{
	"id": "aae3d461-0a95-40ae-bb6c-d6e4a22744e8",
	"created_at": "2026-04-06T01:29:15.838802Z",
	"updated_at": "2026-04-10T03:25:02.791194Z",
	"deleted_at": null,
	"sha1_hash": "5deab9e1d7c1656917b2919d82f12665a0c3d30e",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46081,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:43:01 UTC\r\n Tool: AdvisorsBot\r\nNames AdvisorsBot\r\nCategory Malware\r\nType Downloader\r\nDescription\r\n(Proofpoint) Beginning in May 2018, Proofpoint researchers observed a previously\r\nundocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns.\r\nThe campaigns appear to primarily target hotels, restaurants, and telecommunications, and\r\nare distributed by an actor we track as TA555. To date, we have observed AdvisorsBot\r\nused as a first-stage payload, loading a fingerprinting module that, as with Marap, is\r\npresumably used to identify targets of interest to further infect with additional modules or\r\npayloads. AdvisorsBot is under active development and we have also observed another\r\nversion of the malware completely rewritten in PowerShell and .NET.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:AdvisorsBot\u003e\r\nLast change to this tool card: 23 April 2020\r\nAll groups using tool AdvisorsBot\r\nChanged Name Country Observed\r\nAPT groups\r\n  TA555 [Unknown] 2018  \r\n1 group listed (1 APT, 0 other, 0 unknown)\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a97e6425-d811-4beb-89ed-c26ce7550d69",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a97e6425-d811-4beb-89ed-c26ce7550d69"
	],
	"report_names": [
		"listgroups.cgi?u=a97e6425-d811-4beb-89ed-c26ce7550d69"
	],
	"threat_actors": [
		{
			"id": "e9fcfe14-b91b-4f1d-a6f6-2de8a6dbca17",
			"created_at": "2022-10-25T16:07:24.287989Z",
			"updated_at": "2026-04-10T02:00:04.923791Z",
			"deleted_at": null,
			"main_name": "TA555",
			"aliases": [],
			"source_name": "ETDA:TA555",
			"tools": [
				"AdvisorsBot",
				"PoshAdvisor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "47524f3c-731b-4af2-a9df-67c96c734392",
			"created_at": "2023-01-06T13:46:39.319424Z",
			"updated_at": "2026-04-10T02:00:03.286323Z",
			"deleted_at": null,
			"main_name": "TA555",
			"aliases": [],
			"source_name": "MISPGALAXY:TA555",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438955,
	"ts_updated_at": 1775791502,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5deab9e1d7c1656917b2919d82f12665a0c3d30e.pdf",
		"text": "https://archive.orkl.eu/5deab9e1d7c1656917b2919d82f12665a0c3d30e.txt",
		"img": "https://archive.orkl.eu/5deab9e1d7c1656917b2919d82f12665a0c3d30e.jpg"
	}
}