{
	"id": "8400e021-c8d8-4104-80bb-a8d54c8ed7f0",
	"created_at": "2026-04-06T00:22:28.257113Z",
	"updated_at": "2026-04-10T03:36:17.206531Z",
	"deleted_at": null,
	"sha1_hash": "dce2732f81b61ef58f7903a4c71aef181d7d0fc0",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51343,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:43:11 UTC\nTool: PylangGhost\nNames PylangGhost\nCategory Malware\nType Backdoor\nDescription\n(Talos) As the Golang variant of the RAT is already well-documented, this blog focuses on the\nPython version and the similarities between the two. The initial stage consists of a command\nline which the fake webpage tells the unsuspecting user to copy, paste and execute.\nThe command line uses either PowerShell Invoke-Webrequest or curl to download a ZIP file\ncontaining the PylangGhost modules as well as a Visual Basic Script file. This script is\nresponsible for unzipping the Python library stored in the “lib.zip file” and launching the trojan\nby running a renamed Python interpreter using the file “nvidia.py” as the Python program to\nrun.\nInformation Last change to this tool card: 28 June 2025\nAll groups using tool PylangGhost\nChanged Name Country Observed\nAPT groups\n ↳ Subgroup: Operation Contagious Interview 2020-Jul 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8caf0b4c-251a-44e2-a426-8975f2af0817",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8caf0b4c-251a-44e2-a426-8975f2af0817"
	],
	"report_names": [
		"listgroups.cgi?u=8caf0b4c-251a-44e2-a426-8975f2af0817"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434948,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dce2732f81b61ef58f7903a4c71aef181d7d0fc0.pdf",
		"text": "https://archive.orkl.eu/dce2732f81b61ef58f7903a4c71aef181d7d0fc0.txt",
		"img": "https://archive.orkl.eu/dce2732f81b61ef58f7903a4c71aef181d7d0fc0.jpg"
	}
}