{
	"id": "04ffafaa-4c1b-491f-8461-dc7593c0b4e2",
	"created_at": "2026-04-06T00:15:02.734061Z",
	"updated_at": "2026-04-10T03:31:49.122616Z",
	"deleted_at": null,
	"sha1_hash": "dca2a0ecf921f98d7a2cd706e7fe262e706a5563",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47753,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:35:40 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool OpGhoul\n Tool: OpGhoul\nNames OpGhoul\nCategory Malware\nType Reconnaissance, Backdoor, Keylogger, Credential stealer, Info stealer\nDescription\n(Kaspersky) The malware is based on the Hawkeye commercial spyware, which provides a\nvariety of tools for the attackers, in addition to malware anonymity from attribution. It initiates\nby self-deploying and configuring persistence, while using anti-debugging and timeout\ntechniques, then starts collecting interesting data from the victim’s device, including:\n• Keystrokes\n• Clipboard data\n• FileZilla ftp server credentials\n• Account data from local browsers\n• Account data from local messaging clients (Paltalk, Google talk, AIM…)\n• Account data from local email clients (Outlook, Windows Live mail…)\n• License information of some installed applications\nInformation\nMalpedia\nLast change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool OpGhoul\nChanged Name Country Observed\nAPT groups\n Operation Ghoul [Unknown] 2016\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=95f5b536-a369-481f-a9da-71b6a4dc16ed\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=95f5b536-a369-481f-a9da-71b6a4dc16ed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=95f5b536-a369-481f-a9da-71b6a4dc16ed\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=95f5b536-a369-481f-a9da-71b6a4dc16ed"
	],
	"report_names": [
		"listgroups.cgi?u=95f5b536-a369-481f-a9da-71b6a4dc16ed"
	],
	"threat_actors": [
		{
			"id": "373f10d9-9fdb-4451-b158-da634c6bfb22",
			"created_at": "2024-02-06T02:00:04.148051Z",
			"updated_at": "2026-04-10T02:00:03.579412Z",
			"deleted_at": null,
			"main_name": "Operation Ghoul",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Ghoul",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5919968-4173-411e-801d-9a1a3bd6a10c",
			"created_at": "2022-10-25T16:07:23.959228Z",
			"updated_at": "2026-04-10T02:00:04.808278Z",
			"deleted_at": null,
			"main_name": "Operation Ghoul",
			"aliases": [],
			"source_name": "ETDA:Operation Ghoul",
			"tools": [
				"OpGhoul"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434502,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dca2a0ecf921f98d7a2cd706e7fe262e706a5563.pdf",
		"text": "https://archive.orkl.eu/dca2a0ecf921f98d7a2cd706e7fe262e706a5563.txt",
		"img": "https://archive.orkl.eu/dca2a0ecf921f98d7a2cd706e7fe262e706a5563.jpg"
	}
}