{
	"id": "db7470d8-5bf7-4073-954c-2a4c80fe6c2a",
	"created_at": "2026-04-06T00:09:22.557671Z",
	"updated_at": "2026-04-10T03:38:10.018123Z",
	"deleted_at": null,
	"sha1_hash": "c62fb79679c972655dffac0d66ae41100f3d70aa",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56528,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:14:02 UTC\nTool: WebC2\nNames\nWebC2\nWebC2-AdSpace\nWebC2-Ausov\nWebC2-Bolid\nWebC2-Cson\nWebC2-DIV\nWebC2-GreenCat\nWebC2-Head\nWebC2-Kt3\nWebC2-Qbp\nWebC2-Rave\nWebC2-Table\nWebC2-UGX\nWebC2-Yahoo\nCategory Malware\nType Backdoor, Downloader\nDescription\nA WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is capable of downloading and executing a file. All variants represented here are the same file with different MD5 signatures. This malware attempts to contact its C2 once a week (Thursday at 10:00 AM). It looks for commands inside a set of HTML tags, part of which are in the File Strings indicator term below.\nInformation\nMITRE ATT\u0026CK Malpedia\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson\u003e\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div\u003e\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat\u003e\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head\u003e\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3\u003e\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp\u003e\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave\u003e\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table\u003e\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx\u003e\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo\u003e\nLast change to this tool card: 23 April 2020\nAll groups using tool WebC2\nChanged Name Country Observed\nAPT groups\nComment Crew, APT 1 2006-May 2018\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a1e54b72-3eed-49ae-852c-9621bdde6be3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a1e54b72-3eed-49ae-852c-9621bdde6be3"
	],
	"report_names": [
		"listgroups.cgi?u=a1e54b72-3eed-49ae-852c-9621bdde6be3"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775792290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c62fb79679c972655dffac0d66ae41100f3d70aa.pdf",
		"text": "https://archive.orkl.eu/c62fb79679c972655dffac0d66ae41100f3d70aa.txt",
		"img": "https://archive.orkl.eu/c62fb79679c972655dffac0d66ae41100f3d70aa.jpg"
	}
}