{
	"id": "c4409c3f-3d53-45a3-8a3c-1a339fce8469",
	"created_at": "2026-04-06T01:30:47.027486Z",
	"updated_at": "2026-04-10T03:24:09.709231Z",
	"deleted_at": null,
	"sha1_hash": "e5d9e007c2aeea62909a71ab9a9ad37463f028e6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42756,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:25:23 UTC\r\nTool: CAKETAP\r\nNames CAKETAP\r\nCategory Malware\r\nType Rootkit\r\nDescription\r\n(Mandiant) CAKETAP is a kernel module rootkit that UNC2891 deployed on key server infrastructure running Oracle Solaris. CAKETAP can hide network connections, processes, and files. During initialization, it removes itself from the loaded modules list and updates the last_module_id with the previously loaded module to hide its presence.\r\nInformation \u003chttps://www.mandiant.com/resources/unc2891-overview\u003e\r\nLast change to this tool card: 03 April 2022\r\nAll groups using tool CAKETAP\r\nChanged Name Country Observed\r\nAPT groups\r\nUNC2891 [Unknown] 2020\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=23885eea-e205-4f33-bfb5-2fb680c51d34",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=23885eea-e205-4f33-bfb5-2fb680c51d34"
	],
	"report_names": [
		"listgroups.cgi?u=23885eea-e205-4f33-bfb5-2fb680c51d34"
	],
	"threat_actors": [
		{
			"id": "8b0219d5-cb32-4702-a4d6-7de8beb9b7a8",
			"created_at": "2022-10-25T16:07:24.364598Z",
			"updated_at": "2026-04-10T02:00:04.955871Z",
			"deleted_at": null,
			"main_name": "UNC2891",
			"aliases": [],
			"source_name": "ETDA:UNC2891",
			"tools": [
				"BINBASH",
				"CAKETAP",
				"MIGLOGCLEANER",
				"SLAPSTICK",
				"STEELCORGI",
				"STEELHOUND",
				"SUN4ME",
				"Tiny SHell",
				"WINGCRACK",
				"WINGHOOK",
				"WIPERIGHT",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439047,
	"ts_updated_at": 1775791449,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5d9e007c2aeea62909a71ab9a9ad37463f028e6.pdf",
		"text": "https://archive.orkl.eu/e5d9e007c2aeea62909a71ab9a9ad37463f028e6.txt",
		"img": "https://archive.orkl.eu/e5d9e007c2aeea62909a71ab9a9ad37463f028e6.jpg"
	}
}