{
	"id": "b60c00cf-b519-4b88-af78-d0c739ccf34f",
	"created_at": "2026-04-06T00:15:22.140115Z",
	"updated_at": "2026-04-10T03:34:57.3352Z",
	"deleted_at": null,
	"sha1_hash": "be971067d4c75976359398da576ecd454c76aea6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50151,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:54:15 UTC\n Tool: Ebury\nNames Ebury\nCategory Malware\nType Backdoor, Credential stealer, Botnet\nDescription (ESET) An OpenSSH backdoor used to keep control of the servers and steal credentials.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 18 June 2024\nDownload this tool card in JSON format\nAll groups using tool Ebury\nChanged Name Country Observed\nOther groups\n Operation Windigo 2011-Mar 2017\n1 group listed (0 APT, 1 other, 0 unknown)\n↑\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6e2c66f6-347d-427f-929e-425e298bb480\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6e2c66f6-347d-427f-929e-425e298bb480\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6e2c66f6-347d-427f-929e-425e298bb480\r\nPage 2 of 2\n\nOther groups Operation Windigo 2011-Mar 2017 \n1 group listed (0 APT, 1 other, 0 unknown) \n↑   \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6e2c66f6-347d-427f-929e-425e298bb480"
	],
	"report_names": [
		"listgroups.cgi?u=6e2c66f6-347d-427f-929e-425e298bb480"
	],
	"threat_actors": [
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d",
			"created_at": "2022-10-25T16:07:24.526179Z",
			"updated_at": "2026-04-10T02:00:05.023222Z",
			"deleted_at": null,
			"main_name": "Operation Windigo",
			"aliases": [
				"G0124"
			],
			"source_name": "ETDA:Operation Windigo",
			"tools": [
				"CDorked",
				"CDorked.A",
				"Calfbot",
				"Ebury"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be971067d4c75976359398da576ecd454c76aea6.pdf",
		"text": "https://archive.orkl.eu/be971067d4c75976359398da576ecd454c76aea6.txt",
		"img": "https://archive.orkl.eu/be971067d4c75976359398da576ecd454c76aea6.jpg"
	}
}