{
	"id": "f3d1b2ec-edb8-478f-bd66-023d2ba4cb8a",
	"created_at": "2026-04-06T00:06:13.027896Z",
	"updated_at": "2026-04-10T03:23:38.938754Z",
	"deleted_at": null,
	"sha1_hash": "17c13af9c66d263eeff32423609288ce6a63ab6a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43684,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:38:39 UTC\n APT group: Operation Spalax\nNames Operation Spalax (ESET)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2020\nDescription\n(ESET) In 2020 ESET saw several attacks targeting Colombian entities exclusively. These\nattacks are still ongoing at the time of writing and are focused on both government institutions\nand private companies. For the latter, the most targeted sectors are energy and metallurgical.\nThe attackers rely on the use of remote access trojans, most likely to spy on their victims. They\nhave a large network infrastructure for command and control: ESET observed at least 24\ndifferent IP addresses in use in the second half of 2020. These are probably compromised\ndevices that act as proxies for their C\u0026C servers. This, combined with the use of dynamic\nDNS services, means that their infrastructure never stays still. We have seen at least 70 domain\nnames active in this timeframe and they register new ones on a regular basis.\nObserved\nSectors: Energy, Government.\nCountries: Colombia.\nTools used AsyncRAT, njRAT, RemcosRAT.\nInformation\nLast change to this card: 20 January 2021\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c8512d7d-ea72-48c1-b7ed-a25735b9a094",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c8512d7d-ea72-48c1-b7ed-a25735b9a094"
	],
	"report_names": [
		"showcard.cgi?u=c8512d7d-ea72-48c1-b7ed-a25735b9a094"
	],
	"threat_actors": [
		{
			"id": "64d750e4-67db-4461-bae2-6e75bfced852",
			"created_at": "2022-10-25T16:07:24.01415Z",
			"updated_at": "2026-04-10T02:00:04.839502Z",
			"deleted_at": null,
			"main_name": "Operation Spalax",
			"aliases": [],
			"source_name": "ETDA:Operation Spalax",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"Jorik",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433973,
	"ts_updated_at": 1775791418,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17c13af9c66d263eeff32423609288ce6a63ab6a.pdf",
		"text": "https://archive.orkl.eu/17c13af9c66d263eeff32423609288ce6a63ab6a.txt",
		"img": "https://archive.orkl.eu/17c13af9c66d263eeff32423609288ce6a63ab6a.jpg"
	}
}