{ "id": "ce51d31c-94b4-4bf9-b0e2-1485cca32a17", "created_at": "2026-04-06T00:21:39.038229Z", "updated_at": "2026-04-10T03:25:24.776776Z", "deleted_at": null, "sha1_hash": "5cbf60e0389cfa6c87cf87081ac1d5eab563505b", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48004, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:01:31 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Sality\r\n Tool: Sality\r\nNames\r\nSality\r\nSector\r\nKuku\r\nSalLoad\r\nKookoo\r\nSaliCode\r\nKukacka\r\nCategory Malware\r\nType Botnet, Worm, Downloader, Loader\r\nDescription\r\n(Cylance) The Sality virus infects local executables, removable storage, and remotely\r\nshared drives. It creates a peer-to-peer botnet which facilitates the downloading and\r\nexecution of other malware. Sality can perform malicious code injection and modify its\r\nentry point to force code execution. This malware remains viable by adopting the\r\nsuccessful strategies of other threats, implementing techniques like rootkit/backdoor\r\ncapability, keylogging, and worm-like propagation.\r\nInformation\r\n\u003chttps://threatvector.cylance.com/en_us/home/cylance-vs-sality-malware.html\u003e\r\n\u003chttps://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf\u003e\r\n\u003chttps://en.wikipedia.org/wiki/Sality\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.sality\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:Sality\u003e\r\nLast change to this tool card: 24 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Sality\r\nChanged Name Country Observed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ccf23a1f-eec2-465a-89a8-fc38dfbfeea8\r\nPage 1 of 2\n\nOther groups\r\n  Salty Spider 2003-Dec 2018  \r\n1 group listed (0 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ccf23a1f-eec2-465a-89a8-fc38dfbfeea8\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ccf23a1f-eec2-465a-89a8-fc38dfbfeea8\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ccf23a1f-eec2-465a-89a8-fc38dfbfeea8" ], "report_names": [ "listgroups.cgi?u=ccf23a1f-eec2-465a-89a8-fc38dfbfeea8" ], "threat_actors": [ { "id": "6d1762e8-c48c-4fda-b4d1-ecb91179720e", "created_at": "2022-10-25T16:07:24.55351Z", "updated_at": "2026-04-10T02:00:05.031489Z", "deleted_at": null, "main_name": "Salty Spider", "aliases": [], "source_name": "ETDA:Salty Spider", "tools": [ "Kookoo", "Kukacka", "Kuku", "SalLoad", "SaliCode", "Sality" ], "source_id": "ETDA", "reports": null }, { "id": "9fe7fd84-e2b4-4db5-9c90-c4a5791d3f94", "created_at": "2023-01-06T13:46:38.904178Z", "updated_at": "2026-04-10T02:00:03.14055Z", "deleted_at": null, "main_name": "SALTY SPIDER", "aliases": [], "source_name": "MISPGALAXY:SALTY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434899, "ts_updated_at": 1775791524, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5cbf60e0389cfa6c87cf87081ac1d5eab563505b.pdf", "text": "https://archive.orkl.eu/5cbf60e0389cfa6c87cf87081ac1d5eab563505b.txt", "img": "https://archive.orkl.eu/5cbf60e0389cfa6c87cf87081ac1d5eab563505b.jpg" } }