{
	"id": "d20881d2-c250-4c2b-880b-56ab12962af9",
	"created_at": "2026-04-06T01:32:07.085549Z",
	"updated_at": "2026-04-10T03:34:57.841798Z",
	"deleted_at": null,
	"sha1_hash": "ef250a0343d8b46e3e0b284f0281a93564f2d2a3",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49076,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:35:33 UTC\r\nTool: Tofu Backdoor\r\nNames Tofu Backdoor\r\nCategory Malware\r\nType Reconnaissance, Backdoor\r\nDescription\r\n(Cylance) Based upon Cylance’s observations, the Tofu Backdoor was deployed in far fewer instances than the Ham Backdoor. It is a proxy-aware, fully-featured backdoor programmed in C++ and compiled using Visual Studio 2015. The Tofu backdoor makes extensive use of threading to perform individual tasks within the code. It communicates with its C2 server through HTTP over nonstandard TCP ports, and will send encoded information containing basic system information back, including hostname, username, and operating system within the content of the POST.\r\nInformation\r\n\u003chttps://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html\u003e\r\nLast change to this tool card: 20 April 2020\r\nAll groups using tool Tofu Backdoor\r\nChanged Name Country Observed\r\nAPT groups\r\n  Snake Wine 2016  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=385b9f04-1c85-407b-882f-3a0f08857a3b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=385b9f04-1c85-407b-882f-3a0f08857a3b"
	],
	"report_names": [
		"listgroups.cgi?u=385b9f04-1c85-407b-882f-3a0f08857a3b"
	],
	"threat_actors": [
		{
			"id": "42a7c8ec-e6f6-4460-9ad4-0ca2d3210135",
			"created_at": "2022-10-25T16:07:24.203518Z",
			"updated_at": "2026-04-10T02:00:04.898194Z",
			"deleted_at": null,
			"main_name": "Snake Wine",
			"aliases": [],
			"source_name": "ETDA:Snake Wine",
			"tools": [
				"ChChes",
				"HAYMAKER",
				"Ham Backdoor",
				"Tofu Backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "029f7e65-fec8-481e-a7ef-9b5e53ef2371",
			"created_at": "2023-01-06T13:46:38.674255Z",
			"updated_at": "2026-04-10T02:00:03.063656Z",
			"deleted_at": null,
			"main_name": "Snake Wine",
			"aliases": [],
			"source_name": "MISPGALAXY:Snake Wine",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439127,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef250a0343d8b46e3e0b284f0281a93564f2d2a3.pdf",
		"text": "https://archive.orkl.eu/ef250a0343d8b46e3e0b284f0281a93564f2d2a3.txt",
		"img": "https://archive.orkl.eu/ef250a0343d8b46e3e0b284f0281a93564f2d2a3.jpg"
	}
}