{
	"id": "72c7dbe5-75fb-49f4-8b81-04059cee70dd",
	"created_at": "2026-04-06T00:18:23.866964Z",
	"updated_at": "2026-04-10T03:37:26.693684Z",
	"deleted_at": null,
	"sha1_hash": "6ba2cde615b6a87e68cc58251763e358e3bb8a87",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53488,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:05:09 UTC\nTool: URLZone\nNames: URLZone, Bebloh, Shiotob\nCategory: Malware\nType: Banking trojan, Info stealer, Credential stealer\nDescription\n(FireEye) URLZone is a banking trojan. It downloads a configuration file that contains information on targeted financial institutions, and uses web injection techniques to steal a user’s banking credentials.\nInformation: Malpedia, AlienVault OTX\nLast change to this tool card: 14 May 2020\nAll groups using tool URLZone\nChanged | Name | Country | Observed\nOther groups\n | Bamboo Spider, TA544 | [Unknown] | 2016-Apr 2022\n1 group listed (0 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c2c5c377-1ce2-4488-8dc9-300465eb096e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c2c5c377-1ce2-4488-8dc9-300465eb096e"
	],
	"report_names": [
		"listgroups.cgi?u=c2c5c377-1ce2-4488-8dc9-300465eb096e"
	],
	"threat_actors": [
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a8107a-f669-41af-ba79-41b1cbdc4654",
			"created_at": "2023-01-06T13:46:39.228649Z",
			"updated_at": "2026-04-10T02:00:03.25247Z",
			"deleted_at": null,
			"main_name": "BAMBOO SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BAMBOO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider",
				"Storm-0302",
				"TA544"
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434703,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ba2cde615b6a87e68cc58251763e358e3bb8a87.pdf",
		"text": "https://archive.orkl.eu/6ba2cde615b6a87e68cc58251763e358e3bb8a87.txt",
		"img": "https://archive.orkl.eu/6ba2cde615b6a87e68cc58251763e358e3bb8a87.jpg"
	}
}