{
	"id": "b307a221-ca2e-4ba2-afe4-6961235584a1",
	"created_at": "2026-04-06T00:19:56.921908Z",
	"updated_at": "2026-04-10T13:12:46.818992Z",
	"deleted_at": null,
	"sha1_hash": "e14d7f8598c0cd3c297d5a75c6df70e41b468223",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56035,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:53:05 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool WndTest\r\n Tool: WndTest\r\nNames WndTest\r\nCategory Malware\r\nType Backdoor, Keylogger, Info stealer\r\nDescription\r\n(Cylance) WndTest is the evolution of the PVZ tool chain into a single executable. The tool chain is\r\nminimized down to a command and control communications, keystroke logging, and clipboard\r\nmonitoring. The command and control still supports upgrading, downloading, and executing of\r\napplications, as well as executing batch scripts. WndTest installs as a service and has been observed\r\nattempting to impersonate Adobe Report Service. WndTest starts using PHP servers for its command\r\nand control server, some of which are listed as defaced sites.\r\nInformation \u003chttps://www.cylance.com/content/dam/cylance/pdfs/reports/Cylance_Operation_Cleaver_Report.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool WndTest\r\nChanged Name Country Observed\r\nAPT groups\r\n  Cutting Kitten, TG-2889 2012-Mar 2016\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a93adfe0-0977-4462-b74b-eefe7ac82ff8\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a93adfe0-0977-4462-b74b-eefe7ac82ff8\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a93adfe0-0977-4462-b74b-eefe7ac82ff8"
	],
	"report_names": [
		"listgroups.cgi?u=a93adfe0-0977-4462-b74b-eefe7ac82ff8"
	],
	"threat_actors": [
		{
			"id": "49f1ada0-181f-4e89-a449-e6bc13c8c6b1",
			"created_at": "2022-10-25T15:50:23.561511Z",
			"updated_at": "2026-04-10T02:00:05.382592Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"Threat Group 2889",
				"TG-2889"
			],
			"source_name": "MITRE:Cleaver",
			"tools": [
				"Net Crawler",
				"PsExec",
				"TinyZBot",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9663cdbf-646e-4579-881a-a8ebc3aabf63",
			"created_at": "2023-01-06T13:46:38.360862Z",
			"updated_at": "2026-04-10T02:00:02.942852Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"ITsecTeam"
			],
			"source_name": "MISPGALAXY:Cutting Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "217c588a-5896-4335-b9ec-a516ae2f9a7e",
			"created_at": "2022-10-25T16:07:23.513775Z",
			"updated_at": "2026-04-10T02:00:04.635263Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"Cutting Kitten",
				"G0003",
				"Operation Cleaver",
				"TG-2889"
			],
			"source_name": "ETDA:Cutting Kitten",
			"tools": [
				"CsExt",
				"DistTrack",
				"IvizTech",
				"Jasus",
				"KAgent",
				"Logger Module",
				"MANGOPUNCH",
				"MPK",
				"MPKBot",
				"Net Crawler",
				"NetC",
				"PVZ-In",
				"PVZ-Out",
				"Pupy",
				"PupyRAT",
				"PvzOut",
				"Shamoon",
				"SynFlooder",
				"SysKit",
				"TinyZBot",
				"WndTest",
				"pupy",
				"zhCat",
				"zhMimikatz"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434796,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e14d7f8598c0cd3c297d5a75c6df70e41b468223.pdf",
		"text": "https://archive.orkl.eu/e14d7f8598c0cd3c297d5a75c6df70e41b468223.txt",
		"img": "https://archive.orkl.eu/e14d7f8598c0cd3c297d5a75c6df70e41b468223.jpg"
	}
}