{
	"id": "901ac0b4-e699-4866-82d1-89e38cbd967c",
	"created_at": "2026-04-06T00:07:38.454517Z",
	"updated_at": "2026-04-10T03:37:26.697507Z",
	"deleted_at": null,
	"sha1_hash": "3eb68e78992942078a5b2a451bc41cd2291b6a1d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48986,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:55:43 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GozNym\nTool: GozNym\nNames GozNym\nCategory Malware\nType Banking trojan, Info stealer\nDescription\n(IBM) IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and\nGozi ISFB malware. It appears that the operators of Nymaim have recompiled its source\ncode with part of the Gozi ISFB source code, creating a combination that is being actively\nused in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars\nso far. X-Force named this new hybrid GozNym.\nThe new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to\ncreate a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth\nand persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate\nfraud via infected Internet browsers. The end result is a new banking Trojan in the wild.\nInternally, GozNym works like a double-headed beast, where the two codes rely on one\nanother to carry out the malware’s internal operations.\nInformation\nAlienVault OTX\nLast change to this tool card: 23 May 2020\nDownload this tool card in JSON format\nAll groups using tool GozNym\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b541fb26-a782-4ede-863d-ce712c808411\nPage 1 of 2\n\nOther groups\n  Bamboo Spider, TA544 [Unknown] 2016-Apr 2022\n1 group listed (0 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b541fb26-a782-4ede-863d-ce712c808411\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b541fb26-a782-4ede-863d-ce712c808411\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b541fb26-a782-4ede-863d-ce712c808411"
	],
	"report_names": [
		"listgroups.cgi?u=b541fb26-a782-4ede-863d-ce712c808411"
	],
	"threat_actors": [
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a8107a-f669-41af-ba79-41b1cbdc4654",
			"created_at": "2023-01-06T13:46:39.228649Z",
			"updated_at": "2026-04-10T02:00:03.25247Z",
			"deleted_at": null,
			"main_name": "BAMBOO SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BAMBOO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3eb68e78992942078a5b2a451bc41cd2291b6a1d.pdf",
		"text": "https://archive.orkl.eu/3eb68e78992942078a5b2a451bc41cd2291b6a1d.txt",
		"img": "https://archive.orkl.eu/3eb68e78992942078a5b2a451bc41cd2291b6a1d.jpg"
	}
}