{
	"id": "3cb8ae8d-ca36-4404-8109-662d7da33e22",
	"created_at": "2026-04-06T00:09:12.949111Z",
	"updated_at": "2026-04-10T13:12:15.213839Z",
	"deleted_at": null,
	"sha1_hash": "b812a81071269c3b0834323d800223d70e6a9959",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51049,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:52:40 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool WARP\r\n Tool: WARP\r\nNames WARP\r\nCategory Malware\r\nType Reconnaissance, Backdoor\r\nDescription\r\nThe WARP malware family is an HTTP based backdoor written in C++, and the majority of its\r\ncode base is borrowed from source code available in the public domain. Network\r\ncommunications are implemented using the same WWW client library (w3c.cpp) available\r\nfrom www.dankrusi.com/file_69653F3336383837.html. The malware has system survey\r\nfunctionality (collects hostname, current user, system uptime, CPU speed, etc.) taken directly\r\nfrom the BO2K backdoor available from www.bo2k.com. It also contains the hard disk\r\nidentification code found at www.winsim.com/diskid32/diskid32.cpp. When the WARP\r\nexecuting remote commands, the malware creates a copy of the '\r\n%SYSTEMROOT%\\system32\\cmd.exe' file as '%USERPROFILE%\\Temp\\~ISUN32.EXE'.\r\nThe version signature information of the duplicate executable is zeroed out. Some WARP\r\nvariants maintain persistence through the use of DLL search order hijacking.\r\nInformation \u003chttp://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool WARP\r\nChanged Name Country Observed\r\nAPT groups\r\n  Comment Crew, APT 1 2006-May 2018\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7d3f89d6-21b4-46aa-bf98-945ceda5a847\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7d3f89d6-21b4-46aa-bf98-945ceda5a847\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7d3f89d6-21b4-46aa-bf98-945ceda5a847\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7d3f89d6-21b4-46aa-bf98-945ceda5a847"
	],
	"report_names": [
		"listgroups.cgi?u=7d3f89d6-21b4-46aa-bf98-945ceda5a847"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434152,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b812a81071269c3b0834323d800223d70e6a9959.pdf",
		"text": "https://archive.orkl.eu/b812a81071269c3b0834323d800223d70e6a9959.txt",
		"img": "https://archive.orkl.eu/b812a81071269c3b0834323d800223d70e6a9959.jpg"
	}
}