{
	"id": "ccd4ff10-89a0-4470-8393-0a22cc8e9ba1",
	"created_at": "2026-04-06T00:13:16.792712Z",
	"updated_at": "2026-04-10T13:12:56.498686Z",
	"deleted_at": null,
	"sha1_hash": "d68e73a2d845d253074fa7865ea175b6d6333db6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48458,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:22:45 UTC\n Tool: CASTLETAP\nNames CASTLETAP\nCategory Malware\nType Backdoor\nDescription\n(Mandiant) Analysis on the FortiGate firewalls identified an additional malicious file\n/bin/fgfm. Analysis of /bin/fgfm determined it to be a passive backdoor, named CASTLETAP,\nthat listened for a specialized ICMP packet for activation. The threat actor likely named the\nfile ‘fgfm’ in an attempt to disguise the backdoor as the legitimate service ‘fgfmd’ which\nfacilitates communication between the FortiManager and FortiGate firewalls.\nOnce executed, CASTLETAP created a raw promiscuous socket to sniff network traffic.\nCASTLETAP then filtered and XOR decoded a 9-byte magic activation string in the payload\nof an ICMP echo request packet.\nInformation Last change to this tool card: 26 August 2024\nAll groups using tool CASTLETAP\nChanged Name Country Observed\nAPT groups\n UNC3886 2021-Early 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cc32e2b8-7562-4241-929f-450ed69be9cb",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cc32e2b8-7562-4241-929f-450ed69be9cb"
	],
	"report_names": [
		"listgroups.cgi?u=cc32e2b8-7562-4241-929f-450ed69be9cb"
	],
	"threat_actors": [
		{
			"id": "9df8987a-27fc-45c5-83b0-20dceb8288af",
			"created_at": "2025-10-29T02:00:51.836932Z",
			"updated_at": "2026-04-10T02:00:05.253487Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"UNC3886"
			],
			"source_name": "MITRE:UNC3886",
			"tools": [
				"MOPSLED",
				"VIRTUALPIE",
				"CASTLETAP",
				"THINCRUST",
				"VIRTUALPITA",
				"RIFLESPINE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d",
			"created_at": "2024-08-28T02:02:09.711951Z",
			"updated_at": "2026-04-10T02:00:04.957678Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"Fire Ant"
			],
			"source_name": "ETDA:UNC3886",
			"tools": [
				"BOLDMOVE",
				"CASTLETAP",
				"LOOKOVER",
				"MOPSLED",
				"RIFLESPINE",
				"TABLEFLIP",
				"THINCRUST",
				"Tiny SHell",
				"VIRTUALGATE",
				"VIRTUALPIE",
				"VIRTUALPITA",
				"VIRTUALSHINE",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37",
			"created_at": "2023-11-04T02:00:07.663664Z",
			"updated_at": "2026-04-10T02:00:03.385989Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3886",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d68e73a2d845d253074fa7865ea175b6d6333db6.pdf",
		"text": "https://archive.orkl.eu/d68e73a2d845d253074fa7865ea175b6d6333db6.txt",
		"img": "https://archive.orkl.eu/d68e73a2d845d253074fa7865ea175b6d6333db6.jpg"
	}
}