{
	"id": "b9d53014-d7f7-4f45-89b3-df0db02e7a5e",
	"created_at": "2026-04-06T00:21:29.357526Z",
	"updated_at": "2026-04-10T13:11:26.491479Z",
	"deleted_at": null,
	"sha1_hash": "ca86e4a46722e4099a8ebadc324da49842397cd4",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48528,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:02:54 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool WolfsBane\n Tool: WolfsBane\nNames WolfsBane\nCategory Malware\nType Backdoor\nDescription\n(ESET) As explained in the Attribution and connection and Technical analysis sections,\nWolfsBane is a Linux equivalent of Gelsemium’s Gelsevirine backdoor and the WolfsBane\ndropper is analogous to the Gelsemine dropper.\nInformation\nLast change to this tool card: 26 December 2024\nDownload this tool card in JSON format\nAll groups using tool WolfsBane\nChanged Name Country Observed\nAPT groups\n Gelsemium 2014-2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=572924b9-4cc2-4247-b8b4-1cb8b6c4cd6e\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=572924b9-4cc2-4247-b8b4-1cb8b6c4cd6e\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=572924b9-4cc2-4247-b8b4-1cb8b6c4cd6e"
	],
	"report_names": [
		"listgroups.cgi?u=572924b9-4cc2-4247-b8b4-1cb8b6c4cd6e"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca86e4a46722e4099a8ebadc324da49842397cd4.pdf",
		"text": "https://archive.orkl.eu/ca86e4a46722e4099a8ebadc324da49842397cd4.txt",
		"img": "https://archive.orkl.eu/ca86e4a46722e4099a8ebadc324da49842397cd4.jpg"
	}
}