{
	"id": "9c022c1c-f826-4d4a-b758-b5c2f0a714d2",
	"created_at": "2026-04-06T00:15:21.099034Z",
	"updated_at": "2026-04-10T03:33:16.352915Z",
	"deleted_at": null,
	"sha1_hash": "fae171968657986c949e475cb73b7a9a9c7c65da",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46920,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:52:17 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool TomBerBil\n Tool: TomBerBil\nNames TomBerBil\nCategory Malware\nType Credential stealer\nDescription\n(Kaspersky) In addition to the data that attackers can collect from hosts, they are also\ninterested in obtaining access to all online services that target users have access to. For an\nadversary with high privileges in the system, one fairly easy way to do this is to decrypt\nbrowser data containing cookies and passwords that the user may have saved to autofill\nauthentication forms.\nInformation Last change to this tool card: 23 April 2024\nDownload this tool card in JSON format\nAll groups using tool TomBerBil\nChanged Name Country Observed\nAPT groups\n ToddyCat 2020-2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f0315dad-1ec0-4cfc-9c05-762dd23259d6\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f0315dad-1ec0-4cfc-9c05-762dd23259d6\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f0315dad-1ec0-4cfc-9c05-762dd23259d6"
	],
	"report_names": [
		"listgroups.cgi?u=f0315dad-1ec0-4cfc-9c05-762dd23259d6"
	],
	"threat_actors": [
		{
			"id": "d67df52c-a901-4d55-b287-321818500789",
			"created_at": "2024-04-24T02:00:49.591518Z",
			"updated_at": "2026-04-10T02:00:05.314272Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"ToddyCat"
			],
			"source_name": "MITRE:ToddyCat",
			"tools": [
				"Cobalt Strike",
				"LoFiSe",
				"China Chopper",
				"netstat",
				"Pcexter",
				"Samurai"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5",
			"created_at": "2022-10-25T16:07:24.329539Z",
			"updated_at": "2026-04-10T02:00:04.939013Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Operation Stayin’ Alive",
				"Storm-0247"
			],
			"source_name": "ETDA:ToddyCat",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Cuthead",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"Krong",
				"LoFiSe",
				"Ngrok",
				"PcExter",
				"PsExec",
				"SIMPOBOXSPY",
				"Samurai",
				"SinoChopper",
				"SoftEther VPN",
				"TomBerBil",
				"WAExp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434521,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fae171968657986c949e475cb73b7a9a9c7c65da.pdf",
		"text": "https://archive.orkl.eu/fae171968657986c949e475cb73b7a9a9c7c65da.txt",
		"img": "https://archive.orkl.eu/fae171968657986c949e475cb73b7a9a9c7c65da.jpg"
	}
}