{
	"id": "861698d3-6852-4579-8dad-4a4feacfc828",
	"created_at": "2026-04-06T00:06:42.565545Z",
	"updated_at": "2026-04-10T03:33:38.148228Z",
	"deleted_at": null,
	"sha1_hash": "d360b30c32b416905e620b3b4dff7426de1484e4",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53394,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:31:52 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Sneepy\n Tool: Sneepy\nNames\nSneepy\nByeByeShell\nCategory Malware\nType Reconnaissance, Backdoor\nDescription\n(Rapid7) The main backdoor installed and executed on the victims' systems appears to be\na custom reverse shell with just a handful of features. Due to a lack of public literature\nabout this case, I decided to dub this family as ByeByeShell.\nWhen disassembling the binary you can quickly understand the mechanics of the\nbackdoor. After some quick initialization, the backdoor XORs an embedded string with\n0x9D to extract the IP address of the C\u0026C server. Subsequently it establishes a connection\nto it (generally on port 80) and checks in with some basic information about the system.\nAfter the check-in message is sent, the malware enters a continuous loop in which it will\nkeep silently waiting for commands from the open socket connection. From now on, it\nexpects some manual interaction from the attacker.\nThe supported commands are:\n• shell\n• comd\n• sleep\n• quit\n• kill\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 14 May 2020\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a14d2307-9669-4ae7-afd3-f2af09e498b2\nPage 1 of 2\n\nDownload this tool card in JSON format\r\nAll groups using tool Sneepy\r\nChanged Name Country Observed\r\nAPT groups\r\n  Confucius 2013-Aug 2021  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a14d2307-9669-4ae7-afd3-f2af09e498b2\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a14d2307-9669-4ae7-afd3-f2af09e498b2\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a14d2307-9669-4ae7-afd3-f2af09e498b2"
	],
	"report_names": [
		"listgroups.cgi?u=a14d2307-9669-4ae7-afd3-f2af09e498b2"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775792018,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d360b30c32b416905e620b3b4dff7426de1484e4.pdf",
		"text": "https://archive.orkl.eu/d360b30c32b416905e620b3b4dff7426de1484e4.txt",
		"img": "https://archive.orkl.eu/d360b30c32b416905e620b3b4dff7426de1484e4.jpg"
	}
}
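The tool card above records one concrete implementation detail of ByeByeShell/Sneepy: the C2 address is stored as an embedded string XORed with the single byte 0x9D and decoded at runtime. The Python below is an added example written for this record, not code from Rapid7, ETDA or the malware author. It decodes such a string the way the backdoor does, and, because an analyst usually does not know the key when staring at a fresh sample, it also brute-forces all 256 single-byte keys over a data blob and reports every decoded dotted-quad IPv4 address. The sample blob, the 203.0.113.10 address (TEST-NET-3, not a real indicator), the 127.0.0.1 decoy and the registry-path filler are all constructed for this example.

```python
import re

# Single-byte XOR key reported by Rapid7 for the embedded C2 string in ByeByeShell/Sneepy.
KEY = 0x9D

# Dotted-quad candidates; the octet range is checked separately so the regex stays readable.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def encode_c2(addr: str, key: int = KEY) -> bytes:
    """Obfuscate a NUL-terminated C2 string. Used here only to build the constructed sample input."""
    return xor_bytes(addr.encode("ascii") + b"\x00", key)


def decode_c2(blob: bytes, key: int = KEY) -> str:
    """Mirror the backdoor's own routine: XOR the bytes, then take the string up to the first NUL."""
    return xor_bytes(blob, key).split(b"\x00", 1)[0].decode("ascii", errors="replace")


def _octets_in_range(candidate: bytes) -> bool:
    return all(int(octet) <= 255 for octet in candidate.split(b"."))


def find_xored_ips(blob: bytes) -> list[tuple[int, int, str]]:
    """Brute-force all 256 single-byte keys and return (key, offset, ip) for every dotted-quad
    visible in the decoded view. Key 0 is the unmodified data, so hits there are plain strings."""
    hits = []
    for key in range(256):
        view = xor_bytes(blob, key)
        for m in IPV4_RE.finditer(view):
            if _octets_in_range(m.group()):
                hits.append((key, m.start(), m.group().decode("ascii")))
    return hits


# Constructed sample standing in for a slice of a .data section: filler bytes, an unobfuscated
# decoy string, a registry path, and the hypothetical C2 address XORed with KEY.
C2_ADDR = "203.0.113.10"
SAMPLE_BLOB = (
    b"\x00" * 4
    + b"127.0.0.1\x00"                      # plain string: only shows up under key 0
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + encode_c2(C2_ADDR)                    # what the backdoor actually stores
    + b"\x00" * 4
)


if __name__ == "__main__":
    for key, offset, ip in find_xored_ips(SAMPLE_BLOB):
        print(f"key=0x{key:02x} offset=0x{offset:04x} ip={ip}")
    region = SAMPLE_BLOB.index(encode_c2(C2_ADDR))
    print("direct decode with 0x9D:", decode_c2(SAMPLE_BLOB[region:]))
```

The brute-force reports the key alongside each hit, so an analyst can confirm the 0x9D value from the disassembly against the string actually present in the sample, and a hit under key 0 is just a cleartext string, not an obfuscated one. Running the scan over a whole section rather than a single string is what makes it useful on a fresh build where the key or the string offset may have changed.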