{ "id": "6aeaea7f-5169-47f3-82ef-0368d0bca2de", "created_at": "2026-04-06T00:07:48.100636Z", "updated_at": "2026-04-10T03:28:20.614209Z", "deleted_at": null, "sha1_hash": "e6ebaae5bfd2edaae0806bc170fbced66f163e83", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49846, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 12:34:37 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool WARPWIRE\r\n Tool: WARPWIRE\r\nNames WARPWIRE\r\nCategory Malware\r\nType Credential stealer\r\nDescription\r\n(Mandiant) WARPWIRE is a credential harvester written in Javascript that is embedded\r\ninto a legitimate Connect Secure file. WARPWIRE targets plaintext passwords and\r\nusernames which are submitted via a HTTP GET request to a command and control (C2)\r\nserver.\r\nWARPWIRE captures credentials submitted during the web logon to access layer 7\r\napplications, like RDP. Captured credentials are Base64-encoded with btoa() before they\r\nare submitted to the C2 via a HTTP GET request.\r\nInformation \u003chttps://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day\u003e\r\nMITRE ATT\u0026CK \u003chttps://attack.mitre.org/software/S1116\u003e\r\nLast change to this tool card: 19 June 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool WARPWIRE\r\nChanged Name Country Observed\r\nAPT groups\r\n  UNC5221, UTA0178 2022-Mar 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bceb1604-2b30-4292-af9c-aa18cb08554b\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bceb1604-2b30-4292-af9c-aa18cb08554b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bceb1604-2b30-4292-af9c-aa18cb08554b\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bceb1604-2b30-4292-af9c-aa18cb08554b" ], "report_names": [ "listgroups.cgi?u=bceb1604-2b30-4292-af9c-aa18cb08554b" ], "threat_actors": [ { "id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8", "created_at": "2024-01-18T02:02:34.643994Z", "updated_at": "2026-04-10T02:00:04.959645Z", "deleted_at": null, "main_name": "UNC5221", "aliases": [ "UNC5221", "UTA0178" ], "source_name": "ETDA:UNC5221", "tools": [ "BRICKSTORM", "GIFTEDVISITOR", "GLASSTOKEN", "LIGHTWIRE", "PySoxy", "THINSPOOL", "WARPWIRE", "WIREFIRE", "ZIPLINE" ], "source_id": "ETDA", "reports": null }, { "id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9", "created_at": "2024-01-12T02:00:04.33082Z", "updated_at": "2026-04-10T02:00:03.517264Z", "deleted_at": null, "main_name": "UTA0178", "aliases": [ "UNC5221", "Red Dev 61" ], "source_name": "MISPGALAXY:UTA0178", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7", "created_at": "2022-10-25T16:07:23.704358Z", "updated_at": "2026-04-10T02:00:04.718034Z", "deleted_at": null, "main_name": "Harvester", "aliases": [], "source_name": "ETDA:Harvester", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Graphon", "Metasploit", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434068, "ts_updated_at": 1775791700, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e6ebaae5bfd2edaae0806bc170fbced66f163e83.pdf", "text": "https://archive.orkl.eu/e6ebaae5bfd2edaae0806bc170fbced66f163e83.txt", "img": "https://archive.orkl.eu/e6ebaae5bfd2edaae0806bc170fbced66f163e83.jpg" } }