{ "id": "a69c27b5-6f28-4abb-8bba-744bd42cb021", "created_at": "2026-04-06T00:21:32.885926Z", "updated_at": "2026-04-10T13:12:17.190589Z", "deleted_at": null, "sha1_hash": "1a5b03aea72f75b22458c4f01d7f931aa8dbf529", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 59548, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:13:25 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Dridex\n Tool: Dridex\nNames\nDridex\nBugat v5\nCategory Malware\nType Banking trojan, Credential stealer, Worm\nDescription\nOxCERT blog describes Dridex as 'an evasive, information-stealing malware variant; its goal is to acquire as many\ncredentials as possible and return them via an encrypted tunnel to a Command-and-Control (C\u0026C) server. These C\u0026\nservers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. F\nreason, network-based measures such as blocking the C\u0026C IPs is effective only in the short-term.'\nAccording to MalwareBytes, 'Dridex uses an older tactic of infection by attaching a Word document that utilizes ma\ninstall malware. However, once new versions of Microsoft Office came out and users generally updated, such a thre\nsubsided because it was no longer simple to infect a user with this method.'\nIBM X-Force discovered 'a new version of the Dridex banking Trojan that takes advantage of a code injection techn\ncalled AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tab\nalmost all versions of Windows uses to store certain application data. It is a variation of typical code injection attack\ntake advantage of input validation errors to insert and to execute malicious code in a legitimate process or applicatio\nDridex v4 is the first malware that uses the AtomBombing process to try and infect systems.'\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 15 February 2023\nDownload this tool card in JSON format\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=be7578fe-e99f-4c53-bac4-db27ddbe2d2b\nPage 1 of 2\n\nAll groups using tool Dridex\r\nChanged Name Country Observed\r\nAPT groups\r\n  Indrik Spider 2007-Oct 2024\r\n  TA505, Graceful Spider, Gold Evergreen 2006-Nov 2022\r\n  TA530 [Unknown] 2016-Nov 2016  \r\n3 groups listed (3 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=be7578fe-e99f-4c53-bac4-db27ddbe2d2b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=be7578fe-e99f-4c53-bac4-db27ddbe2d2b\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=be7578fe-e99f-4c53-bac4-db27ddbe2d2b" ], "report_names": [ "listgroups.cgi?u=be7578fe-e99f-4c53-bac4-db27ddbe2d2b" ], "threat_actors": [ { "id": "f8fd6c94-f1bf-43b8-8613-edc46ca097ee", "created_at": "2022-10-25T16:07:24.285532Z", "updated_at": "2026-04-10T02:00:04.922819Z", "deleted_at": null, "main_name": "TA530", "aliases": [], "source_name": "ETDA:TA530", "tools": [ "AbaddonPOS", "August Stealer", "Bugat v5", "CryptoWall", "Dofoil", "Dridex", "Gozi ISFB", "H1N1", "H1N1 Loader", "ISFB", "Nymaim", "Pandemyia", "Sharik", "Smoke Loader", "SmokeLoader", "SpY-Agent", "TVRAT", "TVSpy", "TeamSpy", "TeamViewerENT", "TinyLoader", "nymain" ], "source_id": "ETDA", "reports": null }, { "id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5", "created_at": "2022-10-25T16:47:55.740817Z", "updated_at": "2026-04-10T02:00:03.678203Z", "deleted_at": null, "main_name": "GOLD EVERGREEN", "aliases": [ "The Business Club" ], "source_name": "Secureworks:GOLD EVERGREEN", "tools": [ "CryptoLocker", "JabberZeus", "Pony", "Zeus" ], "source_id": "Secureworks", "reports": null }, { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "8ada819f-dec0-4de4-97eb-0a8aff899c56", "created_at": "2023-01-06T13:46:39.225531Z", "updated_at": "2026-04-10T02:00:03.251546Z", "deleted_at": null, "main_name": "GOLD EVERGREEN", "aliases": [], "source_name": "MISPGALAXY:GOLD EVERGREEN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9", "created_at": "2023-01-06T13:46:38.839083Z", "updated_at": "2026-04-10T02:00:03.117987Z", "deleted_at": null, "main_name": "INDRIK SPIDER", "aliases": [ "Manatee Tempest" ], "source_name": "MISPGALAXY:INDRIK SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59", "created_at": "2024-06-19T02:03:08.128175Z", "updated_at": "2026-04-10T02:00:03.636663Z", "deleted_at": null, "main_name": "GOLD TAHOE", "aliases": [ "Cl0P Group Identity", "FIN11 ", "GRACEFUL SPIDER ", "SectorJ04 ", "Spandex Tempest ", "TA505 " ], "source_name": "Secureworks:GOLD TAHOE", "tools": [ "Clop", "Cobalt Strike", "FlawedAmmy", "Get2", "GraceWire", "Malichus", "SDBbot", "ServHelper", "TrueBot" ], "source_id": "Secureworks", "reports": null }, { "id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4", "created_at": "2022-10-25T15:50:23.5188Z", "updated_at": "2026-04-10T02:00:05.26565Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "TA505", "Hive0065", "Spandex Tempest", "CHIMBORAZO" ], "source_name": "MITRE:TA505", "tools": [ "AdFind", "Azorult", "FlawedAmmyy", "Mimikatz", "Dridex", "TrickBot", "Get2", "FlawedGrace", "Cobalt Strike", "ServHelper", "Amadey", "SDBbot", "PowerSploit" ], "source_id": "MITRE", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null }, { "id": "af77521e-c35f-4030-a95d-bcd1eaeeaac1", "created_at": "2023-01-06T13:46:38.476089Z", "updated_at": "2026-04-10T02:00:02.990237Z", "deleted_at": null, "main_name": "TA530", "aliases": [], "source_name": "MISPGALAXY:TA530", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3", "created_at": "2023-01-06T13:46:38.860754Z", "updated_at": "2026-04-10T02:00:03.125179Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "SectorJ04", "SectorJ04 Group", "ATK103", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "Hive0065", "CHIMBORAZO", "Spandex Tempest" ], "source_name": "MISPGALAXY:TA505", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e447d393-c259-46e2-9932-19be2ba67149", "created_at": "2022-10-25T16:07:24.28282Z", "updated_at": "2026-04-10T02:00:04.921616Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "ATK 103", "Chimborazo", "G0092", "Gold Evergreen", "Gold Tahoe", "Graceful Spider", "Hive0065", "Operation Tovar", "Operation Trident Breach", "SectorJ04", "Spandex Tempest", "TA505", "TEMP.Warlock" ], "source_name": "ETDA:TA505", "tools": [ "Amadey", "AmmyyRAT", "AndroMut", "Azer", "Bart", "Bugat v5", "CryptFile2", "CryptoLocker", "CryptoMix", "CryptoShield", "Dridex", "Dudear", "EmailStealer", "FRIENDSPEAK", "Fake Globe", "Fareit", "FlawedAmmyy", "FlawedGrace", "FlowerPippi", "GOZ", "GameOver Zeus", "GazGolder", "Gelup", "Get2", "GetandGo", "GlobeImposter", "Gorhax", "GraceWire", "Gussdoor", "Jaff", "Kasidet", "Kegotip", "Kneber", "LOLBAS", "LOLBins", "Living off the Land", "Locky", "MINEBRIDGE", "MINEBRIDGE RAT", "MirrorBlast", "Neutrino Bot", "Neutrino Exploit Kit", "P2P Zeus", "Peer-to-Peer Zeus", "Philadelphia", "Philadephia Ransom", "Pony Loader", "Rakhni", "ReflectiveGnome", "Remote Manipulator System", "RockLoader", "RuRAT", "SDBbot", "ServHelper", "Shifu", "Siplog", "TeslaGun", "TiniMet", "TinyMet", "Trojan.Zbot", "Wsnpoem", "Zbot", "Zeta", "ZeuS", "Zeus" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434892, "ts_updated_at": 1775826737, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1a5b03aea72f75b22458c4f01d7f931aa8dbf529.pdf", "text": "https://archive.orkl.eu/1a5b03aea72f75b22458c4f01d7f931aa8dbf529.txt", "img": "https://archive.orkl.eu/1a5b03aea72f75b22458c4f01d7f931aa8dbf529.jpg" } }