{
	"id": "5f100208-cd70-4456-9e10-d35f362153c6",
	"created_at": "2026-04-06T00:07:22.831125Z",
	"updated_at": "2026-04-10T03:30:10.297565Z",
	"deleted_at": null,
	"sha1_hash": "38e374b4ab64463e7266fd10e24f63aa49c6c04b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45985,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:02:50 UTC\nAPT group: OldGremlin\nNames: OldGremlin (Group-IB)\nCountry: Russia\nMotivation: Financial crime, Financial gain\nFirst seen: 2020\nDescription\n(Group-IB) Group-IB Threat Intelligence team recently tracked a successful attack\nconducted on a Russian medical company by OldGremlin, a new criminal group.\nThe threat actor encrypted the company's entire corporate network and demanded a\n$50,000 ransom. It is common knowledge that Russian hackers have an unspoken\nrule about not working within Russia and post-Soviet countries. Yet OldGremlin,\nmade up of Russian speakers, is actively attacking Russian companies: banks,\nindustrial enterprises, medical organizations, software developers… According to\nGroup-IB expert estimations, since the spring, OldGremlin has conducted at least\nseven phishing campaigns. The hackers have impersonated the self-regulatory\norganization Mikrofinansirovaniye i Razvitiye (SRO MiR); a Russian metallurgical\nholding company; the Belarusian plant Minsk Tractor Works; a dental clinic; and the\nmedia holding company RBC.\nObserved\nSectors: Financial, Healthcare, Media.\nCountries: Russia.\nTools used: Cobalt Strike, TinyCryptor, TinyNode, TinyPosh.\nOperations performed:\nFeb 2021: Old Gremlins, new methods\nInformation\nLast change to this card: 18 November 2022\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a44f6f3b-1fa2-41e1-8c75-71de568db6e4\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=a44f6f3b-1fa2-41e1-8c75-71de568db6e4\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a44f6f3b-1fa2-41e1-8c75-71de568db6e4"
	],
	"report_names": [
		"showcard.cgi?u=a44f6f3b-1fa2-41e1-8c75-71de568db6e4"
	],
	"threat_actors": [
		{
			"id": "a060d952-fc4b-44df-bd0e-ee3606e79f83",
			"created_at": "2022-10-25T16:07:23.920646Z",
			"updated_at": "2026-04-10T02:00:04.790469Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "ETDA:OldGremlin",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"TinyCryptor",
				"TinyNode",
				"TinyPosh",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e35c1877-f6a5-4e47-8464-ddc943e3b320",
			"created_at": "2023-11-21T02:00:07.390198Z",
			"updated_at": "2026-04-10T02:00:03.476348Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "MISPGALAXY:OldGremlin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434042,
	"ts_updated_at": 1775791810,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38e374b4ab64463e7266fd10e24f63aa49c6c04b.pdf",
		"text": "https://archive.orkl.eu/38e374b4ab64463e7266fd10e24f63aa49c6c04b.txt",
		"img": "https://archive.orkl.eu/38e374b4ab64463e7266fd10e24f63aa49c6c04b.jpg"
	}
}