{
	"id": "52878cca-2249-4784-b6b0-5b7aea01da9a",
	"created_at": "2026-04-06T03:37:32.297066Z",
	"updated_at": "2026-04-10T03:36:11.15135Z",
	"deleted_at": null,
	"sha1_hash": "3c1756425f361cbe0c0910fb8b7c21f9ba5dfcd6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52446,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 02:58:23 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool TrickMo\n Tool: TrickMo\nNames TrickMo\nCategory Malware\nType Banking trojan, Loader\nDescription\n(IBM) IBM X-Force researchers analyzed an Android malware app that’s likely being\npushed to infected users by the TrickBot Trojan. This app, dubbed “TrickMo” by our\nteam, is designed to bypass second factor and strong authentication pushed to bank\ncustomers when they need to authorize a transaction.\nWhile it’s not the first of its kind, this Android malware app is more sophisticated than\nsimilar apps and possesses interesting features that enable its operators to steal\ntransaction authorization codes from victims who download the app.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 27 December 2024\nDownload this tool card in JSON format\nAll groups using tool TrickMo\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6bedcca0-561d-48a0-942f-bf68911e53d8\nPage 1 of 2\n\nAPT groups\r\n  Wizard Spider, Gold Blackburn 2014-May 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6bedcca0-561d-48a0-942f-bf68911e53d8\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6bedcca0-561d-48a0-942f-bf68911e53d8\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6bedcca0-561d-48a0-942f-bf68911e53d8"
	],
	"report_names": [
		"listgroups.cgi?u=6bedcca0-561d-48a0-942f-bf68911e53d8"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446652,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c1756425f361cbe0c0910fb8b7c21f9ba5dfcd6.pdf",
		"text": "https://archive.orkl.eu/3c1756425f361cbe0c0910fb8b7c21f9ba5dfcd6.txt",
		"img": "https://archive.orkl.eu/3c1756425f361cbe0c0910fb8b7c21f9ba5dfcd6.jpg"
	}
}