{
	"id": "90235351-55ae-43a7-9200-06167362c574",
	"created_at": "2026-04-06T00:13:35.153801Z",
	"updated_at": "2026-04-10T03:35:42.329797Z",
	"deleted_at": null,
	"sha1_hash": "5784e94cbdba5290694ecf8a87323da16140491f",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44990,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:19:27 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Vatet\nTool: Vatet\nNames: Vatet\nCategory: Malware\nType: Loader\nDescription\n(Palo Alto) Vatet is a custom loader that executes XOR-encoded shellcode from the local disk or a network share. The loaders are typically open-source applications found on GitHub, or other repositories, that the actors modify to load their shellcode. In most cases, the payload winds up being Cobalt Strike beacons and/or stagers, but some of the more recent payloads have been an updated version of the PyXie RAT. Vatet is often a precursor to enterprise-wide ransomware attacks.\nInformation\nLast change to this tool card: 23 April 2021\nDownload this tool card in JSON format\nAll groups using tool Vatet\nChanged Name Country Observed\nAPT groups\nSprite Spider, Gold Dupont [Unknown] 2015-Nov 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c026fd46-4d84-4351-85e7-5126e85f6d1b\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c026fd46-4d84-4351-85e7-5126e85f6d1b\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c026fd46-4d84-4351-85e7-5126e85f6d1b"
	],
	"report_names": [
		"listgroups.cgi?u=c026fd46-4d84-4351-85e7-5126e85f6d1b"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider",
				"Storm-2460"
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434415,
	"ts_updated_at": 1775792142,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5784e94cbdba5290694ecf8a87323da16140491f.pdf",
		"text": "https://archive.orkl.eu/5784e94cbdba5290694ecf8a87323da16140491f.txt",
		"img": "https://archive.orkl.eu/5784e94cbdba5290694ecf8a87323da16140491f.jpg"
	}
}