{
	"id": "4841016c-a5be-4c8a-b604-e34ea7628a3c",
	"created_at": "2026-04-06T00:11:24.429097Z",
	"updated_at": "2026-04-10T03:36:00.150786Z",
	"deleted_at": null,
	"sha1_hash": "458fcc9798dc2f6ae556c261b494fd810bd7d322",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62372,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:13:12 UTC\nTool: Gootkit\nNames\nGootkit\nGootloader\nXswkit\ntalalpek\nWaldek\nCategory Malware\nType Backdoor, Banking trojan, Credential stealer, Info stealer\nDescription\n(Sentinel Labs) The Gootkit Banking Trojan was discovered back in 2014, and utilizes the Node.JS library to perform a range of malicious tasks, from website injections and password grabbing, all the way up to video recording and remote VNC capabilities. Since its discovery in 2014, the actors behind Gootkit have continued to update the codebase to slow down analysis and thwart automated sandboxes. This post will take a look into the first stage of Gootkit, which contains the unpacking phase and a malicious downloader that sets up the infected system, and its multiple anti-analysis mechanisms.\nInformation Malpedia AlienVault OTX\nLast change to this tool card: 26 August 2024\nAll groups using tool Gootkit\nChanged Name Country Observed\nOther groups\n TA554 [Unknown] 2017\n1 group listed (0 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3211a3c1-ebff-42f3-9139-87e77b266759",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3211a3c1-ebff-42f3-9139-87e77b266759"
	],
	"report_names": [
		"listgroups.cgi?u=3211a3c1-ebff-42f3-9139-87e77b266759"
	],
	"threat_actors": [
		{
			"id": "a3808e4f-c7fd-4d25-aa84-aacc27061826",
			"created_at": "2023-01-06T13:46:39.316216Z",
			"updated_at": "2026-04-10T02:00:03.285437Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "MISPGALAXY:TA554",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9be98f84-4a93-41c7-90bd-3ea66ba5bfd7",
			"created_at": "2022-10-25T16:07:24.581954Z",
			"updated_at": "2026-04-10T02:00:05.040995Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "ETDA:TA554",
			"tools": [
				"DarkVNC",
				"Godzilla",
				"Godzilla Loader",
				"Gootkit",
				"Gootloader",
				"Gozi ISFB",
				"ISFB",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Nimnul",
				"Pandemyia",
				"PsiX",
				"PsiXBot",
				"Ramnit",
				"StarsLord",
				"Waldek",
				"Xswkit",
				"sLoad",
				"talalpek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/458fcc9798dc2f6ae556c261b494fd810bd7d322.pdf",
		"text": "https://archive.orkl.eu/458fcc9798dc2f6ae556c261b494fd810bd7d322.txt",
		"img": "https://archive.orkl.eu/458fcc9798dc2f6ae556c261b494fd810bd7d322.jpg"
	}
}