{
	"id": "33ac6797-9252-4247-b551-641b09340fdb",
	"created_at": "2026-04-06T00:17:23.998016Z",
	"updated_at": "2026-04-10T03:21:34.188224Z",
	"deleted_at": null,
	"sha1_hash": "00e2f794209c36509b939ea8bd3b706dc4d1fa23",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48016,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:33:38 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Soraya\n Tool: Soraya\nNames Soraya\nCategory Malware\nType POS malware, Reconnaissance, Credential stealer\nDescription\n(Trend Micro) Soraya is a Dexter-and-Zeus-inspired PoS RAM scraper variant first discovered\nin June 2014. It is custom-packed to obfuscate its code and to make it difficult for security\nresearchers to reverse-engineer its binary. When first executed, Soraya injects its code into\nseveral running processes. It borrowed tricks from ZeuS and hooks the NtResumeThread API,\nwhich is called by Windows to execute new processes. It then injects its code into all newly\ncreated processes. It also copies itself to the %APPDATA% directory and adds itself to an\nAuto Start runkey to remain persistent.\nInformation\nMalpedia Last change to this tool card: 25 May 2020\nDownload this tool card in JSON format\nAll groups using tool Soraya\nChanged Name Country Observed\nUnknown groups\n _[ Interesting malware not linked to an actor yet ]_\n1 group listed (0 APT, 0 other, 1 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=223cafbc-5cf7-4767-aef1-d4033e5b661b\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=223cafbc-5cf7-4767-aef1-d4033e5b661b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=223cafbc-5cf7-4767-aef1-d4033e5b661b\r\nPage 2 of 2\n\nUnknown groups _[ Interesting malware not linked to an actor yet ]_\n1 group listed (0 APT, 0 other, 1 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=223cafbc-5cf7-4767-aef1-d4033e5b661b"
	],
	"report_names": [
		"listgroups.cgi?u=223cafbc-5cf7-4767-aef1-d4033e5b661b"
	],
	"threat_actors": [],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00e2f794209c36509b939ea8bd3b706dc4d1fa23.pdf",
		"text": "https://archive.orkl.eu/00e2f794209c36509b939ea8bd3b706dc4d1fa23.txt",
		"img": "https://archive.orkl.eu/00e2f794209c36509b939ea8bd3b706dc4d1fa23.jpg"
	}
}