{
	"id": "3bcb8f2c-b1bf-41da-a52d-331be0f940a9",
	"created_at": "2026-04-06T03:37:42.424823Z",
	"updated_at": "2026-04-10T13:12:49.591482Z",
	"deleted_at": null,
	"sha1_hash": "85da624792d3412589e98c41517ae86512a9b9ea",
	"title": "SMBAutoBrute - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46321,
	"plain_text": "SMBAutoBrute - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-06 03:11:22 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Invoke-SMBAutoBrute\r\n Tool: Invoke-SMBAutoBrute\r\nNames Invoke-SMBAutoBrute\r\nCategory Tools\r\nType Credential stealer\r\nDescription\r\nOne of my favorite post-ex metasploit modules is smb_login. It's great for running a quick test\r\nusing credentials you've discovered. One of the problems with it is that there is nothing that\r\nprevents you from locking out accounts. Plus, you have to create user list which means\r\ndumping users | cut | sed | awk, blah blah blah.\r\nInformation\r\n\u003chttps://www.shellntel.com/blog/2016/7/7/smart-smb-brute-forcing\u003e\r\n\u003chttps://github.com/Shellntel/scripts/blob/master/Invoke-SMBAutoBrute.ps1\u003e\r\nLast change to this tool card: 24 June 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Invoke-SMBAutoBrute\r\nChanged Name Country Observed\r\nAPT groups\r\n  Wizard Spider, Gold Blackburn 2014-May 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=664b8eb2-3747-4b8d-ae37-7ab489d554a6\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=664b8eb2-3747-4b8d-ae37-7ab489d554a6\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=664b8eb2-3747-4b8d-ae37-7ab489d554a6"
	],
	"report_names": [
		"listgroups.cgi?u=664b8eb2-3747-4b8d-ae37-7ab489d554a6"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446662,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85da624792d3412589e98c41517ae86512a9b9ea.pdf",
		"text": "https://archive.orkl.eu/85da624792d3412589e98c41517ae86512a9b9ea.txt",
		"img": "https://archive.orkl.eu/85da624792d3412589e98c41517ae86512a9b9ea.jpg"
	}
}