{
	"id": "b1a398e2-219c-4893-9c5e-3ea1b84897f6",
	"created_at": "2026-04-06T00:11:28.916958Z",
	"updated_at": "2026-04-10T03:34:01.01673Z",
	"deleted_at": null,
	"sha1_hash": "586cde2983651ff04f57657bbc0eac5f995e6d03",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55102,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:01:01 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool AZORult\n Tool: AZORult\nNames\nAZORult\nPuffStealer\nRultazo\nCategory Malware\nType Info stealer, Credential stealer, Downloader\nDescription\n(Kaspersky) The AZORult Trojan is one of the most commonly bought and sold stealers\nin Russian forums. Despite the relatively high price tag ($100), buyers like AZORult for\nits broad functionality (for example, the use of .bit domains as C\u0026C servers to ensure\nowner anonymity and to make it difficult to block the C\u0026C server), as well as its high\nperformance. Many comment leavers recommend it.\nAZORult is a Trojan stealer that collects various data on infected computers and sends it\nto the C\u0026C server, including browser history, login credentials, cookies, files from\nfolders as specified by the C\u0026C server (for example, all TXT files from the Desktop\nfolder), cryptowallet files, etc.; the malware can also be used as a loader to download\nother malware. Kaspersky Lab products detect the stealer as Trojan-PSW.Win32.Azorult. Our statistics show that since the start of 2019, users in Russia and\nIndia are the most targeted.\nInformation\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ce88f834-afbf-4d8b-8ca6-43b7fde7bdf2\nPage 1 of 2\n\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 22 April 2024\nDownload this tool card in JSON format\nAll groups using tool AZORult\nChanged Name Country Observed\nAPT groups\n FIN11 [Unknown] 2016-Mar 2025\n Operation Epic Manchego [Unknown] 2020\n TA558 [Unknown] 2018-Jun 2023\nOther groups\n TA516 [Unknown] 2016-Feb 2020\n4 groups listed (3 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ce88f834-afbf-4d8b-8ca6-43b7fde7bdf2\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ce88f834-afbf-4d8b-8ca6-43b7fde7bdf2\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ce88f834-afbf-4d8b-8ca6-43b7fde7bdf2"
	],
	"report_names": [
		"listgroups.cgi?u=ce88f834-afbf-4d8b-8ca6-43b7fde7bdf2"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b34a837-9f3f-4451-b8bf-adf424655df5",
			"created_at": "2023-01-06T13:46:39.310096Z",
			"updated_at": "2026-04-10T02:00:03.283332Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [],
			"source_name": "MISPGALAXY:TA516",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f1c14cad-15c0-4ae3-be08-4226044aa8cb",
			"created_at": "2022-10-25T16:07:23.954439Z",
			"updated_at": "2026-04-10T02:00:04.806247Z",
			"deleted_at": null,
			"main_name": "Operation Epic Manchego",
			"aliases": [],
			"source_name": "ETDA:Operation Epic Manchego",
			"tools": [
				"AZORult",
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Bladabindi",
				"Formbook",
				"Jorik",
				"Matiex",
				"Negasteal",
				"Origin Logger",
				"PuffStealer",
				"Rultazo",
				"ZPAQ",
				"njRAT",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aeda543e-ce27-41a9-9719-d6e2941b7dbf",
			"created_at": "2022-10-25T16:07:24.57632Z",
			"updated_at": "2026-04-10T02:00:05.038892Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [
				"SmokingDro"
			],
			"source_name": "ETDA:TA516",
			"tools": [
				"AZORult",
				"AndroKINS",
				"Chthonic",
				"Dofoil",
				"PandaBanker",
				"PuffStealer",
				"Rultazo",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader",
				"Zeus Panda",
				"ZeusPanda"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434288,
	"ts_updated_at": 1775792041,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/586cde2983651ff04f57657bbc0eac5f995e6d03.pdf",
		"text": "https://archive.orkl.eu/586cde2983651ff04f57657bbc0eac5f995e6d03.txt",
		"img": "https://archive.orkl.eu/586cde2983651ff04f57657bbc0eac5f995e6d03.jpg"
	}
}