{
	"id": "6c0dba49-a2ca-425d-bc11-0a244bf55b9f",
	"created_at": "2026-04-06T00:07:03.727716Z",
	"updated_at": "2026-04-10T03:35:16.911904Z",
	"deleted_at": null,
	"sha1_hash": "60eed369eaa1ceca4816ece3d3e97fcfb9066e8a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47703,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:13:35 UTC\n APT group: GCMAN\nNames\nGCMAN (Kaspersky)\nG0036 (MITRE)\nCountry Russia\nMotivation Financial crime\nFirst seen 2016\nDescription\n(Kaspersky) A second group, which we call GCMAN because the malware is based on\ncode compiled on the GCC compiler, emerged recently using similar techniques to the\nCorkow, Metel Group to infect banking institutions and attempt to transfer money to e-currency services.\nThe initial infection mechanism is handled by spear-phishing financial institution targets\nwith e-mails carrying a malicious RAR archive. Upon opening the RAR archive, an\nexecutable is started instead of a Microsoft Word document, resulting in infection.\nOnce inside the network, the GCMAN group uses legitimate and penetration testing\ntools such as Putty, VNC, and Meterpreter for lateral movement. Our investigation\nrevealed an attack where the group then planted a cron script into the bank’s server, sending\nfinancial transactions at the rate of $200 per minute. A time-based scheduler was\ninvoking the script every minute to post new transactions directly to the upstream payment\nprocessing system. This allowed the group to transfer money to multiple e-currency\nservices without these transactions being reported to any system inside the bank.\nObserved\nSectors: Financial.\nCountries: Russia.\nTools used GCMAN, Meterpreter, PuTTY, VNC and malicious RAR archives.\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e6eeb30a-a941-46f9-8340-20958f1d6cb0\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e6eeb30a-a941-46f9-8340-20958f1d6cb0\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e6eeb30a-a941-46f9-8340-20958f1d6cb0\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e6eeb30a-a941-46f9-8340-20958f1d6cb0"
	],
	"report_names": [
		"showcard.cgi?u=e6eeb30a-a941-46f9-8340-20958f1d6cb0"
	],
	"threat_actors": [
		{
			"id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa",
			"created_at": "2022-10-25T16:07:23.494355Z",
			"updated_at": "2026-04-10T02:00:04.629595Z",
			"deleted_at": null,
			"main_name": "Corkow",
			"aliases": [
				"Corkow",
				"Metel"
			],
			"source_name": "ETDA:Corkow",
			"tools": [
				"Corkow",
				"Metel"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b185161-668f-4cac-b930-9482f9706848",
			"created_at": "2022-10-25T16:07:23.670892Z",
			"updated_at": "2026-04-10T02:00:04.706866Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"G0036"
			],
			"source_name": "ETDA:GCMAN",
			"tools": [
				"GCMAN",
				"Meterpreter",
				"VNC",
				"Virtual Network Computing"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1e408839-27ce-4f52-b7c6-d0a700e54027",
			"created_at": "2023-01-06T13:46:38.479274Z",
			"updated_at": "2026-04-10T02:00:02.991414Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"G0036"
			],
			"source_name": "MISPGALAXY:GCMAN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fc11deee-6db4-46a9-a3d5-c02bb960cc51",
			"created_at": "2022-10-25T15:50:23.277991Z",
			"updated_at": "2026-04-10T02:00:05.400194Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"GCMAN"
			],
			"source_name": "MITRE:GCMAN",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775792116,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60eed369eaa1ceca4816ece3d3e97fcfb9066e8a.pdf",
		"text": "https://archive.orkl.eu/60eed369eaa1ceca4816ece3d3e97fcfb9066e8a.txt",
		"img": "https://archive.orkl.eu/60eed369eaa1ceca4816ece3d3e97fcfb9066e8a.jpg"
	}
}