{
	"id": "2d1a3fab-5486-493b-9127-0855e206ad9f",
	"created_at": "2026-04-06T00:06:40.397045Z",
	"updated_at": "2026-04-10T03:36:36.882144Z",
	"deleted_at": null,
	"sha1_hash": "79cb6e0054a9e326e1fcbf01bbdf7b1672df7f26",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46622,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:36:47 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Snatch\n Tool: Snatch\nNames Snatch\nCategory Malware\nType Ransomware\nDescription\nSnatch is a ransomware which infects victims by rebooting the PC into Safe Mode. Most of the\nexisting security protections do not run in Safe Mode so that the malware can act without\nexpected countermeasures and it can encrypt as many files as it finds. It uses common packers\nsuch as UPX to hide its payload.\nInformation\nMalpedia Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool Snatch\nChanged Name Country Observed\nAPT groups\n TA505, Graceful Spider, Gold Evergreen 2006-Nov 2022\nOther groups\n TA554 [Unknown] 2017\n2 groups listed (1 APT, 1 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a338ae80-2971-4968-b679-0bd59ceb9906\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a338ae80-2971-4968-b679-0bd59ceb9906\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a338ae80-2971-4968-b679-0bd59ceb9906\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a338ae80-2971-4968-b679-0bd59ceb9906"
	],
	"report_names": [
		"listgroups.cgi?u=a338ae80-2971-4968-b679-0bd59ceb9906"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3808e4f-c7fd-4d25-aa84-aacc27061826",
			"created_at": "2023-01-06T13:46:39.316216Z",
			"updated_at": "2026-04-10T02:00:03.285437Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "MISPGALAXY:TA554",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ada819f-dec0-4de4-97eb-0a8aff899c56",
			"created_at": "2023-01-06T13:46:39.225531Z",
			"updated_at": "2026-04-10T02:00:03.251546Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD EVERGREEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9be98f84-4a93-41c7-90bd-3ea66ba5bfd7",
			"created_at": "2022-10-25T16:07:24.581954Z",
			"updated_at": "2026-04-10T02:00:05.040995Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "ETDA:TA554",
			"tools": [
				"DarkVNC",
				"Godzilla",
				"Godzilla Loader",
				"Gootkit",
				"Gootloader",
				"Gozi ISFB",
				"ISFB",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Nimnul",
				"Pandemyia",
				"PsiX",
				"PsiXBot",
				"Ramnit",
				"StarsLord",
				"Waldek",
				"Xswkit",
				"sLoad",
				"talalpek"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434000,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79cb6e0054a9e326e1fcbf01bbdf7b1672df7f26.pdf",
		"text": "https://archive.orkl.eu/79cb6e0054a9e326e1fcbf01bbdf7b1672df7f26.txt",
		"img": "https://archive.orkl.eu/79cb6e0054a9e326e1fcbf01bbdf7b1672df7f26.jpg"
	}
}