum", "ProcDump", "PsExec", "WinRAR", "xPack" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434703, "ts_updated_at": 1775791841, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b31140a722e9577dc5769ff7bf6cbd110bc9d4fd.pdf", "text": "https://archive.orkl.eu/b31140a722e9577dc5769ff7bf6cbd110bc9d4fd.txt", "img": "https://archive.orkl.eu/b31140a722e9577dc5769ff7bf6cbd110bc9d4fd.jpg" } }