{
	"id": "6b4043f4-43df-42dc-bb8f-1543b891b69d",
	"created_at": "2026-04-06T00:19:50.723664Z",
	"updated_at": "2026-04-10T03:24:09.663551Z",
	"deleted_at": null,
	"sha1_hash": "dde4f16731e7d9589726291d30ebd36e7d67bd5b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50838,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:20:13 UTC\nTool: SPINNER\nNames SPINNER\nCategory Malware\nType Reconnaissance, Backdoor, Exfiltration\nDescription\n(Check Point) Many of the functions inside the final payload share similar logic with the SPINNER variant described above, but the payload lacks the compiler-level obfuscations observed in the newer campaign making it easier to analyze. Furthermore, the previous version of the backdoor contains additional features. This is another indication that the initial SPINNER backdoor version we observed is only a part of the bigger payload. It’s likely the actors eventually split the payload and only equipped the first stage of the main backdoor with essential functions: enumeration of the victim’s machine and execution of the next stage payloads received from the C\u0026C server.\nThe full version of the SPINNER backdoor contains the following capabilities:\n• Collects information about the infected machine (enumerate disks, files).\n• Exfiltrates files from the infected machine and manipulates the local files.\n• Runs OS commands and executes downloaded payload, as part of typical backdoor capabilities.\nInformation\nLast change to this tool card: 19 July 2022\nAll groups using tool SPINNER\nChanged Name Country Observed\nAPT groups\nTwisted Panda 2021\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=783d3b2e-0298-469d-84b5-e10fa395d6e3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=783d3b2e-0298-469d-84b5-e10fa395d6e3"
	],
	"report_names": [
		"listgroups.cgi?u=783d3b2e-0298-469d-84b5-e10fa395d6e3"
	],
	"threat_actors": [
		{
			"id": "7d54276c-2f4f-4458-905f-d96510584627",
			"created_at": "2022-10-25T16:07:24.352336Z",
			"updated_at": "2026-04-10T02:00:04.951012Z",
			"deleted_at": null,
			"main_name": "Twisted Panda",
			"aliases": [],
			"source_name": "ETDA:Twisted Panda",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434790,
	"ts_updated_at": 1775791449,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dde4f16731e7d9589726291d30ebd36e7d67bd5b.pdf",
		"text": "https://archive.orkl.eu/dde4f16731e7d9589726291d30ebd36e7d67bd5b.txt",
		"img": "https://archive.orkl.eu/dde4f16731e7d9589726291d30ebd36e7d67bd5b.jpg"
	}
}