{
	"id": "4d28a335-e4e7-488f-8253-9f112d9adf13",
	"created_at": "2026-04-06T00:11:30.19812Z",
	"updated_at": "2026-04-10T03:33:52.187266Z",
	"deleted_at": null,
	"sha1_hash": "5ac6094aca6f51e1465c095d6e8b02e0ee94f8e4",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53542,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:45:40 UTC\r\n APT group: TA530\r\nNames TA530 (Proofpoint)\r\nCountry [Unknown]\r\nMotivation Financial crime\r\nFirst seen 2016\r\nDescription\r\n(Proofpoint) Since January 2016, a financially motivated threat actor whom\r\nProofpoint has been tracking as TA530 has been targeting executives and other high-level employees, often through campaigns focused exclusively on a particular\r\nvertical. For example, intended victims frequently have titles of Chief Financial\r\nOfficer, Head of Finance, Senior Vice President, Director and other high level roles.\r\nAdditionally, TA530 customizes the email to each target by specifying the target’s\r\nname, job title, phone number, and company name in the email body, subject, and\r\nattachment names. On several occasions, we verified that these details are correct for\r\nthe intended victim. While we do not know for sure the source of these details, they\r\nfrequently appear on public websites, such as LinkedIn or the company’s own\r\nwebsite. The customization doesn't end with the lure; the malware used in the\r\ncampaigns is also targeted by region and vertical.\r\nObserved\r\nSectors: Automotive, Construction, Education, Energy, Engineering, Financial, Food\r\nand Agriculture, Healthcare, Hospitality, Manufacturing, Media, Pharmaceutical,\r\nRetail, Technology, Telecommunications, Transportation, Utilities.\r\nCountries: Australia, UK, USA.\r\nTools used\r\nAbaddonPOS, August Stealer, CryptoWall, Dridex, Gozi ISFB, H1N1 Loader,\r\nNymaim, Smoke Loader, TeamSpy, TinyLoader.\r\nOperations performed Nov 2016\r\nAugust in November: New Information Stealer Hits the Scene\r\n\u003chttps://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\u003e\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-target-execs\u003e\r\nLast change to this card: 14 April 2020\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=dc4db7a7-996d-4e90-8468-4ab4393b490d\r\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=dc4db7a7-996d-4e90-8468-4ab4393b490d\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=dc4db7a7-996d-4e90-8468-4ab4393b490d\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=dc4db7a7-996d-4e90-8468-4ab4393b490d"
	],
	"report_names": [
		"showcard.cgi?u=dc4db7a7-996d-4e90-8468-4ab4393b490d"
	],
	"threat_actors": [
		{
			"id": "f8fd6c94-f1bf-43b8-8613-edc46ca097ee",
			"created_at": "2022-10-25T16:07:24.285532Z",
			"updated_at": "2026-04-10T02:00:04.922819Z",
			"deleted_at": null,
			"main_name": "TA530",
			"aliases": [],
			"source_name": "ETDA:TA530",
			"tools": [
				"AbaddonPOS",
				"August Stealer",
				"Bugat v5",
				"CryptoWall",
				"Dofoil",
				"Dridex",
				"Gozi ISFB",
				"H1N1",
				"H1N1 Loader",
				"ISFB",
				"Nymaim",
				"Pandemyia",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader",
				"SpY-Agent",
				"TVRAT",
				"TVSpy",
				"TeamSpy",
				"TeamViewerENT",
				"TinyLoader",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d8dd2ca-5592-482e-b89d-6a7e1a49f4f6",
			"created_at": "2023-01-06T13:46:38.408359Z",
			"updated_at": "2026-04-10T02:00:02.962242Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"TeamSpy",
				"Team Bear",
				"Anger Bear",
				"IRON LYRIC"
			],
			"source_name": "MISPGALAXY:TeamSpy Crew",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af77521e-c35f-4030-a95d-bcd1eaeeaac1",
			"created_at": "2023-01-06T13:46:38.476089Z",
			"updated_at": "2026-04-10T02:00:02.990237Z",
			"deleted_at": null,
			"main_name": "TA530",
			"aliases": [],
			"source_name": "MISPGALAXY:TA530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434290,
	"ts_updated_at": 1775792032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ac6094aca6f51e1465c095d6e8b02e0ee94f8e4.pdf",
		"text": "https://archive.orkl.eu/5ac6094aca6f51e1465c095d6e8b02e0ee94f8e4.txt",
		"img": "https://archive.orkl.eu/5ac6094aca6f51e1465c095d6e8b02e0ee94f8e4.jpg"
	}
}