{
	"id": "fc95c9de-8255-4549-a9ff-4706bc7dfd7b",
	"created_at": "2026-04-06T00:13:06.342673Z",
	"updated_at": "2026-04-10T13:12:03.799319Z",
	"deleted_at": null,
	"sha1_hash": "595957ea2a28a0c5253e3c62beef7c1593f7efda",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32082,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:04:06 UTC\r\nDescription (Group-IB) In mid-September 2023, during routine monitoring of adversary infrastructure, Group-IB’s\r\nThreat Intelligence unit identified a command and control (C\u0026C) server that was hosting several tools. Notably,\r\nnone were custom-made. The entire toolset was based on publicly available open-source instruments used for\r\npentesting purposes. After examining the toolset in more detail, it became clear that the tools were most likely\r\nassociated with a threat actor executing one of the oldest attack methods: SQL injections.\r\nWhile delving deeper into the malicious infrastructure, Group-IB researchers identified the threat actor’s first\r\ntargets, predominantly linked to the gambling industry. This prompted the Threat Intelligence unit to name the\r\nthreat actor GambleForce (tracked under the name EagleStrike GambleForce in Group-IB’s Threat Intelligence\r\nPlatform). Since it appeared in September 2023, GambleForce has targeted more than 20 websites (government,\r\ngambling, retail, and travel) in Australia, China, Indonesia, the Philippines, India, South Korea, Thailand, and\r\nBrazil.\r\nDespite using very basic attack methods, the threat actor has managed to successfully attack six companies in\r\nAustralia (travel), Indonesia (travel, retail), the Philippines (government), and South Korea (gambling), which\r\nshows just how vulnerable many organizations are against rudimentary but clearly dangerous SQL injection\r\nattacks.\r\nIn some instances, the attackers stopped after performing reconnaissance. In other cases, they successfully\r\nextracted user databases containing logins and hashed passwords, along with lists of tables from accessible\r\ndatabases.\r\nRather than looking for specific data, the threat actor attempts to exfiltrate any available piece of\r\ninformation within targeted databases, such as hashed and plain text user credentials. What the group does with\r\nthe stolen data remains unknown so far.\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4442e431-c4f1-4528-9b28-46ea479be9cc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4442e431-c4f1-4528-9b28-46ea479be9cc"
	],
	"report_names": [
		"showcard.cgi?u=4442e431-c4f1-4528-9b28-46ea479be9cc"
	],
	"threat_actors": [
		{
			"id": "8d1c3575-c954-4e39-8717-8d15ccd4020e",
			"created_at": "2024-01-18T02:02:34.725883Z",
			"updated_at": "2026-04-10T02:00:05.007755Z",
			"deleted_at": null,
			"main_name": "GambleForce",
			"aliases": [],
			"source_name": "ETDA:GambleForce",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Dirsearch",
				"Tinyproxy",
				"cobeacon",
				"redis-rogue-getshell",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e55fb744-4fb6-4b73-a326-d4d014d6a3d7",
			"created_at": "2023-12-21T02:00:06.102133Z",
			"updated_at": "2026-04-10T02:00:03.503718Z",
			"deleted_at": null,
			"main_name": "GambleForce",
			"aliases": [],
			"source_name": "MISPGALAXY:GambleForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434386,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/595957ea2a28a0c5253e3c62beef7c1593f7efda.pdf",
		"text": "https://archive.orkl.eu/595957ea2a28a0c5253e3c62beef7c1593f7efda.txt",
		"img": "https://archive.orkl.eu/595957ea2a28a0c5253e3c62beef7c1593f7efda.jpg"
	}
}