{
	"id": "bd2cd95d-0036-4140-a730-0f2f36e47a37",
	"created_at": "2026-04-06T00:19:12.735214Z",
	"updated_at": "2026-04-10T03:33:27.541416Z",
	"deleted_at": null,
	"sha1_hash": "63ce319d9a75a3d61f6a6112f6fecacae39185b2",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43938,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:38:41 UTC\nOther threat group: UNC1878\nNames: UNC1878 (FireEye)\nCountry: [Unknown]\nMotivation: Financial gain\nFirst seen: 2020\nDescription\n(BleepingComputer) Wyckoff Heights Medical Center in Brooklyn and the University of\nVermont Health Network are the latest victims of the Ryuk ransomware attack spree covering\nthe healthcare industry across the U.S.\nYesterday, the U.S. government hosted an emergency call with stakeholders in the healthcare\nindustry to alert them to an 'increased and imminent cybercrime threat to U.S. hospitals and\nhealthcare providers.'\nLater in the day, CISA issued a joint advisory publicly warning that U.S. hospitals and\nhealthcare providers are actively targeted in cyberattacks deploying the Ryuk ransomware.\nCharles Carmakal, senior vice president and CTO of Mandiant, told BleepingComputer that an\nEastern European hacking group known as UNC1878 is responsible for these attacks and that\nthey intend to attack hundreds of hospitals.\nObserved\nSectors: Healthcare.\nCountries: USA.\nTools used: BazarBackdoor, Cobalt Strike, Ryuk.\nInformation\nLast change to this card: 05 January 2021\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9c20d87e-bc52-4f83-99ab-b85ef1aa789f\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9c20d87e-bc52-4f83-99ab-b85ef1aa789f\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9c20d87e-bc52-4f83-99ab-b85ef1aa789f"
	],
	"report_names": [
		"showcard.cgi?u=9c20d87e-bc52-4f83-99ab-b85ef1aa789f"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775792007,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63ce319d9a75a3d61f6a6112f6fecacae39185b2.pdf",
		"text": "https://archive.orkl.eu/63ce319d9a75a3d61f6a6112f6fecacae39185b2.txt",
		"img": "https://archive.orkl.eu/63ce319d9a75a3d61f6a6112f6fecacae39185b2.jpg"
	}
}