{
	"id": "5eb1a02f-8821-471e-aaba-5f25fc96274a",
	"created_at": "2026-04-06T00:07:15.979529Z",
	"updated_at": "2026-04-10T03:24:29.233048Z",
	"deleted_at": null,
	"sha1_hash": "124664e192a3d601b5b807d4080ccebf06d2bf4f",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31063,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 11:29:14 UTC\r\nDescription (Malwarebytes) Emotet is a Trojan that is primarily spread through spam emails (malspam). The\r\ninfection may arrive via a malicious script, macro-enabled document files, or a malicious link. Emotet emails\r\nmay contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click\r\nthe malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming\r\nshipment from well-known parcel companies.\r\nEmotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions\r\nevolved to use macro-enabled documents to retrieve the virus payload from command and control (C\u0026C) servers\r\nrun by the attackers.\r\nEmotet uses a number of tricks to try to prevent detection and analysis. Notably, Emotet knows if it’s running\r\ninside a virtual machine (VM) and will lie dormant if it detects a sandbox environment, which is a tool\r\ncybersecurity researchers use to observe malware within a safe, controlled space.\r\nEmotet also uses C\u0026C servers to receive updates. This works in the same way as the operating system updates on\r\nyour PC and can happen seamlessly and without any outward signs. This allows the attackers to install updated\r\nversions of the software, install additional malware such as other banking Trojans, or to act as a dumping ground\r\nfor stolen information such as financial credentials, usernames and passwords, and email addresses.\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d4a0a8b0-b19e-4558-8292-d39ce17933fa\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d4a0a8b0-b19e-4558-8292-d39ce17933fa\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d4a0a8b0-b19e-4558-8292-d39ce17933fa"
	],
	"report_names": [
		"listgroups.cgi?u=d4a0a8b0-b19e-4558-8292-d39ce17933fa"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434035,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/124664e192a3d601b5b807d4080ccebf06d2bf4f.pdf",
		"text": "https://archive.orkl.eu/124664e192a3d601b5b807d4080ccebf06d2bf4f.txt",
		"img": "https://archive.orkl.eu/124664e192a3d601b5b807d4080ccebf06d2bf4f.jpg"
	}
}