{
	"id": "8795aa99-0b0a-4aa1-876b-034ebc7e491b",
	"created_at": "2026-04-06T00:18:38.161776Z",
	"updated_at": "2026-04-10T03:35:42.335741Z",
	"deleted_at": null,
	"sha1_hash": "868a4c149e9b7951c71659e2c3def1e47d090cc8",
	"title": "Sprite Spider, Gold Dupont - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67396,
	"plain_text": "Sprite Spider, Gold Dupont - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 20:10:19 UTC\nHome \u003e List all groups \u003e Sprite Spider, Gold Dupont\n APT group: Sprite Spider, Gold Dupont\nNames\nSprite Spider (CrowdStrike)\nGold Dupont (SecureWorks)\nCountry [Unknown]\nMotivation Financial crime, Financial gain\nFirst seen 2015\nDescription\n(CrowdStrike) In 2020, CrowdStrike Intelligence observed both SPRITE SPIDER (the operators of Defray777) and C\nAnunak (the operators of DarkSide) deploy Linux versions of their respective ransomware families on ESXi hosts du\noperations. While ransomware for Linux has existed for many years, BGH actors have historically not targeted Linux\nESXi specifically. ESXi is a type of hypervisor that runs on dedicated hardware and manages multiple virtual machin\nWith more organizations migrating to virtualization solutions to consolidate legacy IT systems, this is a natural targe\nransomware operators looking to increase the impact against a victim.\nAll identified incidents were enabled by the acquisition of valid credentials. In four separate Defray777 incidents, SP\nSPIDER used administrator credentials to log in through the vCenter web interface. In one instance, SPRITE SPIDE\nthe PyXie remote access trojan (RAT) LaZagne module to harvest vCenter administrator credentials stored in a web b\nBy targeting these hosts, ransomware operators are able to quickly encrypt multiple systems with relatively few actu\nransomware deployments. Encrypting one ESXi server inflicts the same amount of damage as individually deploying\non each VM hosted on a given server.\nConsequently, targeting ESXi hosts can also improve the speed of BGH operat\nAdditionally, due to their lack of conventional operating systems, ESXi hosts lack endpoint protection software that c\nor detect ransomware attacks.\nObserved Sectors: Education, Healthcare, Manufacturing, Technology.\nTools used Cobalt Strike, Defray777, LaZagne, Metasploit, PyXie, SharpHound, Shifu, SystemBC, Vatet.\nOperations performed\nAug 2017\nNew Defray Ransomware Targets Education and Healthcare Verticals\nMay 2020\nTexas Courts hit by ransomware, network disabled to limit spread\nJun 2020\nNew Ransom X Ransomware used in Texas TxDOT cyberattack\nAug 2020\nBusiness technology giant Konica Minolta hit by new ransomware\nSep 2020\nSoftServe hit by ransomware, Windows customization tool exploited\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=20947960-7770-472c-8152-4f88a1f7ea69\nPage 1 of 2\n\nSep 2020\nLeading U.S. laser developer IPG Photonics hit with ransomware\nSep 2020\nGovernment software provider Tyler Technologies hit by ransomware\nOct 2020\nMontreal's STM public transport system hit by ransomware attack\nNov 2020\nBrazil's court system under massive RansomExx ransomware attack\nNov 2020\nRansomExx ransomware also encrypts Linux systems\nFeb 2021\nHypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ran\nMaximize Impact\nAug 2021\nRansomEXX ransomware leaks files stolen from Italian luxury brand Zegna\nAug 2021\nComputer hardware giant GIGABYTE hit by RansomEXX ransomware\nAug 2021\nRansomware hits Lojas Renner, Brazil’s largest clothing store chain\nMar 2022\nRansomware group attacks Scottish mental health charity\nOct 2022\nRansomExx Leaks 52GB of Barcelona Health Centers' Data\nInformation\nLast change to this card: 27 December 2022\nDownload this actor card in PDF or JSON format\nSource:\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=20947960-7770-472c-8152-4f88a1f7ea69",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=20947960-7770-472c-8152-4f88a1f7ea69"
	],
	"report_names": [
		"showcard.cgi?u=20947960-7770-472c-8152-4f88a1f7ea69"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434718,
	"ts_updated_at": 1775792142,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/868a4c149e9b7951c71659e2c3def1e47d090cc8.pdf",
		"text": "https://archive.orkl.eu/868a4c149e9b7951c71659e2c3def1e47d090cc8.txt",
		"img": "https://archive.orkl.eu/868a4c149e9b7951c71659e2c3def1e47d090cc8.jpg"
	}
}