{ "id": "56d1aa74-e4f4-4e5c-9534-970c5b00396a", "created_at": "2026-04-06T00:22:04.59122Z", "updated_at": "2026-04-10T03:33:22.479013Z", "deleted_at": null, "sha1_hash": "27dfd46ffedbfd623e0632ba3f2bc32132354130", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52132, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:02:25 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Citadel\n Tool: Citadel\nNames Citadel\nCategory Malware\nType Banking trojan, POS malware, Info stealer, Credential stealer\nDescription\n(Malwarebytes) Citadel is an offspring of the (too) popular Zeus crimekit whose main\ngoal is to steal banking credentials by capturing keystrokes and taking screenshots/videos\nof victims’ computers. Citadel came out circa January 2012 in the online forums and\nquickly became a popular choice for criminals. A version of Citadel (1.3.4.5) was leaked\nin late October and although it is not the latest (1.3.5.1), it gives us a good insight into\nwhat tools the bad guys are using to make money.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 25 May 2020\nDownload this tool card in JSON format\nAll groups using tool Citadel\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e9130ea-d66e-4ea8-b950-2a7dae68f51b\nPage 1 of 2\n\nAPT groups\r\n  MoneyTaker 2016  \r\nOther groups\r\n  Retefe Gang, Operation Emmental 2013  \r\n2 groups listed (1 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e9130ea-d66e-4ea8-b950-2a7dae68f51b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e9130ea-d66e-4ea8-b950-2a7dae68f51b\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e9130ea-d66e-4ea8-b950-2a7dae68f51b" ], "report_names": [ "listgroups.cgi?u=7e9130ea-d66e-4ea8-b950-2a7dae68f51b" ], "threat_actors": [ { "id": "746214d4-5d48-4644-b763-8e9a9c549c04", "created_at": "2022-10-25T16:07:23.878029Z", "updated_at": "2026-04-10T02:00:04.769032Z", "deleted_at": null, "main_name": "MoneyTaker", "aliases": [], "source_name": "ETDA:MoneyTaker", "tools": [ "Kronos", "Metasploit", "MoneyTaker", "Screenshotter" ], "source_id": "ETDA", "reports": null }, { "id": "c6722d56-e5e7-4c5c-a5be-b7e01d4281b0", "created_at": "2022-10-25T16:07:24.542981Z", "updated_at": "2026-04-10T02:00:05.028606Z", "deleted_at": null, "main_name": "Retefe Gang", "aliases": [ "Operation Emmental", "Retefe Gang" ], "source_name": "ETDA:Retefe Gang", "tools": [ "Dok", "Illi", "Retefe", "Retefe (Android)", "Tina", "Tinba", "Tiny Banker", "TinyBanker", "Tsukuba", "Werdlod", "Zusy" ], "source_id": "ETDA", "reports": null }, { "id": "e5364c16-eb97-467e-a8c2-a720269498c1", "created_at": "2023-01-06T13:46:38.733469Z", "updated_at": "2026-04-10T02:00:03.082343Z", "deleted_at": null, "main_name": "MoneyTaker", "aliases": [], "source_name": "MISPGALAXY:MoneyTaker", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a8fba3fa-62bf-4fdb-92bb-29aa6375b92d", "created_at": "2024-02-08T02:00:04.329621Z", "updated_at": "2026-04-10T02:00:03.585503Z", "deleted_at": null, "main_name": "Operation Emmental", "aliases": [ "Retefe Gang", "Retefe Group" ], "source_name": "MISPGALAXY:Operation Emmental", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434924, "ts_updated_at": 1775792002, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/27dfd46ffedbfd623e0632ba3f2bc32132354130.pdf", "text": "https://archive.orkl.eu/27dfd46ffedbfd623e0632ba3f2bc32132354130.txt", "img": "https://archive.orkl.eu/27dfd46ffedbfd623e0632ba3f2bc32132354130.jpg" } }