{
	"id": "c1f6c156-e0ff-4f05-b66e-1c3680611e15",
	"created_at": "2026-04-06T00:12:08.165671Z",
	"updated_at": "2026-04-10T13:12:09.530011Z",
	"deleted_at": null,
	"sha1_hash": "f025529cc3f3dea9ea1a0c8993326b48a32321d3",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49155,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:48:48 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GLASSTOKEN\n Tool: GLASSTOKEN\nNames GLASSTOKEN\nCategory Malware\nType Backdoor\nDescription\n(Volexity) UTA0178 planted webshells on external-facing web servers in order to grant\npersistence to the customer environment. They could then use the webshells to execute\ncommands on those devices. Only two variations of the same webshell were used in the\nattack.\nInformation\nMITRE ATT\u0026CK Last change to this tool card: 19 June 2024\nDownload this tool card in JSON format\nAll groups using tool GLASSTOKEN\nChanged Name Country Observed\nAPT groups\n UNC5221, UTA0178 2022-Mar 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=333f8a64-e05f-4c1c-812a-e75c7a32fa7a\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=333f8a64-e05f-4c1c-812a-e75c7a32fa7a\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=333f8a64-e05f-4c1c-812a-e75c7a32fa7a"
	],
	"report_names": [
		"listgroups.cgi?u=333f8a64-e05f-4c1c-812a-e75c7a32fa7a"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434328,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f025529cc3f3dea9ea1a0c8993326b48a32321d3.pdf",
		"text": "https://archive.orkl.eu/f025529cc3f3dea9ea1a0c8993326b48a32321d3.txt",
		"img": "https://archive.orkl.eu/f025529cc3f3dea9ea1a0c8993326b48a32321d3.jpg"
	}
}