{
	"id": "c5f8901d-3746-4c9d-8816-186dd4aee3d0",
	"created_at": "2026-04-06T00:18:27.241272Z",
	"updated_at": "2026-04-10T13:13:09.171356Z",
	"deleted_at": null,
	"sha1_hash": "186574784e4f3994c5924df96fe68e23dcf4bc54",
	"title": "GameOver Zeus - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56213,
	"plain_text": "GameOver Zeus - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 16:10:34 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GameOver Zeus\n Tool: GameOver Zeus\nNames\nGameOver Zeus\nPeer-to-Peer Zeus\nP2P Zeus\nGOZ\nCategory Malware\nType Banking trojan, Info stealer, Credential stealer, Downloader, Botnet\nDescription\n(US-CERT) GOZ, which is often propagated through spam and phishing messages, is\nprimarily used by cybercriminals to harvest banking information, such as login\ncredentials, from a victim’s computer. Infected systems can also be used to engage in\nother malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks.\nPrior variants of the Zeus malware utilized a centralized command and control (C2)\nbotnet infrastructure to execute commands. Centralized C2 servers are routinely tracked\nand blocked by the security community. GOZ, however, utilizes a P2P network of\ninfected hosts to communicate and distribute data, and employs encryption to evade\ndetection. These peers act as a massive proxy network that is used to propagate binary\nupdates, distribute configuration files, and to send stolen data. Without a single point of\nfailure, the resiliency of GOZ’s P2P infrastructure makes takedown efforts more\ndifficult.\nInformation https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f120d94b-15cc-4290-b899-724a4f1c2af4\nPage 1 of 2\n\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 24 April 2021\nDownload this tool card in JSON format\nAll groups using tool GameOver Zeus\nChanged Name Country Observed\nAPT groups\n TA505, Graceful Spider, Gold Evergreen 2006-Nov 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f120d94b-15cc-4290-b899-724a4f1c2af4\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f120d94b-15cc-4290-b899-724a4f1c2af4\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f120d94b-15cc-4290-b899-724a4f1c2af4"
	],
	"report_names": [
		"listgroups.cgi?u=f120d94b-15cc-4290-b899-724a4f1c2af4"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8ada819f-dec0-4de4-97eb-0a8aff899c56",
			"created_at": "2023-01-06T13:46:39.225531Z",
			"updated_at": "2026-04-10T02:00:03.251546Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD EVERGREEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434707,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/186574784e4f3994c5924df96fe68e23dcf4bc54.pdf",
		"text": "https://archive.orkl.eu/186574784e4f3994c5924df96fe68e23dcf4bc54.txt",
		"img": "https://archive.orkl.eu/186574784e4f3994c5924df96fe68e23dcf4bc54.jpg"
	}
}