{ "id": "926f4dd6-575f-49e2-a0e3-694eaa3efff1", "created_at": "2026-04-06T00:10:36.989598Z", "updated_at": "2026-04-10T13:12:06.982452Z", "deleted_at": null, "sha1_hash": "44e966449a3a4217374d0d0e02c6066da7ba30b2", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 56059, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:58:33 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool DanaBot\n Tool: DanaBot\nNames DanaBot\nCategory Malware\nType Banking trojan, Keylogger, Credential stealer, Info stealer\nDescription\n(Fortinet) It is a modular banking Trojan that has been historically linked to combining\noperations with other malware operators, such as those behind Gootkit. Other modules\nassociated with DanaBot include remote desktop through VNC, information stealing, and\nkeylogging. While it appears that this recent attack may be looking to establish a foothold\nin the network, the reasons behind this are currently unknown.\nInformation\nMalpedia https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e2a3277-3948-4f60-8a32-e9b9757f9330\nPage 1 of 2\n\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:DanaBot\u003e\r\nLast change to this tool card: 28 June 2025\r\nDownload this tool card in JSON format\r\nAll groups using tool DanaBot\r\nChanged Name Country Observed\r\nOther groups\r\n  Scully Spider, TA547 [Unknown] 2017-Mar 2024  \r\n1 group listed (0 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e2a3277-3948-4f60-8a32-e9b9757f9330\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e2a3277-3948-4f60-8a32-e9b9757f9330\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e2a3277-3948-4f60-8a32-e9b9757f9330" ], "report_names": [ "listgroups.cgi?u=1e2a3277-3948-4f60-8a32-e9b9757f9330" ], "threat_actors": [ { "id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9", "created_at": "2022-10-25T16:07:24.557505Z", "updated_at": "2026-04-10T02:00:05.032451Z", "deleted_at": null, "main_name": "Scully Spider", "aliases": [ "Scully Spider", "TA547" ], "source_name": "ETDA:Scully Spider", "tools": [ "DanaBot", "Lumma Stealer", "LummaC2", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "Rhadamanthys", "Rhadamanthys Stealer", "Stealc" ], "source_id": "ETDA", "reports": null }, { "id": "b3070c7b-c1e8-462c-94f1-62a0d2bdbc67", "created_at": "2023-01-06T13:46:39.116254Z", "updated_at": "2026-04-10T02:00:03.218594Z", "deleted_at": null, "main_name": "SCULLY SPIDER", "aliases": [], "source_name": "MISPGALAXY:SCULLY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "72bc3519-a265-4136-b85a-d5e331f085b1", "created_at": "2023-01-06T13:46:39.313045Z", "updated_at": "2026-04-10T02:00:03.28438Z", "deleted_at": null, "main_name": "TA547", "aliases": [], "source_name": "MISPGALAXY:TA547", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434236, "ts_updated_at": 1775826726, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/44e966449a3a4217374d0d0e02c6066da7ba30b2.pdf", "text": "https://archive.orkl.eu/44e966449a3a4217374d0d0e02c6066da7ba30b2.txt", "img": "https://archive.orkl.eu/44e966449a3a4217374d0d0e02c6066da7ba30b2.jpg" } }