{ "id": "b4d78b0e-91ac-437d-a015-57945cbf313a", "created_at": "2026-04-06T00:07:40.10074Z", "updated_at": "2026-04-10T13:11:20.98409Z", "deleted_at": null, "sha1_hash": "4094527097cd34d106df828da665e7095337c6a4", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54630, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:49:34 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Gozi\n Tool: Gozi\nNames\nGozi\nCRM\nGozi CRM\nPapras\nUrsnif\nSnifula\nCategory Malware\nType Banking trojan, Credential stealer\nDescription\n(SecureWorks) A single attack by a single variant compromises more than 5200 hosts and\n10,000 user accounts on hundreds of sites.\n• Steals SSL data using advanced Winsock2 functionality\n• State-of-the-art, modularized trojan code\n• Spread through IE browser exploits\n• Undetected for weeks, months by many AV vendors\n• Customized server/database code to collect sensitive data\n• Customer interface for on-line purchases of stolen data\n• Accounts compromised by stealing data primarily from infected home PCs\n• Accounts at top financial, retail, health care, and government services affected\n• Data's black market value at least $2 million\nInformation https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f8740da3-1d35-498a-a026-74ce0c034f6d\nPage 1 of 2\n\nMalpedia AlienVault OTX Last change to this tool card: 06 September 2023\nDownload this tool card in JSON format\nAll groups using tool Gozi\nChanged Name Country Observed\nOther groups\n TA551, Shathak 2016-Jan 2021\nUnknown groups\n _[ Interesting malware not linked to an actor yet ]_\n2 groups listed (0 APT, 1 other, 1 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f8740da3-1d35-498a-a026-74ce0c034f6d\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f8740da3-1d35-498a-a026-74ce0c034f6d\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f8740da3-1d35-498a-a026-74ce0c034f6d" ], "report_names": [ "listgroups.cgi?u=f8740da3-1d35-498a-a026-74ce0c034f6d" ], "threat_actors": [ { "id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f", "created_at": "2022-10-25T15:50:23.579601Z", "updated_at": "2026-04-10T02:00:05.360509Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "TA551", "GOLD CABIN", "Shathak" ], "source_name": "MITRE:TA551", "tools": [ "QakBot", "IcedID", "Valak", "Ursnif" ], "source_id": "MITRE", "reports": null }, { "id": "40b623c7-b621-48db-b55b-dd4f6746fbc6", "created_at": "2024-06-19T02:03:08.017681Z", "updated_at": "2026-04-10T02:00:03.665818Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shathak", "TA551 " ], "source_name": "Secureworks:GOLD CABIN", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "90f216f2-4897-46fc-bb76-3acae9d112ca", "created_at": "2023-01-06T13:46:39.248936Z", "updated_at": "2026-04-10T02:00:03.260122Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shakthak", "TA551", "ATK236", "G0127", "Monster Libra" ], "source_name": "MISPGALAXY:GOLD CABIN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68", "created_at": "2022-10-25T16:07:24.578896Z", "updated_at": "2026-04-10T02:00:05.039955Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "G0127", "Gold Cabin", "Monster Libra", "Shathak", "TA551" ], "source_name": "ETDA:TA551", "tools": [ "BokBot", "CRM", "Gozi", "Gozi CRM", "IceID", "IcedID", "Papras", "Snifula", "Ursnif", "Valak", "Valek" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434060, "ts_updated_at": 1775826680, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4094527097cd34d106df828da665e7095337c6a4.pdf", "text": "https://archive.orkl.eu/4094527097cd34d106df828da665e7095337c6a4.txt", "img": "https://archive.orkl.eu/4094527097cd34d106df828da665e7095337c6a4.jpg" } }