{
	"id": "d1900444-125b-4240-b480-aa747327e2d4",
	"created_at": "2026-04-06T00:13:48.514812Z",
	"updated_at": "2026-04-10T03:33:16.326152Z",
	"deleted_at": null,
	"sha1_hash": "cb63206b59dbd7ef2f7b8ca09765ea452e46e71c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47421,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:33:33 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool WAExp\n Tool: WAExp\nNames WAExp\nCategory Malware\nType Info stealer\nDescription\n(Kaspersky) This tool is written in .NET and designed to search for and collect browser local\nstorage files containing data from the web version of WhatsApp (web.whatsapp.com). For\nusers of the WhatsApp web app, their browser local storage contains their profile details, chat\ndata, the phone numbers of users they chat with and current session data. Attackers can gain\naccess to this data by copying the browser’s local storage files.\nInformation Last change to this tool card: 23 April 2024\nDownload this tool card in JSON format\nAll groups using tool WAExp\nChanged Name Country Observed\nAPT groups\n ToddyCat 2020-2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a7f81307-541a-45ce-9a51-5c919bc7d9bb\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a7f81307-541a-45ce-9a51-5c919bc7d9bb\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a7f81307-541a-45ce-9a51-5c919bc7d9bb"
	],
	"report_names": [
		"listgroups.cgi?u=a7f81307-541a-45ce-9a51-5c919bc7d9bb"
	],
	"threat_actors": [
		{
			"id": "d67df52c-a901-4d55-b287-321818500789",
			"created_at": "2024-04-24T02:00:49.591518Z",
			"updated_at": "2026-04-10T02:00:05.314272Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"ToddyCat"
			],
			"source_name": "MITRE:ToddyCat",
			"tools": [
				"Cobalt Strike",
				"LoFiSe",
				"China Chopper",
				"netstat",
				"Pcexter",
				"Samurai"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5",
			"created_at": "2022-10-25T16:07:24.329539Z",
			"updated_at": "2026-04-10T02:00:04.939013Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Operation Stayin’ Alive",
				"Storm-0247"
			],
			"source_name": "ETDA:ToddyCat",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Cuthead",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"Krong",
				"LoFiSe",
				"Ngrok",
				"PcExter",
				"PsExec",
				"SIMPOBOXSPY",
				"Samurai",
				"SinoChopper",
				"SoftEther VPN",
				"TomBerBil",
				"WAExp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb63206b59dbd7ef2f7b8ca09765ea452e46e71c.pdf",
		"text": "https://archive.orkl.eu/cb63206b59dbd7ef2f7b8ca09765ea452e46e71c.txt",
		"img": "https://archive.orkl.eu/cb63206b59dbd7ef2f7b8ca09765ea452e46e71c.jpg"
	}
}