{
	"id": "14030867-641d-4a3f-aa26-fa59548f0aad",
	"created_at": "2026-04-06T00:11:12.033941Z",
	"updated_at": "2026-04-10T03:31:09.57895Z",
	"deleted_at": null,
	"sha1_hash": "58cb30a672f0dc656fed64c0c22b1827ca86111c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57120,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:39:02 UTC\n Tool: BitPaymer\nNames\nBitPaymer\nFriedEx\nIEncrypt\nwp_encrypt\nCategory Malware\nType Ransomware, Credential stealer, Big Game Hunting\nDescription\n(IBM) The submitted file is a custom packed BitPaymer ransomware loader that is\ndesigned to run on Windows 7 or above or any version of Windows server. The loader\nuses Alternate Data Streams to hide its tracks and service hijacking to maintain\npersistence. The loader uses RC4 to decrypt its configuration data.\nThe BitPaymer ransomware is used to encrypt files based on the settings from the\nconfiguration data. It has the ability to encrypt local and remote disks and can whitelist\nvarious file types that are not to be encrypted. The ransom note follows the same general\noutline as that of other ransomware families; however, BitPaymer is customized to the\ncompany or victim being attacked and contains their names in the configuration data\nitself.\nInformation\n\ndridex-authors/\u003e\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool BitPaymer\nChanged Name Country Observed\nAPT groups\n Indrik Spider 2007-Oct 2024\n1 group listed (1 APT, 0 other, 0 unknown)\n↑\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1d7f3d66-005d-426f-925e-a31a2a49cb46\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1d7f3d66-005d-426f-925e-a31a2a49cb46\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1d7f3d66-005d-426f-925e-a31a2a49cb46"
	],
	"report_names": [
		"listgroups.cgi?u=1d7f3d66-005d-426f-925e-a31a2a49cb46"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider",
				"Manatee Tempest"
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434272,
	"ts_updated_at": 1775791869,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58cb30a672f0dc656fed64c0c22b1827ca86111c.pdf",
		"text": "https://archive.orkl.eu/58cb30a672f0dc656fed64c0c22b1827ca86111c.txt",
		"img": "https://archive.orkl.eu/58cb30a672f0dc656fed64c0c22b1827ca86111c.jpg"
	}
}