{
	"id": "656da28e-4085-4f6e-b8d9-e5dba923346e",
	"created_at": "2026-04-06T01:30:51.906302Z",
	"updated_at": "2026-04-10T13:11:25.897759Z",
	"deleted_at": null,
	"sha1_hash": "c35f6206710721bcc901166858cb16392ae0d169",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48742,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:19:26 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Gelsemine\n Tool: Gelsemine\nNames Gelsemine\nCategory Malware\nType Dropper\nDescription\n(ESET) Gelsemium’s first stage is a large dropper written in C++ using the Microsoft\nFoundation Class library (MFC). This stage contains multiple further stages’ binaries.\nDropper sizes range from about 400 kB to 700 kB, which is unusual and would be even\nlarger if the eight embedded executables were not compressed. The developers use the\nzlib library, statically linked, to greatly reduce the overall size.\nInformation MITRE ATT\u0026CK Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Gelsemine\nChanged Name Country Observed\nAPT groups\n Gelsemium 2014-2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=779f6a01-4381-472a-9ac3-4e3ec8270d75\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=779f6a01-4381-472a-9ac3-4e3ec8270d75\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=779f6a01-4381-472a-9ac3-4e3ec8270d75"
	],
	"report_names": [
		"listgroups.cgi?u=779f6a01-4381-472a-9ac3-4e3ec8270d75"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439051,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c35f6206710721bcc901166858cb16392ae0d169.pdf",
		"text": "https://archive.orkl.eu/c35f6206710721bcc901166858cb16392ae0d169.txt",
		"img": "https://archive.orkl.eu/c35f6206710721bcc901166858cb16392ae0d169.jpg"
	}
}