{
	"id": "0b4b070d-cc86-4eb7-abd2-ae3f1faf1a5a",
	"created_at": "2026-04-06T15:53:48.583039Z",
	"updated_at": "2026-04-10T13:12:30.024857Z",
	"deleted_at": null,
	"sha1_hash": "30bcbc17a05774d9394078ebfc21435f7f0aaa0f",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50886,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 15:44:07 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool sLoad\n Tool: sLoad\nNames\nsLoad\nStarsLord\nCategory Malware\nType Reconnaissance, Backdoor, Banking trojan, Info stealer, Downloader\nDescription\n(Proofpoint) sLoad is also written in PowerShell. At the time of this writing, the latest version of\nsLoad was 5.07b, which we will analyze here. It includes noteworthy features such as:\n• Collection of information to report to the C\u0026C server that includes:\no A list of running process\no Presence of .ICA files on the system (likely Citrix-related)\no Whether an Outlook folder is present on the system\no Additional reconnaissance data\n• The ability to take screenshots\n• Checking the DNS cache for specific domains (e.g., targeted banks)\n• Loading external binaries\nInformation\nMalpedia Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool sLoad\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=02ef4587-9f94-4cfd-869a-7bebeb283516\nPage 1 of 2\n\nChanged Name Country Observed\r\nOther groups\r\n  TA554 [Unknown] 2017  \r\n1 group listed (0 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=02ef4587-9f94-4cfd-869a-7bebeb283516\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=02ef4587-9f94-4cfd-869a-7bebeb283516\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=02ef4587-9f94-4cfd-869a-7bebeb283516"
	],
	"report_names": [
		"listgroups.cgi?u=02ef4587-9f94-4cfd-869a-7bebeb283516"
	],
	"threat_actors": [
		{
			"id": "a3808e4f-c7fd-4d25-aa84-aacc27061826",
			"created_at": "2023-01-06T13:46:39.316216Z",
			"updated_at": "2026-04-10T02:00:03.285437Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "MISPGALAXY:TA554",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9be98f84-4a93-41c7-90bd-3ea66ba5bfd7",
			"created_at": "2022-10-25T16:07:24.581954Z",
			"updated_at": "2026-04-10T02:00:05.040995Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "ETDA:TA554",
			"tools": [
				"DarkVNC",
				"Godzilla",
				"Godzilla Loader",
				"Gootkit",
				"Gootloader",
				"Gozi ISFB",
				"ISFB",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Nimnul",
				"Pandemyia",
				"PsiX",
				"PsiXBot",
				"Ramnit",
				"StarsLord",
				"Waldek",
				"Xswkit",
				"sLoad",
				"talalpek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490828,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30bcbc17a05774d9394078ebfc21435f7f0aaa0f.pdf",
		"text": "https://archive.orkl.eu/30bcbc17a05774d9394078ebfc21435f7f0aaa0f.txt",
		"img": "https://archive.orkl.eu/30bcbc17a05774d9394078ebfc21435f7f0aaa0f.jpg"
	}
}