{
	"id": "2f8ed7ce-5a42-40a8-933c-8e84935871bf",
	"created_at": "2026-04-06T00:15:31.697819Z",
	"updated_at": "2026-04-10T13:12:00.907228Z",
	"deleted_at": null,
	"sha1_hash": "f9ed36c11b1ee23770b578b45d3b9da617590318",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45188,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:08:00 UTC\n Tool: Deadglyph\nNames Deadglyph\nCategory Malware\nType Backdoor\nDescription\n(ESET) Deadglyph’s loading chain consists of multiple components, as illustrated in Figure 3.\nThe initial component is a registry shellcode loader, which loads shellcode from the registry.\nThis extracted shellcode, in turn, loads the native x64 part of the backdoor – the Executor. The\nExecutor subsequently loads the .NET part of the backdoor – the Orchestrator. Notably, the\nonly component on system’s disk as a file is the initial component, which is in the form of a\nDynamic Link Library (DLL). The remaining components are encrypted and stored within a\nbinary registry value.\nInformation\nLast change to this tool card: 12 October 2023\nAll groups using tool Deadglyph\nChanged Name Country Observed\nAPT groups\n Stealth Falcon, FruityArmor 2012-Mar 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5bb497f8-66c2-4b65-9783-c28f685cfca5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5bb497f8-66c2-4b65-9783-c28f685cfca5"
	],
	"report_names": [
		"listgroups.cgi?u=5bb497f8-66c2-4b65-9783-c28f685cfca5"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bd084d2f-4233-49b1-b0e6-c7011178dae0",
			"created_at": "2022-10-25T15:50:23.544316Z",
			"updated_at": "2026-04-10T02:00:05.325921Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"Stealth Falcon"
			],
			"source_name": "MITRE:Stealth Falcon",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9ed36c11b1ee23770b578b45d3b9da617590318.pdf",
		"text": "https://archive.orkl.eu/f9ed36c11b1ee23770b578b45d3b9da617590318.txt",
		"img": "https://archive.orkl.eu/f9ed36c11b1ee23770b578b45d3b9da617590318.jpg"
	}
}