{ "id": "48ad0e3c-f963-452b-aadc-36a9c49f8cec", "created_at": "2026-04-06T00:19:50.779581Z", "updated_at": "2026-04-10T03:37:40.871657Z", "deleted_at": null, "sha1_hash": "b6c222ebf5c9a32b934d981df7af8cd0f219da6b", "title": "Network Password Recovery - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50019, "plain_text": "Network Password Recovery - Threat Group Cards: A Threat\r\nActor Encyclopedia\r\nArchived: 2026-04-05 19:42:17 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Network Password Recovery\r\n Tool: Network Password Recovery\r\nNames Network Password Recovery\r\nCategory Tools\r\nType Credential stealer\r\nDescription\r\nWhen you connect to a network share on your LAN or to your .NET Passport account,\r\nWindows allows you to save your password in order to use it in each time that you connect the\r\nremote server. This utility recovers all network passwords stored on your system for the\r\ncurrent logged-on user. It can also recover the passwords stored in Credentials file of external\r\ndrive, as long as you know the last log-on password.\r\nInformation \u003chttps://www.nirsoft.net/utils/network_password_recovery.html\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Network Password Recovery\r\nChanged Name Country Observed\r\nAPT groups\r\n  Kimsuky, Velvet Chollima 2012-Aug 2025\r\n  Traveling Spider [Unknown] 2019-Mar 2021  \r\n  XDSpy [Unknown] 2011-Jul 2024  \r\n3 groups listed (3 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84415af1-cc63-4639-aad5-4935751e3e25\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84415af1-cc63-4639-aad5-4935751e3e25\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84415af1-cc63-4639-aad5-4935751e3e25\r\nPage 2 of 2\n\n Traveling XDSpy Spider [Unknown] [Unknown] 2019-Mar 2011-Jul 2021 2024\n3 groups listed (3 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84415af1-cc63-4639-aad5-4935751e3e25" ], "report_names": [ "listgroups.cgi?u=84415af1-cc63-4639-aad5-4935751e3e25" ], "threat_actors": [ { "id": "8b7faa58-947b-4530-ab1f-250a0370aabf", "created_at": "2022-10-25T16:07:24.34248Z", "updated_at": "2026-04-10T02:00:04.945921Z", "deleted_at": null, "main_name": "Traveling Spider", "aliases": [ "Gold Mansard" ], "source_name": "ETDA:Traveling Spider", "tools": [ "7-Zip", "AdFind", "LaZagne", "MEGAsync", "Mimikatz", "Nefilim", "Nemty", "Nephilim", "Network Password Recovery", "PsExec", "smbtool" ], "source_id": "ETDA", "reports": null }, { "id": "69cba9ab-de35-4103-a699-7d243bcfd196", "created_at": "2023-01-06T13:46:39.159472Z", "updated_at": "2026-04-10T02:00:03.233731Z", "deleted_at": null, "main_name": "XDSpy", "aliases": [], "source_name": "MISPGALAXY:XDSpy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1c76f1b6-a05b-4dba-82ea-07011b47c6cd", "created_at": "2023-01-06T13:46:39.201507Z", "updated_at": "2026-04-10T02:00:03.244851Z", "deleted_at": null, "main_name": "TRAVELING SPIDER", "aliases": [], "source_name": "MISPGALAXY:TRAVELING SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "d69b3831-de95-42c9-b4b6-26232627206f", "created_at": "2022-10-25T16:07:24.429466Z", "updated_at": "2026-04-10T02:00:04.985102Z", "deleted_at": null, "main_name": "XDSpy", "aliases": [], "source_name": "ETDA:XDSpy", "tools": [ "ChromePass", "IE PassView", "MailPassView", "Network Password Recovery", "OperaPassView", "PasswordFox", "Protected Storage PassView", "XDDown", "XDList", "XDLoc", "XDMonitor", "XDPass", "XDRecon", "XDUpload" ], "source_id": "ETDA", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434790, "ts_updated_at": 1775792260, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b6c222ebf5c9a32b934d981df7af8cd0f219da6b.pdf", "text": "https://archive.orkl.eu/b6c222ebf5c9a32b934d981df7af8cd0f219da6b.txt", "img": "https://archive.orkl.eu/b6c222ebf5c9a32b934d981df7af8cd0f219da6b.jpg" } }