{
	"id": "1577961e-f5ac-4774-8bd2-b858db12a0fb",
	"created_at": "2026-04-06T00:20:06.699142Z",
	"updated_at": "2026-04-10T13:11:28.136815Z",
	"deleted_at": null,
	"sha1_hash": "ecda00768c38799a0fcc5262ae68c2b31e818114",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49117,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:48:02 UTC\n APT group: Bookworm\nNames Bookworm (Palo Alto)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2015\nDescription\n(Palo Alto) Threat actors have delivered Bookworm as a payload in attacks on targets in\nThailand. Readers who are interested in this campaign should start with our first blog that lays\nout the overall functionality of the malware and introduces its many components.\nUnit 42 does not have detailed targeting information for all known Bookworm samples, but we\nare aware of attempted attacks on at least two branches of government in Thailand. We\nspeculate that other attacks delivering Bookworm were also targeting organizations in\nThailand based on the contents of the associated decoy documents, as well as several of the\ndynamic DNS domain names used to host C2 servers that contain the words “Thai” or\n“Thailand”. Analysis of compromised systems seen communicating with Bookworm C2\nservers also confirms our speculation on targeting with a majority of systems existing within\nThailand.\nObserved\nSectors: Defense, Government.\nCountries: Thailand.\nTools used Bookworm, FormerFirstRAT, Poison Ivy, PlugX, Scieron.\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=10591398-68de-4ce0-9427-d7cd32df1407\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=10591398-68de-4ce0-9427-d7cd32df1407\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=10591398-68de-4ce0-9427-d7cd32df1407"
	],
	"report_names": [
		"showcard.cgi?u=10591398-68de-4ce0-9427-d7cd32df1407"
	],
	"threat_actors": [
		{
			"id": "8386d4af-5cca-40bb-91d7-aca5d1a0ec99",
			"created_at": "2022-10-25T16:07:23.414558Z",
			"updated_at": "2026-04-10T02:00:04.588816Z",
			"deleted_at": null,
			"main_name": "Bookworm",
			"aliases": [],
			"source_name": "ETDA:Bookworm",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Scieron",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ecda00768c38799a0fcc5262ae68c2b31e818114.pdf",
		"text": "https://archive.orkl.eu/ecda00768c38799a0fcc5262ae68c2b31e818114.txt",
		"img": "https://archive.orkl.eu/ecda00768c38799a0fcc5262ae68c2b31e818114.jpg"
	}
}