{
	"id": "af02c224-b13a-4880-b321-dcb1854ae5d2",
	"created_at": "2026-04-06T00:18:33.427332Z",
	"updated_at": "2026-04-10T03:37:19.272069Z",
	"deleted_at": null,
	"sha1_hash": "bfe157db1335932d15028acf1158e59347f0079d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48735,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:39:22 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ChromePass\n Tool: ChromePass\nNames ChromePass\nCategory Malware\nType Credential stealer\nDescription\n(Kaspersky) Proprietary tool that steals saved passwords from Chromium-based browser\ndatabases. The output of the parsed database is an HTML document containing a table\nwith URLs and their corresponding stolen username and password information.\nInformation AlienVault OTX Last change to this tool card: 13 June 2020\nDownload this tool card in JSON format\nAll groups using tool ChromePass\nChanged Name Country Observed\nAPT groups\n Goblin Panda, Cycldek, Conimes 2013-Jun 2020\n XDSpy [Unknown] 2011-Jul 2024\n2 groups listed (2 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=127cb9e7-d520-43d4-b663-57de50a8e2ae\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=127cb9e7-d520-43d4-b663-57de50a8e2ae\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=127cb9e7-d520-43d4-b663-57de50a8e2ae"
	],
	"report_names": [
		"listgroups.cgi?u=127cb9e7-d520-43d4-b663-57de50a8e2ae"
	],
	"threat_actors": [
		{
			"id": "69cba9ab-de35-4103-a699-7d243bcfd196",
			"created_at": "2023-01-06T13:46:39.159472Z",
			"updated_at": "2026-04-10T02:00:03.233731Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "MISPGALAXY:XDSpy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d69b3831-de95-42c9-b4b6-26232627206f",
			"created_at": "2022-10-25T16:07:24.429466Z",
			"updated_at": "2026-04-10T02:00:04.985102Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "ETDA:XDSpy",
			"tools": [
				"ChromePass",
				"IE PassView",
				"MailPassView",
				"Network Password Recovery",
				"OperaPassView",
				"PasswordFox",
				"Protected Storage PassView",
				"XDDown",
				"XDList",
				"XDLoc",
				"XDMonitor",
				"XDPass",
				"XDRecon",
				"XDUpload"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfe157db1335932d15028acf1158e59347f0079d.pdf",
		"text": "https://archive.orkl.eu/bfe157db1335932d15028acf1158e59347f0079d.txt",
		"img": "https://archive.orkl.eu/bfe157db1335932d15028acf1158e59347f0079d.jpg"
	}
}