{
	"id": "10e209b2-92af-4384-acca-abc402badaf7",
	"created_at": "2026-04-06T00:07:12.26145Z",
	"updated_at": "2026-04-10T03:36:36.807663Z",
	"deleted_at": null,
	"sha1_hash": "5b29cf1293efaed0013b0bdc0fbda28b0e988c64",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 128243,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:00:53 UTC\nAPT group: FIN11\nNames\nFIN11 (FireEye)\nDEV-0950 (Microsoft)\nLace Tempest (Microsoft)\nChubby Scorpius (Palo Alto)\nCountry: [Unknown]\nMotivation: Financial crime, Financial gain\nFirst seen: 2016\nDescription\n(FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in a few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—are part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.\nNotably, FIN11 includes a subset of the activity security researchers call TA505, Graceful Spider, Gold Evergreen, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.\nObserved\nSectors: Defense, Education, Energy, Financial, Hospitality, Retail, Telecommunications, Technology, Transportation.\nCountries: Worldwide.\nTools used\nAmadey, AndroMut, AZORult, BLUESTEAL, Clop, EMASTEAL, FlawedAmmyy, FLOWERPIPE, FORKBEARD, Get2, JESTBOT, Meterpreter, MINEBRIDGE, MINEDOOR, MIXLABEL, NAILGUN, POPFLASH, SALTLICK, SCRAPMINT, SHORTBENCH, SLOWROLL, SPOONBEARD, TinyMet, VIDAR.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=d6613f53-5694-4aa4-a5d9-c51c6cd9426e\nPage 1 of 7\nOperations performed\nDec 2019: Ransomware attack on Maastricht University\nMar 2020: U.S. pharmaceutical giant ExecuPharm has become the latest victim of data-stealing ransomware. ExecuPharm said in a letter to the Vermont attorney general’s office that it was hit by a ransomware attack on March 13, and warned that Social Security numbers, financial information, driver licenses, passport numbers and other sensitive data may have been accessed. But TechCrunch has now learned that the ransomware group behind the attack has published the data stolen from the company’s servers.\nOct 2020: Software AG IT giant hit with $23 million ransom by Clop ransomware\nDec 2020: Global Accellion data breaches linked to Clop ransomware gang\nDec 2020: Singtel, QIMR Berghofer report Accellion-related data breaches\nDec 2020: New Zealand Reserve Bank breached using bug patched on Xmas Eve\nJan 2021: Australian securities regulator discloses security breach\nJan 2021: Data breach exposes 1.6 million Washington unemployment claims\nFeb 2021: Hacker Claims to Have Stolen Files Belonging to Prominent Law Firm Jones Day\nFeb 2021: Clop ransomware gang leaks online what looks like stolen Bombardier blueprints of GlobalEye radar snoop jet\nFeb 2021: Kroger data breach exposes pharmacy and employee data\nMar 2021: Cybersecurity firm Qualys is the latest victim of Accellion hacks\nMar 2021: Ransomware gang leaks data stolen from Colorado, Miami universities\nMar 2021: Energy giant Shell discloses data breach after Accellion hack\nMar 2021: Ransomware gang urges victims’ customers to demand a ransom payment\nMar 2021: Ransomware group targets universities in Maryland, California in new data leaks\nMar 2021: Ransomware gang leaks data from Stanford, Maryland universities\nApr 2021: More Accellion Health Data Breaches Revealed\nJun 2021: Clop ransomware is back in business after recent arrests\nOct 2021: Clop ransomware gang is leaking confidential data from the UK police\nNov 2021: Marine services provider Swire Pacific Offshore hit by ransomware\nApr 2022: Clop ransomware gang is back, hits 21 victims in a single month\nAug 2022: Hackers attack UK water supplier but extort wrong company\nSep 2022: FIN11 is Back: Impersonates Popular Video Conference Application\nDec 2022: Cl0p Ransomware Targets Linux Systems with Flawed Encryption\nFeb 2023: Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day\nMar 2023: Clop ransomware gang begins extorting GoAnywhere zero-day victims\nMar 2023: Clop ransomware claims Saks Fifth Avenue, retailer says mock data stolen\nMar 2023: City of Toronto confirms data theft, Clop claims responsibility\nMar 2023: Procter \u0026 Gamble confirms data theft via GoAnywhere zero-day\nMar 2023: UK Pension Protection Fund latest victim of GoAnywhere hack\nMar 2023: Crown Resorts confirms ransom demand after GoAnywhere breach\nMar 2023: Tasmania officials: 16,000 student documents leaked by Clop ransomware group\nApr 2023: Microsoft: Clop and LockBit ransomware behind PaperCut server hacks\nMay 2023: Microsoft links Clop ransomware gang to MOVEit data-theft attacks\nMay 2023: Missouri warns that health info was stolen in IBM MOVEit data breach\nMay 2023: US govt contractor Serco discloses data breach after MoveIT attacks\nMay 2023: Colorado warns 4 million of data stolen in IBM MOVEit breach\nMay 2023: Russian cyber thieves linked to personal data breach at North Carolina hospitals\nMay 2023: Sony confirms data breach impacting thousands in the U.S.\nMay 2023: Third Flagstar Bank data breach since 2021 affects 800,000 customers\nMay 2023: Maine govt notifies 1.3 million people of MOVEit data breach\nMay 2023: Amazon confirms employee data breach after vendor hack\nMay 2023: Auto parts giant AutoZone warns of MOVEit data breach\nJun 2023: Delta Dental of California data breach exposed info of 7 million people\nJun 2023: MOVEIt breach impacts GenWorth, CalPERS as data for 3.2 million exposed\nJun 2023: Hackers steal data of 45,000 New York City students in MOVEit breach\nJun 2023: Siemens Energy confirms data breach after MOVEit data-theft attack\nJul 2023: Shell Becomes Latest Cl0p MOVEit Victim\nJul 2023: Radisson Hotels, major insurance firms become latest MOVEit victims to disclose breaches\nJul 2023: Shutterfly says Clop ransomware attack did not impact customer data\nJul 2023: BlackCat, Clop claim ransomware attack on cosmetics maker Estée Lauder\nJul 2023: Clop now leaks data stolen in MOVEit attacks on clearweb sites\nJul 2023: Medical files of 8M-plus people fall into hands of Clop via MOVEit mega-bug\nJul 2023: Welltok data breach exposes data of 8.5 million US patients\nAug 2023: Clop ransomware now uses torrents to leak data and evade takedowns\nSep 2023: Johnson \u0026 Johnson discloses IBM data breach impacting patients\nSep 2023: CL0P Seeds ^_- Gotta Catch Em All!\nNov 2023: Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks\nFeb 2024: French unemployment agency data breach impacts 43 million people\nDec 2024: Clop ransomware claims responsibility for Cleo data theft attacks\nDec 2024: Clop ransomware is now extorting 66 Cleo data-theft victims\nDec 2024: Food giant WK Kellogg discloses data breach linked to Clop ransomware\nMar 2025: Retail giant Sam’s Club investigates Clop ransomware breach claims\nCounter operations\nJun 2021: Operation “Cyclone”\nUkraine arrests Clop ransomware gang members, seizes servers\nJun 2023: US govt offers $10 million bounty for info on Clop ransomware\nInformation\nLast change to this card: 30 June 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d6613f53-5694-4aa4-a5d9-c51c6cd9426e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d6613f53-5694-4aa4-a5d9-c51c6cd9426e"
	],
	"report_names": [
		"showcard.cgi?u=d6613f53-5694-4aa4-a5d9-c51c6cd9426e"
	],
	"threat_actors": [
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ada819f-dec0-4de4-97eb-0a8aff899c56",
			"created_at": "2023-01-06T13:46:39.225531Z",
			"updated_at": "2026-04-10T02:00:03.251546Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD EVERGREEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434032,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b29cf1293efaed0013b0bdc0fbda28b0e988c64.pdf",
		"text": "https://archive.orkl.eu/5b29cf1293efaed0013b0bdc0fbda28b0e988c64.txt",
		"img": "https://archive.orkl.eu/5b29cf1293efaed0013b0bdc0fbda28b0e988c64.jpg"
	}
}