{
	"id": "56e485da-dc4f-4b0d-988c-d4e3ec759fed",
	"created_at": "2026-04-06T00:06:26.676276Z",
	"updated_at": "2026-04-10T03:33:16.677368Z",
	"deleted_at": null,
	"sha1_hash": "4fcf0361d3d6da73d74c44dd7a770af28446366a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 29916,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:42:48 UTC\r\nDescriptionThis family describes the (initially small) loader, which downloads Zeus OpenSSL.\r\nIn June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9\r\n(e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-\u003e\r\nZeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.\r\nThe initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added,\r\ne.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added,\r\nwhich blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may\r\nbe related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fb0df443-6978-48d9-ab3e-4f3f88aa3b92\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fb0df443-6978-48d9-ab3e-4f3f88aa3b92\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fb0df443-6978-48d9-ab3e-4f3f88aa3b92"
	],
	"report_names": [
		"listgroups.cgi?u=fb0df443-6978-48d9-ab3e-4f3f88aa3b92"
	],
	"threat_actors": [
		{
			"id": "1f6ae238-765f-4495-9d54-6a7883d7a319",
			"created_at": "2022-10-25T16:07:24.573456Z",
			"updated_at": "2026-04-10T02:00:05.037738Z",
			"deleted_at": null,
			"main_name": "TA511",
			"aliases": [
				"MAN1",
				"Moskalvzapoe"
			],
			"source_name": "ETDA:TA511",
			"tools": [
				"Agentemis",
				"Chanitor",
				"Cobalt Strike",
				"CobaltStrike",
				"Ficker Stealer",
				"Hancitor",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "542cf9d0-9c68-428c-aff8-81b6f59dc985",
			"created_at": "2023-02-15T02:01:49.554105Z",
			"updated_at": "2026-04-10T02:00:03.347115Z",
			"deleted_at": null,
			"main_name": "Moskalvzapoe",
			"aliases": [
				"MAN1",
				"TA511"
			],
			"source_name": "MISPGALAXY:Moskalvzapoe",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433986,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fcf0361d3d6da73d74c44dd7a770af28446366a.pdf",
		"text": "https://archive.orkl.eu/4fcf0361d3d6da73d74c44dd7a770af28446366a.txt",
		"img": "https://archive.orkl.eu/4fcf0361d3d6da73d74c44dd7a770af28446366a.jpg"
	}
}