{ "id": "2b706d2d-d62a-4bb4-b897-b1b249d16b3e", "created_at": "2026-04-06T00:15:13.817947Z", "updated_at": "2026-04-10T03:25:40.561901Z", "deleted_at": null, "sha1_hash": "80738ce8b6a284fc3ca802834855ee8ae07589a6", "title": "Circus Spider - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 65711, "plain_text": "Circus Spider - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:02:24 UTC\nNamesCircus Spider (CrowdStrike) Country[Unknown] MotivationFinancial gain First seen2019\nDescription(Carbon Black) MailTo is a ransomware variant that has recently been reported to have been part of a\ntargeted attack against Toll Group, an Australian freight and logistics company. This ransomware makes no\nattempt to remain stealthy, and quickly encrypts the user’s data as soon as the ransomware is launched. Once the\nencryption phase completes, the encrypted files are renamed to contain the word “mailto”, which is where the\nname originated from. ObservedSectors: Education, Energy, Government, Healthcare, Manufacturing, Shipping\nand Logistics, Transportation.\nCountries: Argentina, Australia, Austria, Belgium, Brazil, Canada, Chile, China, Colombia, France, Germany,\nGuatemala, Hungary, India, Iran, Ireland, Italy, Luxembourg, Malaysia, Netherlands, New Zealand, Nicaragua,\nNigeria, Norway, Pakistan, Poland, Russia, Saudi Arabia, South Africa, Spain, Sweden, Thailand, Ukraine, USA,\nVietnam. Tools usedNetWalker. Operations performedFeb 2020Ransomware Attack Hinders Toll Group\nOperations\nMar 2020Netwalker\nRansomware Infecting Users via Coronavirus Phishing\nMar 2020Spanish hospitals targeted with coronavirus-themed phishing lures in Netwalker ransomware\nattacks\nMay 2020Michigan State\nUniversity hit by ransomware gang\nMay 2020Ransomware\nrecruits affiliates with huge payouts, automated leaks\nJun 2020Netwalker ransomware continues assault on US colleges, hits UCSF\nJun 2020Philadelphia-area health system says it 'isolated' a malware attack\nJul 2020Netwalker\nRansomware Stole Data After Targeting Lorien Health Services\nSep 2020Netwalker ransomware hits Pakistan's largest private power utility\nSep 2020Netwalker ransomware hits Argentinian government, demands $4 million\nSep 2020Cyber threat startup Cygilant hit by ransomware\nSep 2020Equinix data center giant hit by Netwalker\nRansomware, $4.5M ransom\nOct 2020Enel Group hit by ransomware again, Netwalker demands $14 million\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0de32c9a-cacb-4de5-84c5-866625288f24\nPage 1 of 2\n\nCounter operationsJan 2021Department of Justice Launches Global Action Against NetWalker\nRansomware\nFeb\n2022NetWalker ransomware affiliate sentenced to seven years in prison\nDec\n2024Romanian Netwalker ransomware affiliate sentenced to 20 years in prison\nInformation Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0de32c9a-cacb-4de5-84c5-866625288f24\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0de32c9a-cacb-4de5-84c5-866625288f24\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0de32c9a-cacb-4de5-84c5-866625288f24" ], "report_names": [ "showcard.cgi?u=0de32c9a-cacb-4de5-84c5-866625288f24" ], "threat_actors": [ { "id": "53201ab8-30d2-4722-816e-f914604e78df", "created_at": "2022-10-25T16:07:23.466825Z", "updated_at": "2026-04-10T02:00:04.620188Z", "deleted_at": null, "main_name": "Circus Spider", "aliases": [], "source_name": "ETDA:Circus Spider", "tools": [ "Koko Ransomware", "MailTo", "NetWalker" ], "source_id": "ETDA", "reports": null }, { "id": "373d61cc-32a0-4c0c-b48b-ff9e3f1357ac", "created_at": "2023-01-06T13:46:39.222456Z", "updated_at": "2026-04-10T02:00:03.250483Z", "deleted_at": null, "main_name": "CIRCUS SPIDER", "aliases": [], "source_name": "MISPGALAXY:CIRCUS SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434513, "ts_updated_at": 1775791540, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/80738ce8b6a284fc3ca802834855ee8ae07589a6.pdf", "text": "https://archive.orkl.eu/80738ce8b6a284fc3ca802834855ee8ae07589a6.txt", "img": "https://archive.orkl.eu/80738ce8b6a284fc3ca802834855ee8ae07589a6.jpg" } }