{
	"id": "ed4f8d2e-4791-4432-8d9c-a47a17beb5cc",
	"created_at": "2026-04-06T00:18:46.74724Z",
	"updated_at": "2026-04-10T03:24:34.031296Z",
	"deleted_at": null,
	"sha1_hash": "edb05ae728d7eee227263667f46c655afdfb4216",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48246,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:51:05 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool THINSPOOL\r\n Tool: THINSPOOL\r\nNames THINSPOOL\r\nCategory Malware\r\nType Dropper\r\nDescription\r\n(Mandiant) THINSPOOL is a dropper written in shell script that writes the web shell\r\nLIGHTWIRE to a legitimate CS file. THINSPOOL will re-add the malicious web shell code to\r\nlegitimate files after an update, allowing UNC5221 to persist on the compromised devices.\r\nTHINSPOOL attempts to evade Ivanti’s Integrity Checker but Mandiant observed this attempt\r\nfailed.\r\nInformation \u003chttps://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day\u003e\r\nLast change to this tool card: 17 January 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool THINSPOOL\r\nChanged Name Country Observed\r\nAPT groups\r\n  UNC5221, UTA0178 2022-Mar 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=135f79b2-1787-46e8-b20b-eaf570ee0f44\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=135f79b2-1787-46e8-b20b-eaf570ee0f44\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=135f79b2-1787-46e8-b20b-eaf570ee0f44"
	],
	"report_names": [
		"listgroups.cgi?u=135f79b2-1787-46e8-b20b-eaf570ee0f44"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434726,
	"ts_updated_at": 1775791474,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/edb05ae728d7eee227263667f46c655afdfb4216.pdf",
		"text": "https://archive.orkl.eu/edb05ae728d7eee227263667f46c655afdfb4216.txt",
		"img": "https://archive.orkl.eu/edb05ae728d7eee227263667f46c655afdfb4216.jpg"
	}
}