{
	"id": "456c9eb1-78e9-446b-a1ec-05f897306979",
	"created_at": "2026-04-06T00:09:05.241908Z",
	"updated_at": "2026-04-10T03:34:16.720797Z",
	"deleted_at": null,
	"sha1_hash": "464ccafb7bb1747426fb8500d521494b86a4e5d8",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47184,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:26:06 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Grief\n Tool: Grief\nNames\nGrief\nPay or Grief\nCategory Malware\nType Ransomware, Big Game Hunting\nDescription\n(Zscaler) An early Grief ransomware (aka Pay or Grief) sample was compiled on May 17,\n2021. This sample is particularly interesting because it contains the Grief ransomware code\nand ransom note, but the link in the ransom note points to the DoppelPaymer ransom portal.\nThis suggests that the malware author may have still been in the process of developing the\nGrief ransom portal. Ransomware threat groups often rebrand the name of the malware as a\ndiversion.\nInformation\nLast change to this tool card: 26 December 2021\nDownload this tool card in JSON format\nAll groups using tool Grief\nChanged Name Country Observed\nAPT groups\n Doppel Spider 2019-May 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa2dfc3d-ed20-4970-9624-ea19b096a395\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa2dfc3d-ed20-4970-9624-ea19b096a395\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa2dfc3d-ed20-4970-9624-ea19b096a395\r\nPage 2 of 2\n\nAPT groups Doppel Spider 2019-May 2025 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa2dfc3d-ed20-4970-9624-ea19b096a395"
	],
	"report_names": [
		"listgroups.cgi?u=aa2dfc3d-ed20-4970-9624-ea19b096a395"
	],
	"threat_actors": [
		{
			"id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087",
			"created_at": "2024-06-19T02:03:08.067518Z",
			"updated_at": "2026-04-10T02:00:03.671628Z",
			"deleted_at": null,
			"main_name": "GOLD HERON",
			"aliases": [
				"Doppel Spider "
			],
			"source_name": "Secureworks:GOLD HERON",
			"tools": [
				"Cobalt Strike",
				"DoppelPaymer",
				"Dridex",
				"Grief",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a0d0e1ef-3562-40a8-a021-321db92644d9",
			"created_at": "2023-01-06T13:46:39.104046Z",
			"updated_at": "2026-04-10T02:00:03.2146Z",
			"deleted_at": null,
			"main_name": "DOPPEL SPIDER",
			"aliases": [
				"GOLD HERON"
			],
			"source_name": "MISPGALAXY:DOPPEL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d555c5da-abe4-42aa-a8cf-77b68905891a",
			"created_at": "2022-10-25T16:07:23.548385Z",
			"updated_at": "2026-04-10T02:00:04.65211Z",
			"deleted_at": null,
			"main_name": "Doppel Spider",
			"aliases": [
				"Gold Heron",
				"Grief Group"
			],
			"source_name": "ETDA:Doppel Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DoppelPaymer",
				"Pay OR Grief",
				"Pay or Grief",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/464ccafb7bb1747426fb8500d521494b86a4e5d8.pdf",
		"text": "https://archive.orkl.eu/464ccafb7bb1747426fb8500d521494b86a4e5d8.txt",
		"img": "https://archive.orkl.eu/464ccafb7bb1747426fb8500d521494b86a4e5d8.jpg"
	}
}