{ "id": "e8b27a6c-7cc0-4956-9675-52cc8a58aeba", "created_at": "2026-04-06T00:12:36.264047Z", "updated_at": "2026-04-10T03:37:09.271112Z", "deleted_at": null, "sha1_hash": "606514dfc3a56ed76ddef032fb535ed82f46ba5d", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52990, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:05:36 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BadRabbit\n Tool: BadRabbit\nNames BadRabbit\nCategory Malware\nType Ransomware\nDescription\n(Talos) There have been several large scale ransomware campaigns over the last several months.\nThis appears to have some similarities to NotPetya in that it is also based on Petya ransomware.\nMajor portions of the code appear to have been rewritten. The distribution does not appear to have\nthe sophistication of the supply chain attacks we have seen recently.\nDespite initial reports, we currently have no evidence that the EternalBlue exploit is being\nleveraged. However, we identified the usage of the EternalRomance exploit to propagate in the\nnetwork. This exploit takes advantage of a vulnerability described in the Microsoft MS17-010\nsecurity bulletin. The vulnerability was also exploited during the Nyetya campaign.\nInformation\nAlienVault OTX Last change to this tool card: 21 May 2020\nDownload this tool card in JSON format\nAll groups using tool BadRabbit\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d8583406-a007-40a0-97a4-217300e1529f\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  TeleBots 2015-Oct 2020\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d8583406-a007-40a0-97a4-217300e1529f\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d8583406-a007-40a0-97a4-217300e1529f\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d8583406-a007-40a0-97a4-217300e1529f" ], "report_names": [ "listgroups.cgi?u=d8583406-a007-40a0-97a4-217300e1529f" ], "threat_actors": [ { "id": "39842197-944a-49fd-9bec-eafa1807e0ea", "created_at": "2022-10-25T16:07:24.310589Z", "updated_at": "2026-04-10T02:00:04.931264Z", "deleted_at": null, "main_name": "TeleBots", "aliases": [], "source_name": "ETDA:TeleBots", "tools": [ "BadRabbit", "Black Energy", "BlackEnergy", "CredRaptor", "Diskcoder.C", "EternalPetya", "ExPetr", "Exaramel", "FakeTC", "Felixroot", "GreyEnergy", "GreyEnergy mini", "KillDisk", "LOLBAS", "LOLBins", "Living off the Land", "NonPetya", "NotPetya", "Nyetya", "Petna", "Petrwrap", "Pnyetya", "TeleBot", "TeleDoor", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "nPetya" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434356, "ts_updated_at": 1775792229, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/606514dfc3a56ed76ddef032fb535ed82f46ba5d.pdf", "text": "https://archive.orkl.eu/606514dfc3a56ed76ddef032fb535ed82f46ba5d.txt", "img": "https://archive.orkl.eu/606514dfc3a56ed76ddef032fb535ed82f46ba5d.jpg" } }