{ "id": "78257210-c211-4cdb-aa08-6c2395975c16", "created_at": "2026-04-06T00:19:14.506455Z", "updated_at": "2026-04-10T03:25:18.474749Z", "deleted_at": null, "sha1_hash": "7c527651260a24a1f713708099ff096fa609748d", "title": "Guru Spider - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50248, "plain_text": "Guru Spider - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:25:12 UTC\n Other threat group: Guru Spider\nNames Guru Spider (CrowdStrike)\nCountry Russia\nMotivation Financial gain\nFirst seen 2014\nDescription\n(Forcepoint) Quant is not new or a very novel piece of malware: we covered the\nbasics of it last year when it was first advertised by its creator, MrRaiX, and began\nto emerge in the wild. However, analysis of the newly obtained samples quickly\nrevealed some differences to the previously documented Quant-based Locky and\nPony campaigns. Further, these newest samples all appeared to attempt to download\nthe same payload files from the C2 server after their initial connection.\nObserved Countries: Worldwide.\nTools used\nMadness PRO DDoS, MBS BTC Stealer, MKL Pro Keylogger, Quant Loader,\nZ*Stealer.\nOperations performed\nSep 2016\nOn September 1, 2016 a new trojan downloader became available to\npurchase on various Russian underground forums. Named 'Quant\nLoader' by its creator, the downloader has already been used to\ndistribute the Locky Zepto crypto-ransomware, and Pony (aka Fareit)\nmalware families.\nMar 2018\nQuantLoader is a Trojan downloader that has been available for sale\non underground forums for quite some time now. It has been used in\ncampaigns serving a range of malware, including ransomware,\nBanking Trojans, and RATs. The campaign that we are going to\nanalyze is serving a BackDoor.\nMar 2018 Barracuda Threat Spotlight: New URL File Outbreak Could be a\nRansomware Attempt\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=37981739-ee01-4d4f-aa5f-aa1c76d23b0d\nPage 1 of 2\n\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=37981739-ee01-4d4f-aa5f-aa1c76d23b0d\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=37981739-ee01-4d4f-aa5f-aa1c76d23b0d\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=37981739-ee01-4d4f-aa5f-aa1c76d23b0d" ], "report_names": [ "showcard.cgi?u=37981739-ee01-4d4f-aa5f-aa1c76d23b0d" ], "threat_actors": [ { "id": "64ac8ebd-4cd6-410b-83f3-f3ef25b59156", "created_at": "2022-10-25T16:07:24.494373Z", "updated_at": "2026-04-10T02:00:05.009827Z", "deleted_at": null, "main_name": "Guru Spider", "aliases": [], "source_name": "ETDA:Guru Spider", "tools": [ "MBS BTC Stealer", "MKL Pro Keylogger", "Madness PRO DDoS", "Quant Loader", "QuantLoader", "Z*Stealer", "ZStealer" ], "source_id": "ETDA", "reports": null }, { "id": "bc28c4ad-2d4b-47f4-8303-7360a9e72570", "created_at": "2023-01-06T13:46:38.900931Z", "updated_at": "2026-04-10T02:00:03.13942Z", "deleted_at": null, "main_name": "GURU SPIDER", "aliases": [], "source_name": "MISPGALAXY:GURU SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434754, "ts_updated_at": 1775791518, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7c527651260a24a1f713708099ff096fa609748d.pdf", "text": "https://archive.orkl.eu/7c527651260a24a1f713708099ff096fa609748d.txt", "img": "https://archive.orkl.eu/7c527651260a24a1f713708099ff096fa609748d.jpg" } }