{
	"id": "43c3d515-6ca2-4279-984d-3246c84ea698",
	"created_at": "2026-04-06T01:29:15.420841Z",
	"updated_at": "2026-04-10T13:11:57.921172Z",
	"deleted_at": null,
	"sha1_hash": "19cec8293ecd336d3a7b15c1da1cc32ea1ed68b0",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48937,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:58:31 UTC\r\n Other threat group: Boson Spider\r\nNames Boson Spider (CrowdStrike)\r\nCountry [Unknown]\r\nMotivation Financial crime\r\nFirst seen 2015\r\nDescription\r\n(IBM) When it comes to discovering new malware, it is much more common for\r\nresearchers to run across information stealers, ransomware and remote-access tools\r\n(RATs) than it is to encounter brand new complex codes like banking Trojans or\r\ntargeted attack tools such as Duqu.\r\nNonetheless, it is the lesser breeds, like information stealers and RATs, that are a lot\r\nmore prolific in the wild. And while banking Trojans or targeted attacks are quite\r\nspecific in what they do, information stealers are by far less discriminatory and thus\r\nend up affecting a greater number of people and organizations.\r\nThat brings us to CoreBot, a new information stealer discovered and analyzed by\r\nIBM Security X-Force researchers, who indicate this is one malware piece to watch\r\nout for. CoreBot appears to be quite modular, which means that its structure and\r\ninternal makeup were programmed in a way that allows for the easy adding of new\r\ndata theft and endpoint control mechanisms.\r\nCoreBot was discovered while the researchers were studying the activity of malware\r\non Trusteer-protected enterprise endpoints. The malware’s compiled file was named\r\n“core” by its developer. Antivirus engines do not specify this malware’s name yet\r\nand detect it under generic names such as Dynamer!ac or Eldorado. 
But while\r\nCoreBot may appear artless at first glance, without real-time theft capabilities, it is\r\nmore interesting on the inside.\r\nCoreBot has been observed to be distributed by DanaBot (operated by Scully Spider,\r\nTA547).\r\nObserved\r\nSectors: Financial.\r\nCountries: Australia, Canada, Japan, UK, USA and Europe.\r\nTools used CoreBot.\nOperations performed Nov 2017\nSpotted by researchers at Deep Instinct, a new version of CoreBot is\nbeing distributed in spam email campaigns with the intention of\nstealing information from customers of Canadian banking websites.\nCustomers of TD, Des-Jardins, RBC, Scotia Bank, Banque National\nare all targeted by those behind the campaign, with successful\nexecution of the malware allowing the attackers to steal the\ncredentials of infected users as they log in to these sites.\nInformation\nLast change to this card: 15 April 2020\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=165f23ac-4e69-433d-bc3a-5e8acd384c16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=165f23ac-4e69-433d-bc3a-5e8acd384c16"
	],
	"report_names": [
		"showcard.cgi?u=165f23ac-4e69-433d-bc3a-5e8acd384c16"
	],
	"threat_actors": [
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ab35254c-b3f8-4b45-9413-01591ba7b5f4",
			"created_at": "2023-01-06T13:46:39.231425Z",
			"updated_at": "2026-04-10T02:00:03.253352Z",
			"deleted_at": null,
			"main_name": "BOSON SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BOSON SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a95ead6e-d506-4929-a0dd-1a7afb19b84e",
			"created_at": "2022-10-25T16:07:24.461901Z",
			"updated_at": "2026-04-10T02:00:04.999569Z",
			"deleted_at": null,
			"main_name": "Boson Spider",
			"aliases": [],
			"source_name": "ETDA:Boson Spider",
			"tools": [
				"CoreBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3070c7b-c1e8-462c-94f1-62a0d2bdbc67",
			"created_at": "2023-01-06T13:46:39.116254Z",
			"updated_at": "2026-04-10T02:00:03.218594Z",
			"deleted_at": null,
			"main_name": "SCULLY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SCULLY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438955,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19cec8293ecd336d3a7b15c1da1cc32ea1ed68b0.pdf",
		"text": "https://archive.orkl.eu/19cec8293ecd336d3a7b15c1da1cc32ea1ed68b0.txt",
		"img": "https://archive.orkl.eu/19cec8293ecd336d3a7b15c1da1cc32ea1ed68b0.jpg"
	}
}