{
	"id": "efd2c7f5-acb3-42c7-982a-31e0564010aa",
	"created_at": "2026-04-06T00:07:10.182163Z",
	"updated_at": "2026-04-10T13:12:21.020384Z",
	"deleted_at": null,
	"sha1_hash": "0e6d2551bc259d15d8d2f35a918536cc8b729b20",
	"title": "Mummy Spider, TA542 - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104702,
	"plain_text": "Mummy Spider, TA542 - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 15:58:42 UTC\r\n Other threat group: Mummy Spider, TA542\r\nNames\r\nMummy Spider (CrowdStrike)\r\nTA542 (Proofpoint)\r\nATK 104 (Thales)\r\nMealybug (Symantec)\r\nGold Crestwood (SecureWorks)\r\nCountry [Unknown]\r\nMotivation Financial crime\r\nFirst seen 2014\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=64df4c69-c290-4579-b9de-ca5bdb786ec4\r\nPage 1 of 7\n\nDescription\n(Crowdstrike) Mummy Spider is a criminal entity linked to the core development of the\nmalware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware\nshared code with the Bugat (aka Feodo) banking Trojan. However, Mummy Spider swiftly\ndeveloped the malware’s capabilities to include an RSA key exchange for command and control\n(C2) communication and a modular architecture.\nMummy Spider does not follow typical criminal behavioral patterns. In particular, Mummy\nSpider usually conducts attacks for a few months before ceasing operations for a period of\nbetween three and 12 months, before returning with a new variant or version.\nAfter a 10 month hiatus, Mummy Spider returned Emotet to operation in December 2016 but\nthe latest variant is not deploying a banking Trojan module with web injects, it is currently\nacting as a ‘loader’ delivering other malware packages. The primary modules perform\nreconnaissance on victim machines, drop freeware tools for credential collection from web\nbrowsers and mail clients and a spam plugin for self-propagation. The malware is also issuing\ncommands to download and execute other malware families such as the banking Trojans Dridex\nand Qakbot.\nMummy Spider advertised Emotet on underground forums until 2015, at which time it became\nprivate. 
Therefore, it is highly likely that Emotet is operated solely for use by Mummy Spider or\nwith a small trusted group of customers.\nEmotet has been observed to distribute BokBot (Lunar Spider), Dridex (Indrik Spider),\nDoppelPaymer (Doppel Spider), Zeus Panda (Bamboo Spider, TA544) and Trickbot (Wizard\nSpider, Gold Blackburn), as well as QakBot (Mallard Spider).\nObserved\nSectors: Defense, Energy, Financial, Government, Healthcare, Manufacturing, Retail, Shipping\nand Logistics, Utilities, Technology.\nCountries: Worldwide.\nTools used Emotet.\nOperations performed\nAug 2017\nWhile the earlier variants of EMOTET primarily targeted the banking sector, our\nSmart Protection Network (SPN) data reveals that this time, the malware isn’t\nbeing picky about the industries it chooses to attack. The affected companies come\nfrom different industries, including manufacturing, food and beverage, and\nhealthcare. Again, it is possible that due to the nature of its distribution, EMOTET\nnow has a wider scope.\nOct 2018\nEmotet Awakens With New Campaign of Mass Email Exfiltration\nNov 2018 According to our telemetry, the latest Emotet activity was launched on November\n5, 2018, following a period of low activity. Figure 1 shows a spike in the Emotet\ndetection rate in the beginning of November 2018, as seen in our telemetry data.\nNov 2018\nSecret Service Investigates Breach at U.S. Govt IT Contractor\nJan 2019\nBetween January 1, 2019, to May 1, 2019, threat actors conducted thousands of\nmalicious email campaigns, hundreds of which were sent to Canadian\norganizations. 
While discussions of threats in this region often focus on “North\nAmerica” generally or just the United States, nearly 100 campaigns during this\nperiod were either specifically targeted at Canadian organizations or were\ncustomized for Canadian audiences.\nApr 2019\nBeginning the morning of April 9th, the Emotet gang began utilizing what appears\nto be the stolen emails of their victims. It was noted back in October of 2018 that a\nnew module was added that could steal the email content on a victim’s machine.\nSep 2019\nEmotet is back after a summer break\nDec 2019\nThe city of Frankfurt, Germany, became the latest victim of Emotet after an\ninfection forced it to close its IT network. But the financial center wasn’t the only\narea that was targeted by Emotet, as there were also incidents that occurred in\nGießen and Bad Homburg, a town and a city north of Frankfurt, respectively, as\nwell as in Freiburg, a city in southwest Germany.\nJan 2020\nThreat actor group TA542, the group that’s behind Emotet, is back from their\nChristmas holiday. Based on past activity and what we’re seeing in just three days,\none of the world’s most disruptive threats is back to work and everyone around the\nworld should take note and implement steps to protect themselves.\nJan 2020\nPretending to be the Permanent Mission of Norway, the Emotet operators\nperformed a targeted phishing attack against email addresses associated with users\nat the United Nations.\nJan 2020\nEMOTET Uses Corona Virus Outbreak in New Spam Campaign\nFeb 2020\nEmotet Evolves With new Wi-Fi Spreader\nFeb 2020\nEmotet SMiShing Uses Fake Bank Domains in Targeted Attacks, Payloads Hint at\nTrickBot Connection\nMar 2020\nEmotet Wi-Fi Spreader Upgraded\nJun 2020\nEmotet malware now steals your email attachments to attack contacts\nJul 2020\nIt was never a question of “if” but “when”. 
After five months of absence, the\ndreaded Emotet has returned. Following several false alarms over the last few\nweeks, a spam campaign was first spotted on July 13 showing signs of a likely\ncomeback.\nJul 2020\nResearchers tracking Emotet botnet noticed that the malware started to push\nQakBot banking trojan at an unusually high rate, replacing the longtime TrickBot\npayload.\nAug 2020\nEmotet malware strikes U.S. businesses with COVID-19 spam\nAug 2020\nEmotet strikes Quebec’s Department of Justice\nAug 2020\nSince August, CISA and MS-ISAC have seen a significant increase in malicious\ncyber actors targeting state and local governments with Emotet phishing emails.\nOct 2020\nOn October 1, 2020, we observed thousands of Emotet email messages with the\nsubject “Team Blue Take Action” sent to hundreds of organizations in the US. The\nmessage body is taken directly from a page on the Democratic National\nCommittee's website, with the addition of a line requesting that the recipient open\nthe attached document.\nOct 2020\nNew Emotet attacks use fake Windows Update lures\nDec 2020\nEmotet malware hits Lithuania's National Public Health Center\nNov 2021\nEmotet malware is back and rebuilding its botnet via TrickBot\nDec 2021\nEmotet now drops Cobalt Strike, fast forwards ransomware attacks\nJan 2022\nEmotet Spam Abuses Unconventional IP Address Formats to Spread Malware\nFeb 2022\nNew Emotet Infection Method\nMar 2022\nEmotet Targeting Japanese Organizations\nMar 2022\nEmotet Spoofs IRS in Tax Season-Themed Phishing Email Campaign\nApr 2022\nEmotet modules and recent attacks\nApr 2022\nEmotet botnet switches to 64-bit modules, increases activity\nApr 2022\nEmotet malware infects users again after fixing broken installer\nApr 2022\nEmotet Tests New Delivery Techniques\nApr 
2022\nEmotet malware now installs via PowerShell in Windows shortcut files\nJun 2022\nEmotet malware now steals credit cards from Google Chrome users\nJun 2022\nBack From the Dead, Emotet Returns in 2022\nNov 2022\nEmotet botnet starts blasting malware again after 4 month break\nCounter operations\nJul 2020\nA vigilante is sabotaging the Emotet botnet by replacing malware payloads with\nGIFs\nJan 2021\nWorld’s most dangerous malware EMOTET disrupted through global action\nJun 2024\nAuthorities Ramp Up Efforts to Capture the Mastermind Behind Emotet\nInformation\nLast change to this card: 19 June 2024\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=64df4c69-c290-4579-b9de-ca5bdb786ec4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=64df4c69-c290-4579-b9de-ca5bdb786ec4"
	],
	"report_names": [
		"showcard.cgi?u=64df4c69-c290-4579-b9de-ca5bdb786ec4"
	],
	"threat_actors": [
		{
			"id": "aa5b200f-a6c6-4d17-bc65-911d9a7bf4ef",
			"created_at": "2022-10-25T16:07:23.866039Z",
			"updated_at": "2026-04-10T02:00:04.765416Z",
			"deleted_at": null,
			"main_name": "Mallard Spider",
			"aliases": [
				"Gold Lagoon"
			],
			"source_name": "ETDA:Mallard Spider",
			"tools": [
				"Egregor",
				"Mimikatz",
				"Oakboat",
				"PinkSlip",
				"Pinkslipbot",
				"ProLock",
				"PwndLocker",
				"QakBot",
				"Qbot",
				"QuackBot",
				"QuakBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5cb8d20-b5b9-4ec6-9660-3dded9bd3c89",
			"created_at": "2023-01-06T13:46:39.204681Z",
			"updated_at": "2026-04-10T02:00:03.245695Z",
			"deleted_at": null,
			"main_name": "MALLARD SPIDER",
			"aliases": [
				"GOLD LAGOON"
			],
			"source_name": "MISPGALAXY:MALLARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "03a8107a-f669-41af-ba79-41b1cbdc4654",
			"created_at": "2023-01-06T13:46:39.228649Z",
			"updated_at": "2026-04-10T02:00:03.25247Z",
			"deleted_at": null,
			"main_name": "BAMBOO SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BAMBOO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087",
			"created_at": "2024-06-19T02:03:08.067518Z",
			"updated_at": "2026-04-10T02:00:03.671628Z",
			"deleted_at": null,
			"main_name": "GOLD HERON",
			"aliases": [
				"Doppel Spider "
			],
			"source_name": "Secureworks:GOLD HERON",
			"tools": [
				"Cobalt Strike",
				"DoppelPaymer",
				"Dridex",
				"Grief",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0d0e1ef-3562-40a8-a021-321db92644d9",
			"created_at": "2023-01-06T13:46:39.104046Z",
			"updated_at": "2026-04-10T02:00:03.2146Z",
			"deleted_at": null,
			"main_name": "DOPPEL SPIDER",
			"aliases": [
				"GOLD HERON"
			],
			"source_name": "MISPGALAXY:DOPPEL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d555c5da-abe4-42aa-a8cf-77b68905891a",
			"created_at": "2022-10-25T16:07:23.548385Z",
			"updated_at": "2026-04-10T02:00:04.65211Z",
			"deleted_at": null,
			"main_name": "Doppel Spider",
			"aliases": [
				"Gold Heron",
				"Grief Group"
			],
			"source_name": "ETDA:Doppel Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DoppelPaymer",
				"Pay OR Grief",
				"Pay or Grief",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434030,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e6d2551bc259d15d8d2f35a918536cc8b729b20.pdf",
		"text": "https://archive.orkl.eu/0e6d2551bc259d15d8d2f35a918536cc8b729b20.txt",
		"img": "https://archive.orkl.eu/0e6d2551bc259d15d8d2f35a918536cc8b729b20.jpg"
	}
}