{ "id": "23d5ef16-6e1d-4e57-9b43-ec9b83ee097f", "created_at": "2026-04-06T00:06:32.078708Z", "updated_at": "2026-04-10T03:34:01.019331Z", "deleted_at": null, "sha1_hash": "50bc3e1c3c8e55ab23777beae0b0c0485321c448", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 58024, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:46:57 UTC\n APT group: TA558\nNames TA558 (Proofpoint)\nCountry [Unknown]\nMotivation Financial crime\nFirst seen 2018\nDescription\n(Proofpoint) Since 2018, Proofpoint has tracked a financially-motivated cybercrime\nactor, TA558, targeting hospitality, travel, and related industries located in Latin\nAmerica and sometimes North America, and western Europe. The actor sends\nmalicious emails written in Portuguese, Spanish, and sometimes English. The emails\nuse reservation-themed lures with business-relevant themes such as hotel room\nbookings. The emails may contain malicious attachments or URLs aiming to\ndistribute one of at least 15 different malware payloads, typically remote access\ntrojans (RATs), that can enable reconnaissance, data theft, and distribution of follow-on payloads.\nObserved\nSectors: Construction, Education, Energy, Financial, Government, Hospitality,\nIndustrial, IT, Pharmaceutical, Transportation.\nCountries: Algeria, Argentina, Brazil, Bulgaria, Chile, Colombia, Costa Rica, Czech,\nDominican Republic, Ecuador, Germany, Guatemala, India, Indonesia, Lebanon,\nMacedonia, Mexico, Morocco, Pakistan, Peru, Poland, Romania, Russia, Serbia,\nSlovenia, South Korea, Spain, Thailand, Turkey, Uruguay, USA.\nTools used\nAsyncRAT, AZORult, Loda, njRAT, RemcosRAT, Vjw0rm, RevengeRAT,\nXtremeRAT.\nOperations performed Jun 2023\nSteganoAmor campaign: TA558 mass-attacking companies and\npublic institutions all around the world\nInformation\nLast change to this card: 22 April 2024\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2a612bf1-4cfd-436e-90d5-e104966d1f50\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2a612bf1-4cfd-436e-90d5-e104966d1f50\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2a612bf1-4cfd-436e-90d5-e104966d1f50\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2a612bf1-4cfd-436e-90d5-e104966d1f50" ], "report_names": [ "showcard.cgi?u=2a612bf1-4cfd-436e-90d5-e104966d1f50" ], "threat_actors": [ { "id": "316b23b5-e097-4dc6-8b1c-d096860c6c16", "created_at": "2022-10-25T16:07:24.290801Z", "updated_at": "2026-04-10T02:00:04.924688Z", "deleted_at": null, "main_name": "TA558", "aliases": [], "source_name": "ETDA:TA558", "tools": [ "AZORult", "AsyncRAT", "Bladabindi", "ExtRat", "Jorik", "Loda", "Loda RAT", "LodaRAT", "Nymeria", "PuffStealer", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "Rultazo", "Socmer", "Vengeance Justice Worm", "Vjw0rm", "Xtreme RAT", "XtremeRAT", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "cf91b389-9602-45c0-8d6b-c61d14800f54", "created_at": "2023-01-06T13:46:39.448277Z", "updated_at": "2026-04-10T02:00:03.332604Z", "deleted_at": null, "main_name": "TA558", "aliases": [], "source_name": "MISPGALAXY:TA558", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775433992, "ts_updated_at": 1775792041, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/50bc3e1c3c8e55ab23777beae0b0c0485321c448.pdf", "text": "https://archive.orkl.eu/50bc3e1c3c8e55ab23777beae0b0c0485321c448.txt", "img": "https://archive.orkl.eu/50bc3e1c3c8e55ab23777beae0b0c0485321c448.jpg" } }