{ "id": "59d47115-8ecd-4322-b6e9-e38f1ff93e7a", "created_at": "2026-04-06T03:37:32.705801Z", "updated_at": "2026-04-10T03:37:23.831574Z", "deleted_at": null, "sha1_hash": "6beff94edbae081df1d2f1ce2dca3d8c06ef1e22", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51427, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 02:12:49 UTC\nHome \u003e List all groups \u003e TA551, Shathak\n Other threat group: TA551, Shathak\nNames\nTA551 (Proofpoint)\nGold Cabin (SecureWorks)\nShathak (?)\nMonster Libra (Palo Alto)\nG0127 (MITRE)\nCountry Russia\nMotivation Financial gain\nFirst seen 2016\nDescription\n(Palo Alto) TA551 (also known as Shathak) is an email-based malware distribution\ncampaign that often targets English-speaking victims. The campaign discussed in\nthis blog has targeted German, Italian and Japanese speakers. TA551 has historically\npushed different families of information-stealing malware like Ursnif and Valak.\nAfter mid-July 2020, this campaign has exclusively pushed IcedID malware, another\ninformation stealer.\nObserved\nTools used BokBot, Gozi, Sliver, Valak.\nOperations performed\nOct 2021\nTA551 Uses ‘SLIVER’ Red Team Tool in New Activity\nJan 2021\nFrom IcedID to Domain Compromise\nInformation\nMITRE ATT\u0026CK https://apt.etda.or.th/cgi-bin/showcard.cgi?u=269da320-1b20-4721-9bd6-17e0a355fe7d\nPage 1 of 2\n\nPlaybook \u003chttps://pan-unit42.github.io/playbook_viewer/?pb=monsterlibra\u003e\r\nLast change to this card: 16 August 2025\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=269da320-1b20-4721-9bd6-17e0a355fe7d\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=269da320-1b20-4721-9bd6-17e0a355fe7d\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=269da320-1b20-4721-9bd6-17e0a355fe7d" ], "report_names": [ "showcard.cgi?u=269da320-1b20-4721-9bd6-17e0a355fe7d" ], "threat_actors": [ { "id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f", "created_at": "2022-10-25T15:50:23.579601Z", "updated_at": "2026-04-10T02:00:05.360509Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "TA551", "GOLD CABIN", "Shathak" ], "source_name": "MITRE:TA551", "tools": [ "QakBot", "IcedID", "Valak", "Ursnif" ], "source_id": "MITRE", "reports": null }, { "id": "40b623c7-b621-48db-b55b-dd4f6746fbc6", "created_at": "2024-06-19T02:03:08.017681Z", "updated_at": "2026-04-10T02:00:03.665818Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shathak", "TA551 " ], "source_name": "Secureworks:GOLD CABIN", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "90f216f2-4897-46fc-bb76-3acae9d112ca", "created_at": "2023-01-06T13:46:39.248936Z", "updated_at": "2026-04-10T02:00:03.260122Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shakthak", "TA551", "ATK236", "G0127", "Monster Libra" ], "source_name": "MISPGALAXY:GOLD CABIN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68", "created_at": "2022-10-25T16:07:24.578896Z", "updated_at": "2026-04-10T02:00:05.039955Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "G0127", "Gold Cabin", "Monster Libra", "Shathak", "TA551" ], "source_name": "ETDA:TA551", "tools": [ "BokBot", "CRM", "Gozi", "Gozi CRM", "IceID", "IcedID", "Papras", "Snifula", "Ursnif", "Valak", "Valek" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775446652, "ts_updated_at": 1775792243, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6beff94edbae081df1d2f1ce2dca3d8c06ef1e22.pdf", "text": "https://archive.orkl.eu/6beff94edbae081df1d2f1ce2dca3d8c06ef1e22.txt", "img": "https://archive.orkl.eu/6beff94edbae081df1d2f1ce2dca3d8c06ef1e22.jpg" } }