{
	"id": "55993644-b0ec-4e91-bb92-dde58ccd1c8a",
	"created_at": "2026-04-06T00:13:30.673761Z",
	"updated_at": "2026-04-10T03:27:16.236502Z",
	"deleted_at": null,
	"sha1_hash": "fc52788c2716d7705d9986e01d221fba4e24f2a1",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46729,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:14:06 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SpoolFool\n Tool: SpoolFool\nNames SpoolFool\nCategory Exploits\nDescription\n(Palo Alto) n addition to using the Potato Suite mentioned above, the attackers also used\nanother local privilege escalation (LPE) proof of concept (PoC) published on GitHub called\nSpoolFool, as shown in Figure 2 above. This tool exploits CVE-2022-21999 (Windows Print\nSpooler Elevation of Privilege Vulnerability).\nInformation Last change to this tool card: 12 October 2023\nDownload this tool card in JSON format\nAll groups using tool SpoolFool\nChanged Name Country Observed\nAPT groups\n Gelsemium 2014-2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4a4b1383-1b5e-439f-8929-291e36cd9c58\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4a4b1383-1b5e-439f-8929-291e36cd9c58\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4a4b1383-1b5e-439f-8929-291e36cd9c58"
	],
	"report_names": [
		"listgroups.cgi?u=4a4b1383-1b5e-439f-8929-291e36cd9c58"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434410,
	"ts_updated_at": 1775791636,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc52788c2716d7705d9986e01d221fba4e24f2a1.pdf",
		"text": "https://archive.orkl.eu/fc52788c2716d7705d9986e01d221fba4e24f2a1.txt",
		"img": "https://archive.orkl.eu/fc52788c2716d7705d9986e01d221fba4e24f2a1.jpg"
	}
}