{
	"id": "c8ee92f2-0388-4727-8635-6c372bf1e624",
	"created_at": "2026-04-06T00:19:40.693674Z",
	"updated_at": "2026-04-10T03:24:30.661309Z",
	"deleted_at": null,
	"sha1_hash": "c5a9db371145fa66f151910f2ca7bfbf718280bf",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43253,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:05:07 UTC\n APT group: WIP26\nNames WIP26 (SentinelLabs)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2022\nDescription\n(SentinelLabs) In collaboration with QGroup GmbH, SentinelLabs is monitoring a threat\nactivity we track as WIP26. The threat actor behind WIP26 has been targeting\ntelecommunication providers in the Middle East. WIP26 is characterized by the abuse of\npublic Cloud infrastructure – Microsoft 365 Mail, Microsoft Azure, Google Firebase, and\nDropbox – for malware delivery, data exfiltration, and C2 purposes.\nThe WIP26 activity is initiated by precision targeting of employees through WhatsApp\nmessages that contain Dropbox links to a malware loader. Tricking employees into\ndownloading and executing the loader ultimately leads to the deployment of backdoors that\nleverage Microsoft 365 Mail and Google Firebase instances as C2 servers. We refer to these\nbackdoors as CMD365 and CMDEmber, respectively. The main functionality of CMD365 and\nCMDEmber is to execute attacker-provided system commands using the Windows command\ninterpreter.\nObserved\nSectors: Telecommunications.\nCountries: Middle East.\nTools used CMD365, CMDEmber.\nInformation\nLast change to this card: 17 February 2023\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3561e787-a13e-4191-83c1-86d37fb63412\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3561e787-a13e-4191-83c1-86d37fb63412\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3561e787-a13e-4191-83c1-86d37fb63412"
	],
	"report_names": [
		"showcard.cgi?u=3561e787-a13e-4191-83c1-86d37fb63412"
	],
	"threat_actors": [
		{
			"id": "521f07f0-a313-4ce7-9a1c-3c81b74e82d9",
			"created_at": "2023-02-18T02:04:24.772216Z",
			"updated_at": "2026-04-10T02:00:04.981398Z",
			"deleted_at": null,
			"main_name": "WIP26",
			"aliases": [],
			"source_name": "ETDA:WIP26",
			"tools": [
				"CMD365",
				"CMDEmber"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434780,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5a9db371145fa66f151910f2ca7bfbf718280bf.pdf",
		"text": "https://archive.orkl.eu/c5a9db371145fa66f151910f2ca7bfbf718280bf.txt",
		"img": "https://archive.orkl.eu/c5a9db371145fa66f151910f2ca7bfbf718280bf.jpg"
	}
}