{
	"id": "b90f0ce7-6fd6-4bef-ac95-d564398a57ea",
	"created_at": "2026-04-06T00:10:19.740784Z",
	"updated_at": "2026-04-10T03:34:25.052622Z",
	"deleted_at": null,
	"sha1_hash": "45d79e5ba4321bffae16d0b34f1fb9be0f56d3e3",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47240,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:23:33 UTC\r\n APT group: FIN12\r\nNames FIN12 (Mandiant)\r\nCountry [Unknown]\r\nMotivation Financial crime, Financial gain\r\nFirst seen 2018\r\nDescription\r\n(Mandiant) Today, Mandiant Intelligence is releasing a comprehensive report detailing FIN12,\r\nan aggressive, financially motivated threat actor behind prolific ransomware attacks since at\r\nleast October 2018. FIN12 is unique among many tracked ransomware-focused actors today\r\nbecause they do not typically engage in multi-faceted extortion and have disproportionately\r\nimpacted the healthcare sector. They are also the first FIN actor that we are promoting who\r\nspecializes in a specific phase of the attack lifecycle—ransomware deployment—while relying\r\non other threat actors for gaining initial access to victims. This specialization reflects the\r\ncurrent ransomware ecosystem, which is comprised of various loosely affiliated actors\r\npartnering together, but not exclusively with one another.\r\nObserved\r\nSectors: Education, Financial, Healthcare, Manufacturing, Technology.\r\nCountries: Australia, Canada, Colombia, France, Indonesia, Ireland, Philippines, South Korea,\r\nSpain, UAE, UK, USA.\r\nTools used BazarBackdoor, Cobalt Strike, TrickBot.\r\nInformation\r\n\u003chttps://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets\u003e\r\n\u003chttps://www.mandiant.com/media/12596/download\u003e\r\nLast change to this card: 02 November 2021\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b43cdd5b-3411-4c5f-9190-e8de49a747e1\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b43cdd5b-3411-4c5f-9190-e8de49a747e1\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b43cdd5b-3411-4c5f-9190-e8de49a747e1"
	],
	"report_names": [
		"showcard.cgi?u=b43cdd5b-3411-4c5f-9190-e8de49a747e1"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434219,
	"ts_updated_at": 1775792065,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45d79e5ba4321bffae16d0b34f1fb9be0f56d3e3.pdf",
		"text": "https://archive.orkl.eu/45d79e5ba4321bffae16d0b34f1fb9be0f56d3e3.txt",
		"img": "https://archive.orkl.eu/45d79e5ba4321bffae16d0b34f1fb9be0f56d3e3.jpg"
	}
}