{
	"id": "595bc05f-905c-44e1-af43-d7568c0c909e",
	"created_at": "2026-04-06T00:12:53.864888Z",
	"updated_at": "2026-04-10T03:30:10.289561Z",
	"deleted_at": null,
	"sha1_hash": "eb1239dfd840e0a7e008120551a87bdcce47b378",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44824,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 10:48:16 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool TinyPosh\r\n Tool: TinyPosh\r\nNames TinyPosh\r\nCategory Malware\r\nType Backdoor, Downloader, Loader\r\nDescription\r\n(Group-IB) As in the first campaigns, opening the link in the email resulted in the TinyPosh\r\nTrojan being downloaded to the victim's computer. The malware achieved persistence in the\r\nsystem, obtained privileges of the account from which the Trojan was launched, and could\r\ndownload and launch the Cobalt Strike Beacon upon command. To hide the real C\u0026C address,\r\nthe hackers used the Cloudflare Workers server.\r\nInformation \u003chttps://www.group-ib.com/blog/oldgremlin\u003e\r\nLast change to this tool card: 19 October 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool TinyPosh\r\nChanged Name Country Observed\r\nAPT groups\r\n  OldGremlin 2020-Feb 2021  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2b67075b-19be-441c-860b-aab17bcd21b6\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2b67075b-19be-441c-860b-aab17bcd21b6\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2b67075b-19be-441c-860b-aab17bcd21b6"
	],
	"report_names": [
		"listgroups.cgi?u=2b67075b-19be-441c-860b-aab17bcd21b6"
	],
	"threat_actors": [
		{
			"id": "a060d952-fc4b-44df-bd0e-ee3606e79f83",
			"created_at": "2022-10-25T16:07:23.920646Z",
			"updated_at": "2026-04-10T02:00:04.790469Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "ETDA:OldGremlin",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"TinyCryptor",
				"TinyNode",
				"TinyPosh",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e35c1877-f6a5-4e47-8464-ddc943e3b320",
			"created_at": "2023-11-21T02:00:07.390198Z",
			"updated_at": "2026-04-10T02:00:03.476348Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "MISPGALAXY:OldGremlin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775791810,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb1239dfd840e0a7e008120551a87bdcce47b378.pdf",
		"text": "https://archive.orkl.eu/eb1239dfd840e0a7e008120551a87bdcce47b378.txt",
		"img": "https://archive.orkl.eu/eb1239dfd840e0a7e008120551a87bdcce47b378.jpg"
	}
}