{ "id": "12ae4d3c-1448-415f-bc26-1e0bb3495f7c", "created_at": "2026-04-06T00:17:27.245173Z", "updated_at": "2026-04-10T13:12:39.487935Z", "deleted_at": null, "sha1_hash": "7e3706b57384dd0a940b8161470f0480d19fb1ff", "title": "Macaw Locker - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45955, "plain_text": "Macaw Locker - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-02 12:30:21 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Macaw Locker\n Tool: Macaw Locker\nNames Macaw Locker\nCategory Malware\nType Ransomware, Big Game Hunting\nDescription\n(Bleeping Computer) The Macaw Locker ransomware will encrypt victims' files and append\nthe .macaw extension to the file name when conducting attacks.\nInformation\nLast change to this tool card: 03 November 2021\nDownload this tool card in JSON format\nAll groups using tool Macaw Locker\nChanged Name Country Observed\nAPT groups\n Indrik Spider 2007-Oct 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=63182a27-ab94-47ee-b314-fb8357069712\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=63182a27-ab94-47ee-b314-fb8357069712\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=63182a27-ab94-47ee-b314-fb8357069712" ], "report_names": [ "listgroups.cgi?u=63182a27-ab94-47ee-b314-fb8357069712" ], "threat_actors": [ { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9", "created_at": "2023-01-06T13:46:38.839083Z", "updated_at": "2026-04-10T02:00:03.117987Z", "deleted_at": null, "main_name": "INDRIK SPIDER", "aliases": [ "Manatee Tempest" ], "source_name": "MISPGALAXY:INDRIK SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434647, "ts_updated_at": 1775826759, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7e3706b57384dd0a940b8161470f0480d19fb1ff.pdf", "text": "https://archive.orkl.eu/7e3706b57384dd0a940b8161470f0480d19fb1ff.txt", "img": "https://archive.orkl.eu/7e3706b57384dd0a940b8161470f0480d19fb1ff.jpg" } }