{
	"id": "2b72c6cf-8f9b-4e2f-98fd-09c28133a730",
	"created_at": "2026-04-06T00:13:12.498188Z",
	"updated_at": "2026-04-10T03:26:17.713624Z",
	"deleted_at": null,
	"sha1_hash": "664528b38d0aeb030317637ed0b388493d254495",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61896,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:08:31 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GuLoader\n Tool: GuLoader\nNames\nGuLoader\nvbdropper\nCloudEyE\nCategory Malware\nType Loader\nDescription\n(Proofpoint) Proofpoint researchers have observed a new downloader in the wild that we\nand other researchers are calling “GuLoader.” Our researchers first observed GuLoader\nin late December 2019 being used to deliver Parallax RAT, which itself had recently\nbeen released. While we regularly observe new loaders, GuLoader has gained popularity\nquickly and is in active use by multiple threat actors. GuLoader is a downloader, written\npartly in VB6, which typically stores its encrypted payloads on Google Drive or\nMicrosoft OneDrive (underscoring that threat actors continue to adopt the cloud just like\nlegitimate businesses are).\nGuLoader is a portable executable (PE) file that is often observed embedded in a\ncontainer file such as an .iso or .rar file. We have also observed it being downloaded\ndirectly from various cloud hosting platforms. GuLoader is used predominantly to\ndownload remote access Trojans (RATs) and information stealers such as Agent\nTesla/Origin Logger, Formbook, NanoCore RAT, NetWire RC, RemcosRAT, Ave\nMaria/Warzone RAT and Parallax RAT.\nInformation https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=835729de-277b-4407-a4a6-4f6ad64b853f\nPage 1 of 2\n\nMITRE ATT\u0026CK Malpedia\nAlienVault OTX Last change to this tool card: 26 December 2024\nDownload this tool card in JSON format\nAll groups using tool GuLoader\nChanged Name Country Observed\nAPT groups\n DarkCasino [Unknown] 2021\n RATicate [Unknown] 2019\n2 groups listed (2 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=835729de-277b-4407-a4a6-4f6ad64b853f\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=835729de-277b-4407-a4a6-4f6ad64b853f\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=835729de-277b-4407-a4a6-4f6ad64b853f"
	],
	"report_names": [
		"listgroups.cgi?u=835729de-277b-4407-a4a6-4f6ad64b853f"
	],
	"threat_actors": [
		{
			"id": "0bc63952-5795-4fc7-85c1-50a7f207f2f0",
			"created_at": "2023-11-14T02:00:07.095723Z",
			"updated_at": "2026-04-10T02:00:03.450401Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [],
			"source_name": "MISPGALAXY:DarkCasino",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a5bd315b-6220-441f-8ed1-39e194dcd0e3",
			"created_at": "2023-12-01T02:02:33.667762Z",
			"updated_at": "2026-04-10T02:00:04.641333Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [
				"Water Hydra"
			],
			"source_name": "ETDA:DarkCasino",
			"tools": [
				"CloudEyE",
				"DarkMe",
				"GuLoader",
				"PikoloRAT",
				"vbdropper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0d07b30c-4393-4071-82fb-22f51f7749e0",
			"created_at": "2022-10-25T16:07:24.097096Z",
			"updated_at": "2026-04-10T02:00:04.865146Z",
			"deleted_at": null,
			"main_name": "RATicate",
			"aliases": [],
			"source_name": "ETDA:RATicate",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"BetaBot",
				"BlackRAT",
				"BlackRemote",
				"Bladabindi",
				"CloudEyE",
				"ForeIT",
				"Formbook",
				"GuLoader",
				"Jorik",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NSIS",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neurevt",
				"Nullsoft Scriptable Install System",
				"Origin Logger",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"ZPAQ",
				"njRAT",
				"vbdropper",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434392,
	"ts_updated_at": 1775791577,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/664528b38d0aeb030317637ed0b388493d254495.pdf",
		"text": "https://archive.orkl.eu/664528b38d0aeb030317637ed0b388493d254495.txt",
		"img": "https://archive.orkl.eu/664528b38d0aeb030317637ed0b388493d254495.jpg"
	}
}