{
	"id": "282693eb-5725-49fc-9ef8-39f27c5f3719",
	"created_at": "2026-04-06T00:17:01.736736Z",
	"updated_at": "2026-04-10T03:20:55.171142Z",
	"deleted_at": null,
	"sha1_hash": "1d36056b6123d27b8ff60f7f7c765d3444530780",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51564,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:20:29 UTC\r\nTool: XPCTRA\r\nNames\r\nXPCTRA\r\nExpectra\r\nCategory Malware\r\nType Banking trojan, Backdoor, Info stealer, Credential stealer\r\nDescription\r\n(SANS)\r\n• The infection vector (malspam) links to a supposed PDF invoice, which actually leads the victim to download an executable file (dropper);\r\n• Once executed, the dropper downloads a “.zip” file, unzips and executes the malware payload;\r\n• It then begins a series of actions, including:\r\no Persists itself into the OS, in order to survive system reboot;\r\no Changes Firewall policies to allow the malware to communicate unrestrictedly with the Internet;\r\no Instantiates “Fiddler”, an HTTP Proxy that is used to monitor and intercept user access to the financial institution;\r\no Installs the Fiddler root certificate to prevent the user from receiving digital certificate errors;\r\no Points Internet Browsers settings to the local proxy (Fiddler);\r\no Monitors and captures user credentials while accessing the websites of 2 major Brazilian banks and other financial institutions;\r\no Stolen credentials are sent to criminals through an unencrypted C\u0026C channel;\r\no Establishes an encrypted channel to allow the victim’s system to be controlled by the attackers (RAT);\r\no Monitors and captures user credentials while accessing email services like Microsoft Live, Terra, IG and Hotmail. These accesses are used to spread the malware further;\r\nAfter posting EngineBox malware analysis last month, through community feedback, I came to know that the threat embedded a framework called QuasarRAT developed in C#. The goal of this framework is to provide a tool for remote access and management of Windows computers— hence the name, RAT (Remote Access Tool).\r\nInformation \u003chttps://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/2\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:xpctra\u003e\r\nLast change to this tool card: 24 May 2020\r\nAll groups using tool XPCTRA\r\nChanged Name Country Observed\r\nUnknown groups\r\n_[ Interesting malware not linked to an actor yet ]_\r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3d13907b-bc97-4f76-aa99-7bb35a217159",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3d13907b-bc97-4f76-aa99-7bb35a217159"
	],
	"report_names": [
		"listgroups.cgi?u=3d13907b-bc97-4f76-aa99-7bb35a217159"
	],
	"threat_actors": [],
	"ts_created_at": 1775434621,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d36056b6123d27b8ff60f7f7c765d3444530780.pdf",
		"text": "https://archive.orkl.eu/1d36056b6123d27b8ff60f7f7c765d3444530780.txt",
		"img": "https://archive.orkl.eu/1d36056b6123d27b8ff60f7f7c765d3444530780.jpg"
	}
}
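The behaviour chain in the card's Description (browser settings pointed at a local Fiddler proxy, the Fiddler root certificate trusted, firewall policy opened for the payload) maps onto a host triage check. The Python below is an added example written for this page; it is not code from the ETDA card, from the SANS diary it quotes, or from the XPCTRA malware. It evaluates a constructed host snapshot so it runs offline. Two things in it are assumptions, not facts from the card: the root certificate name `DO_NOT_TRUST_FiddlerRoot` is taken from Fiddler's defaults, and the "outbound allow rule for a binary under a user profile" heuristic is this example's own.

```python
"""Triage check for the interception chain described on the XPCTRA card.

Added example for this page; not code from the ETDA card, from the SANS
diary it quotes, or from the malware itself. It evaluates a constructed
host snapshot (WinINET proxy setting, trusted root CA subjects, outbound
firewall rules) so it runs offline. On a live Windows host the same three
fields would come from the Internet Settings registry key, the
LocalMachine Root certificate store and the firewall rule set.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# ASSUMPTION: default CN of the root CA Fiddler generates. Taken from
# Fiddler's defaults, not from the card, which only says "Fiddler root
# certificate".
FIDDLER_ROOT_MARKER = "DO_NOT_TRUST_FiddlerRoot"

# Heuristic of this example: an outbound allow-any rule for a binary under
# a user profile is worth a look (the card says the payload opens the
# firewall for itself but names no path).
USER_WRITABLE_PREFIX = "c:\\users\\"


@dataclass
class HostSnapshot:
    proxy_enable: int            # Internet Settings\ProxyEnable (0/1)
    proxy_server: str            # Internet Settings\ProxyServer
    trusted_roots: list[str]     # subject CNs present in the Root store
    firewall_rules: list[dict]   # {"dir", "action", "remoteip", "program"}


def parse_proxy_server(value: str) -> dict[str, tuple[str, int]]:
    """Parse a WinINET ProxyServer string into {scheme: (host, port)}.

    WinINET accepts either one "host:port" used for every scheme (keyed
    here as "*") or ";"-separated "scheme=host:port" entries.
    """
    out = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:                       # bare host:port, no scheme prefix
            scheme, hostport = "*", scheme
        host, sep, port = hostport.rpartition(":")
        if not sep or not port.isdigit():
            continue                      # malformed entry: skip, do not guess
        out[scheme.lower()] = (host.strip("[]"), int(port))
    return out


def is_loopback(host: str) -> bool:
    """True for localhost or any IPv4/IPv6 loopback literal."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                    # a hostname, not an IP literal
        return False


def assess(snap: HostSnapshot) -> dict[str, list[str]]:
    """Collect the three indicators the card's description implies."""
    findings = {"loopback_proxy": [], "fiddler_root": [], "permissive_firewall": []}
    if snap.proxy_enable == 1:
        for scheme, (host, port) in parse_proxy_server(snap.proxy_server).items():
            if is_loopback(host):
                findings["loopback_proxy"].append(f"{scheme} -> {host}:{port}")
    for subject in snap.trusted_roots:
        if FIDDLER_ROOT_MARKER.lower() in subject.lower():
            findings["fiddler_root"].append(subject)
    for rule in snap.firewall_rules:
        if (rule.get("dir") == "out" and rule.get("action") == "allow"
                and rule.get("remoteip", "any") == "any"
                and rule.get("program", "").lower().startswith(USER_WRITABLE_PREFIX)):
            findings["permissive_firewall"].append(rule["program"])
    return findings


def verdict(snap: HostSnapshot) -> str:
    """A loopback proxy alone is how developers debug; the proxy together
    with a trusted Fiddler root on an ordinary user's box is the card's pattern."""
    f = assess(snap)
    if f["loopback_proxy"] and f["fiddler_root"]:
        return "likely local-proxy interception"
    if any(f.values()):
        return "partial indicators, review manually"
    return "no indicators"


# Constructed sample snapshots, not real forensic data.
SUSPECT = HostSnapshot(
    proxy_enable=1,
    proxy_server="http=127.0.0.1:8888;https=127.0.0.1:8888",
    trusted_roots=["DigiCert Global Root G2", "DO_NOT_TRUST_FiddlerRoot"],
    firewall_rules=[{"dir": "out", "action": "allow", "remoteip": "any",
                     "program": r"C:\Users\victim\AppData\Roaming\svc.exe"}],
)
CLEAN = HostSnapshot(proxy_enable=0, proxy_server="",
                     trusted_roots=["DigiCert Global Root G2"], firewall_rules=[])

if __name__ == "__main__":
    for name, snap in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(name, verdict(snap), assess(snap))
```

The verdict deliberately requires both the loopback proxy and the trusted Fiddler root before calling the pattern likely: either one alone is common on developer machines, and the card's point is the combination used against a user who does not expect a local proxy.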