{
	"id": "4683d0b3-d5be-4ad9-8cfc-64ae022f7165",
	"created_at": "2026-04-06T00:12:22.111962Z",
	"updated_at": "2026-04-10T03:27:16.235078Z",
	"deleted_at": null,
	"sha1_hash": "f86eaab24d0e3c4fb472e374bdce85320fe13f82",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48428,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:25:21 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Chrommme\n Tool: Chrommme\nNames Chrommme\nCategory Malware\nType Backdoor\nDescription\n(ESET) Chrommme is a backdoor we found during our adventures in the Gelsemium\necosystem. Code similarities with Gelsemium components are almost nonexistent, but\nsmall indicators were found during the analysis that lead us to believe that it’s\nsomehow related to the group. The same C\u0026C server was found in both Gelsevirine and\nChrommme, and both use two C\u0026C servers. Chrommme was found on an\norganization’s machine also compromised by the Gelsemium group.\nInformation MITRE ATT\u0026CK Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Chrommme\nChanged Name Country Observed\nAPT groups\n Gelsemium 2014-2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4a5dae1a-7469-41e9-8d4d-5f9ccc18b671\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4a5dae1a-7469-41e9-8d4d-5f9ccc18b671\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4a5dae1a-7469-41e9-8d4d-5f9ccc18b671"
	],
	"report_names": [
		"listgroups.cgi?u=4a5dae1a-7469-41e9-8d4d-5f9ccc18b671"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775791636,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f86eaab24d0e3c4fb472e374bdce85320fe13f82.pdf",
		"text": "https://archive.orkl.eu/f86eaab24d0e3c4fb472e374bdce85320fe13f82.txt",
		"img": "https://archive.orkl.eu/f86eaab24d0e3c4fb472e374bdce85320fe13f82.jpg"
	}
}