{
	"id": "0f7907c6-4b75-403f-aeac-91964ea51385",
	"created_at": "2026-04-06T00:18:28.61916Z",
	"updated_at": "2026-04-10T13:11:56.220199Z",
	"deleted_at": null,
	"sha1_hash": "5a31b8af4401fa728ab851b920f88e8cbd286897",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30508,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:34:17 UTC\r\nDescription(The Hacker News) Group-IB first learned of the Cron malware gang in March 2015, when the\r\ncriminal gang was distributing the Cron Bot malware disguised as Viber and Google Play apps.\r\nThe Cron malware gang abused the popularity of SMS-banking services and distributed the malware onto victims'\r\nAndroid devices by setting up apps designed to mimic banks' official apps.\r\nThe gang even inserted the malware into fake mobile apps for popular pornography websites, such as PornHub.\r\nAfter targeting customers of the Bank in Russia, where they were living in, the Cron gang planned to expand its\r\noperation by targeting customers of banks in various countries, including the US, the UK, Germany, France,\r\nTurkey, Singapore, and Australia.\r\nIn June 2016, the gang rented a piece of malware called 'Tiny.z' for $2,000 per month, designed to attack\r\ncustomers of Russian banks as well as international banks in Britain, Germany, France, the United States and\r\nTurkey, among other countries.\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f7dde02d-7652-4c04-8782-cf56b07b667a\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f7dde02d-7652-4c04-8782-cf56b07b667a\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f7dde02d-7652-4c04-8782-cf56b07b667a"
	],
	"report_names": [
		"showcard.cgi?u=f7dde02d-7652-4c04-8782-cf56b07b667a"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434708,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a31b8af4401fa728ab851b920f88e8cbd286897.pdf",
		"text": "https://archive.orkl.eu/5a31b8af4401fa728ab851b920f88e8cbd286897.txt",
		"img": "https://archive.orkl.eu/5a31b8af4401fa728ab851b920f88e8cbd286897.jpg"
	}
}