{
	"id": "ca816ef7-91a3-400d-9ce6-b3f47628bfbc",
	"created_at": "2026-04-06T00:15:44.227903Z",
	"updated_at": "2026-04-10T13:12:06.710016Z",
	"deleted_at": null,
	"sha1_hash": "e8a15fd44d1db5f72720a46a5697e9d9aff46e36",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45384,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:17:07 UTC\r\nTool: Nibatad\r\nNames Nibatad\r\nCategory Malware\r\nType Loader, Downloader\r\nDescription\r\n(Symantec) In some attacks, Whitefly has used a second piece of custom malware,\r\nTrojan.Nibatad. Like Vcrodat, Nibatad is also a loader that leverages search order hijacking,\r\nand downloads an encrypted payload to the infected computer. And similar to Vcrodat, the\r\nNibatad payload is designed to facilitate information theft from an infected computer.\r\nWhile Vcrodat is delivered via the malicious dropper, we have yet to discover how Nibatad is\r\ndelivered to the infected computer. Why Whitefly uses these two different loaders in some of\r\nits attacks remains unknown. And while we have found both Vcrodat and Nibatad inside\r\nindividual victim organizations, we have not found any evidence of them being used\r\nsimultaneously on a single computer.\r\nInformation\r\n\u003chttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/whitefly-espionage-singapore?es_p=8774683\u003e\r\nLast change to this tool card: 20 April 2020\r\nAll groups using tool Nibatad\r\nChanged Name Country Observed\r\nAPT groups\r\nWhitefly, Mofang [Unknown] 2012-Jul 2018\r\n1 group listed (1 APT, 0 other, 0 unknown)\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=083cff3b-8471-4192-8f4d-9dc8e52b0659",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=083cff3b-8471-4192-8f4d-9dc8e52b0659"
	],
	"report_names": [
		"listgroups.cgi?u=083cff3b-8471-4192-8f4d-9dc8e52b0659"
	],
	"threat_actors": [
		{
			"id": "ad5c6ff2-0646-4b29-88bb-d88c75e4866d",
			"created_at": "2022-10-25T15:50:23.662882Z",
			"updated_at": "2026-04-10T02:00:05.385067Z",
			"deleted_at": null,
			"main_name": "Whitefly",
			"aliases": [
				"Whitefly"
			],
			"source_name": "MITRE:Whitefly",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cd9f8d91-c55c-4086-a1a0-23e78d194d46",
			"created_at": "2023-01-06T13:46:38.943454Z",
			"updated_at": "2026-04-10T02:00:03.153969Z",
			"deleted_at": null,
			"main_name": "Whitefly",
			"aliases": [],
			"source_name": "MISPGALAXY:Whitefly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2939cf7-76f8-4080-9ba1-42ccb4016b3b",
			"created_at": "2022-10-25T15:50:23.53328Z",
			"updated_at": "2026-04-10T02:00:05.372938Z",
			"deleted_at": null,
			"main_name": "Mofang",
			"aliases": [
				"Mofang"
			],
			"source_name": "MITRE:Mofang",
			"tools": [
				"ShimRatReporter",
				"ShimRat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "db318f04-09e6-4c57-b0e9-3f71f0b2de94",
			"created_at": "2023-01-06T13:46:38.648954Z",
			"updated_at": "2026-04-10T02:00:03.054266Z",
			"deleted_at": null,
			"main_name": "Mofang",
			"aliases": [
				"BRONZE WALKER"
			],
			"source_name": "MISPGALAXY:Mofang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "df9bfbf1-bb9d-492f-b381-95b9e1482267",
			"created_at": "2022-10-25T16:07:24.394491Z",
			"updated_at": "2026-04-10T02:00:04.973663Z",
			"deleted_at": null,
			"main_name": "Whitefly",
			"aliases": [
				"ATK 83",
				"Bronze Walker",
				"G0103",
				"G0107",
				"Mofang",
				"SectorM04",
				"TEMP.Mimic"
			],
			"source_name": "ETDA:Whitefly",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Nibatad",
				"Shim RAT",
				"ShimRAT",
				"Vcrodat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "728d2c2c-c4af-4cdc-8723-5d3aa97924a8",
			"created_at": "2024-05-01T02:03:08.002557Z",
			"updated_at": "2026-04-10T02:00:03.669852Z",
			"deleted_at": null,
			"main_name": "BRONZE WALKER",
			"aliases": [
				"CTG-2810 ",
				"Mofang "
			],
			"source_name": "Secureworks:BRONZE WALKER",
			"tools": [
				"ShimRat",
				"Superman"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434544,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8a15fd44d1db5f72720a46a5697e9d9aff46e36.pdf",
		"text": "https://archive.orkl.eu/e8a15fd44d1db5f72720a46a5697e9d9aff46e36.txt",
		"img": "https://archive.orkl.eu/e8a15fd44d1db5f72720a46a5697e9d9aff46e36.jpg"
	}
}