{ "id": "17e1d2ef-82dd-41a0-a8a8-dad18a67cf6b", "created_at": "2026-04-06T00:14:31.992595Z", "updated_at": "2026-04-10T03:25:28.136354Z", "deleted_at": null, "sha1_hash": "732af30a60c5f952a582f3e2eda7d86fe5e7fe1e", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53229, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:33:58 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Buhtrap\n Tool: Buhtrap\nNames\nBuhtrap\nRatopak\nCategory Malware\nType\nBanking trojan, Backdoor, Keylogger, Credential stealer, Info stealer, Downloader,\nExfiltration\nDescription\n(ESET) The infection vector we have seen consists of Microsoft Word documents sent as\nemail attachments that exploit CVE-2012-0158, a vulnerability in Microsoft Word that\nwas patched three years ago. The images below show two of the decoy documents used in\nthis campaign. The first document, titled “Счет № 522375-ФЛОРЛ-14-115.doc” mimics\nan invoice. The second, aptly titled “kontrakt87.doc”, copies a generic\ntelecommunications service contract from MegaFon, a large Russian mobile phone\noperator.\nThe tools deployed on the victim’s computer allow them to control it remotely and to\nrecord the user’s actions. The malware allows the criminals to install a backdoor, attempt\nto obtain the account password, and even create a new account. They also install a\nkeylogger, a clipboard stealer, a smart card module, and have the capability to download\nand execute additional malware.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 13 May 2020\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7790d629-5724-4da6-8201-e2b031e8c487\nPage 1 of 2\n\nDownload this tool card in JSON format\r\nAll groups using tool Buhtrap\r\nChanged Name Country Observed\r\nAPT groups\r\n  Buhtrap, Ratopak Spider 2015-Jun 2019  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7790d629-5724-4da6-8201-e2b031e8c487\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7790d629-5724-4da6-8201-e2b031e8c487\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7790d629-5724-4da6-8201-e2b031e8c487" ], "report_names": [ "listgroups.cgi?u=7790d629-5724-4da6-8201-e2b031e8c487" ], "threat_actors": [ { "id": "01d569b1-f089-4a8f-8396-85078b93da26", "created_at": "2023-01-06T13:46:38.411615Z", "updated_at": "2026-04-10T02:00:02.963422Z", "deleted_at": null, "main_name": "BuhTrap", "aliases": [], "source_name": "MISPGALAXY:BuhTrap", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb", "created_at": "2022-10-25T16:07:23.427162Z", "updated_at": "2026-04-10T02:00:04.594113Z", "deleted_at": null, "main_name": "Buhtrap", "aliases": [ "Buhtrap", "Operation TwoBee", "Ratopak Spider", "UAC-0008" ], "source_name": "ETDA:Buhtrap", "tools": [ "AmmyyRAT", "Buhtrap", "CottonCastle", "FlawedAmmyy", "NSIS", "Niteris EK", "Nullsoft Scriptable Install System", "Ratopak" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434471, "ts_updated_at": 1775791528, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/732af30a60c5f952a582f3e2eda7d86fe5e7fe1e.pdf", "text": "https://archive.orkl.eu/732af30a60c5f952a582f3e2eda7d86fe5e7fe1e.txt", "img": "https://archive.orkl.eu/732af30a60c5f952a582f3e2eda7d86fe5e7fe1e.jpg" } }