{ "id": "e483a4b4-4de8-478d-b357-0a346bd36b98", "created_at": "2026-04-06T00:10:52.538539Z", "updated_at": "2026-04-10T03:24:34.013144Z", "deleted_at": null, "sha1_hash": "fbbddc24b7202e9066b62763d9880a53ecec6bb6", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53521, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 12:00:33 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool WIREFIRE\n Tool: WIREFIRE\nNames\nWIREFIRE\nGIFTEDVISITOR\nCategory Malware\nType Backdoor\nDescription\n(Mandiant) WIREFIRE is a web shell written in Python that exists as trojanized logic to\na component of the Connect Secure appliance. WIREFIRE supports downloading files\nto the compromised device and executing arbitrary commands. It contains logic inserted\nbefore authentication that responds to specific HTTP POST requests to\n/api/v1/cav/client/visits. If formdata entry “file” exists, the web shell saves the content to\nthe device with a specified filename; if not, the web shell attempts to decode, decrypt,\nand zlib decompress any raw data existing after a GIF header to execute as a subprocess.\nThe output of the executed process will be zlib compressed, AES-encrypted with the\nsame key, and Base64-encoded before being sent back as JSON with a “message” field\nvia an HTTP 200 OK.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 27 December 2024\nDownload this tool card in JSON format\nAll groups using tool WIREFIRE\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=adb432fe-3ebe-4a40-9b59-6f71f67d90c6\nPage 1 of 2\n\nAPT groups\r\n  UNC5221, UTA0178 2022-Mar 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=adb432fe-3ebe-4a40-9b59-6f71f67d90c6\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=adb432fe-3ebe-4a40-9b59-6f71f67d90c6\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=adb432fe-3ebe-4a40-9b59-6f71f67d90c6" ], "report_names": [ "listgroups.cgi?u=adb432fe-3ebe-4a40-9b59-6f71f67d90c6" ], "threat_actors": [ { "id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8", "created_at": "2024-01-18T02:02:34.643994Z", "updated_at": "2026-04-10T02:00:04.959645Z", "deleted_at": null, "main_name": "UNC5221", "aliases": [ "UNC5221", "UTA0178" ], "source_name": "ETDA:UNC5221", "tools": [ "BRICKSTORM", "GIFTEDVISITOR", "GLASSTOKEN", "LIGHTWIRE", "PySoxy", "THINSPOOL", "WARPWIRE", "WIREFIRE", "ZIPLINE" ], "source_id": "ETDA", "reports": null }, { "id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9", "created_at": "2024-01-12T02:00:04.33082Z", "updated_at": "2026-04-10T02:00:03.517264Z", "deleted_at": null, "main_name": "UTA0178", "aliases": [ "UNC5221", "Red Dev 61" ], "source_name": "MISPGALAXY:UTA0178", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434252, "ts_updated_at": 1775791474, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fbbddc24b7202e9066b62763d9880a53ecec6bb6.pdf", "text": "https://archive.orkl.eu/fbbddc24b7202e9066b62763d9880a53ecec6bb6.txt", "img": "https://archive.orkl.eu/fbbddc24b7202e9066b62763d9880a53ecec6bb6.jpg" } }