{ "id": "d77a40ea-788b-4ede-8316-31dd47848ab5", "created_at": "2026-04-06T01:31:02.339848Z", "updated_at": "2026-04-10T03:31:57.101277Z", "deleted_at": null, "sha1_hash": "c4f67754e2eebdb538d25e7f661c89f6151845a5", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46784, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:08:04 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool agfSpy\r\n Tool: agfSpy\r\nNames agfSpy\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\nThe agfSpy backdoor retrieves configuration and commands from its C\u0026C server. These\r\ncommands allow the backdoor to execute shell commands and send the execution results back\r\nto the server. It also enumerates directories and can list, upload, download, and execute files,\r\namong other functions. The capabilities of agfSpy are very similar to dneSpy, except each\r\nbackdoor uses a different C\u0026C server and various formats in message exchanges.\r\nInformation \u003chttps://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy\u003e\r\nLast change to this tool card: 29 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool agfSpy\r\nChanged Name Country Observed\r\nAPT groups\r\n  Operation Earth Kitsune 2019-Late 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=20206555-8dd2-4fbe-b878-7edba075b872\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=20206555-8dd2-4fbe-b878-7edba075b872\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=20206555-8dd2-4fbe-b878-7edba075b872" ], "report_names": [ "listgroups.cgi?u=20206555-8dd2-4fbe-b878-7edba075b872" ], "threat_actors": [ { "id": "6158a31d-091c-4a5a-a82b-938e3d0b0e87", "created_at": "2023-11-17T02:00:07.61151Z", "updated_at": "2026-04-10T02:00:03.459947Z", "deleted_at": null, "main_name": "Earth Kitsune", "aliases": [], "source_name": "MISPGALAXY:Earth Kitsune", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3f6650a3-9f50-47c4-bd7a-008b63bde191", "created_at": "2022-10-25T16:07:23.949232Z", "updated_at": "2026-04-10T02:00:04.803815Z", "deleted_at": null, "main_name": "Operation Earth Kitsune", "aliases": [], "source_name": "ETDA:Operation Earth Kitsune", "tools": [ "SLUB", "WhiskerSpy", "agfSpy", "dneSpy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439062, "ts_updated_at": 1775791917, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c4f67754e2eebdb538d25e7f661c89f6151845a5.pdf", "text": "https://archive.orkl.eu/c4f67754e2eebdb538d25e7f661c89f6151845a5.txt", "img": "https://archive.orkl.eu/c4f67754e2eebdb538d25e7f661c89f6151845a5.jpg" } }