{
	"id": "fcc0430f-edd0-4c4e-9886-7e15342dd9bb",
	"created_at": "2026-04-06T03:36:41.199159Z",
	"updated_at": "2026-04-10T03:36:17.232084Z",
	"deleted_at": null,
	"sha1_hash": "f7241976acef8f11cfa68d824b234c5c8201fa12",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47151,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 03:20:43 UTC\nAPT group: TheWizards\nNames: TheWizards (ESET)\nCountry: China\nMotivation: Information theft and espionage\nFirst seen: 2022\nDescription\n(ESET) In 2022, we discovered the activity of a China-aligned APT group that we have named TheWizards. We analyzed the custom malware and tools developed and used by TheWizards: the IPv6 AitM tool we’ve named Spellbinder, which allows the attackers to redirect the update protocols of legitimate Chinese software to malicious servers, where the software is tricked into downloading and executing fake updates on victims’ machines, and the malicious components that launch the backdoor that we have named WizardNet.\nESET continues tracking TheWizards independently of Earth Minotaur. While both threat actors use DarkNights/DarkNimbus, according to ESET telemetry TheWizards has focused on different targets and uses infrastructure and additional tools (for example, Spellbinder and WizardNet) not observed to be used by Earth Minotaur.\nObserved Countries: Cambodia, China, Hong Kong, Philippines, UAE.\nTools used: Spellbinder, WizardNet.\nInformation\nLast change to this card: 27 June 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=81d87955-b54e-425a-8936-111928dc637e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=81d87955-b54e-425a-8936-111928dc637e"
	],
	"report_names": [
		"showcard.cgi?u=81d87955-b54e-425a-8936-111928dc637e"
	],
	"threat_actors": [
		{
			"id": "86adb59b-9acc-4dac-b7f1-7ac9214c4b97",
			"created_at": "2025-06-29T02:01:57.19934Z",
			"updated_at": "2026-04-10T02:00:04.936171Z",
			"deleted_at": null,
			"main_name": "TheWizards",
			"aliases": [],
			"source_name": "ETDA:TheWizards",
			"tools": [
				"Spellbinder",
				"WizardNet"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dc813ffb-16bd-46f7-9d8f-8e93089f00c1",
			"created_at": "2024-12-28T02:01:54.748213Z",
			"updated_at": "2026-04-10T02:00:04.669444Z",
			"deleted_at": null,
			"main_name": "Earth Minotaur",
			"aliases": [],
			"source_name": "ETDA:Earth Minotaur",
			"tools": [
				"DarkNimbus",
				"MOONSHINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "06f59286-7fc1-4cae-8088-a26543643247",
			"created_at": "2025-11-07T02:00:03.494055Z",
			"updated_at": "2026-04-10T02:00:03.893442Z",
			"deleted_at": null,
			"main_name": "TheWizards",
			"aliases": [],
			"source_name": "MISPGALAXY:TheWizards",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446601,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7241976acef8f11cfa68d824b234c5c8201fa12.pdf",
		"text": "https://archive.orkl.eu/f7241976acef8f11cfa68d824b234c5c8201fa12.txt",
		"img": "https://archive.orkl.eu/f7241976acef8f11cfa68d824b234c5c8201fa12.jpg"
	}
}