{
	"id": "b03947e1-52e7-4d55-8542-91b40bf53005",
	"created_at": "2026-04-06T00:16:01.781156Z",
	"updated_at": "2026-04-10T03:38:09.738842Z",
	"deleted_at": null,
	"sha1_hash": "eea14936cdef6b98a768524cd848d000dbab62b0",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49933,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:59:58 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GLASSES\n Tool: GLASSES\nNames\nGLASSES\nWordpress Bruteforcer\nCategory Malware\nType Downloader\nDescription\n(Citizen Lab) The dropped executable connects to a website and downloads a single HTML\npage. The site appears to be part of a legitimate website for an eyeglasses company, suggesting\nthat it has been compromised.\nThe accessed page contains an anchor with an encoded command in it. The malware looks for\nthe string in the anchor tag with the target NewRef, and then decodes it to a command. The\nlink itself is empty, so that there is nothing to click on and it is invisible on the page. Another\npage on the same site, aboutus.htm, contains a different command although the URL is not\napparently used by this binary.\nLooking through the malware code, it is evident that this is a simple downloader with only two\ncommands.\nInformation Malpedia Last change to this tool card: 28 December 2022\nDownload this tool card in JSON format\nAll groups using tool GLASSES\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=36aef054-c9d1-43e1-bdcd-973f18961dda\nPage 1 of 2\n\nComment Crew, APT 1 2006-May 2018\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=36aef054-c9d1-43e1-bdcd-973f18961dda\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=36aef054-c9d1-43e1-bdcd-973f18961dda\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=36aef054-c9d1-43e1-bdcd-973f18961dda"
	],
	"report_names": [
		"listgroups.cgi?u=36aef054-c9d1-43e1-bdcd-973f18961dda"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eea14936cdef6b98a768524cd848d000dbab62b0.pdf",
		"text": "https://archive.orkl.eu/eea14936cdef6b98a768524cd848d000dbab62b0.txt",
		"img": "https://archive.orkl.eu/eea14936cdef6b98a768524cd848d000dbab62b0.jpg"
	}
}