{
	"id": "349248dc-8efe-4840-9cb9-1672a4eaecd6",
	"created_at": "2026-04-06T00:16:57.248778Z",
	"updated_at": "2026-04-10T13:11:23.521827Z",
	"deleted_at": null,
	"sha1_hash": "8730c82301ab4076df168967535b5e89cf879e94",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48675,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:03:37 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Gelup\r\n Tool: Gelup\r\nNames Gelup\r\nCategory Malware\r\nType Downloader\r\nDescription\r\n(Trend Micro) In the same June 20 campaign, we also found another apparently new,\r\nundisclosed malware, which we named “Gelup”. A custom packer was also used to pack\r\nsome variants of this malware. Again, it uses the same packer that TA505 has been using.\r\nThe unpacked payload is written in C++ and basically works as a downloader for another\r\nmalware. What makes Gelup different, however, is its obfuscation technique and UAC-bypassing function bymocking trusted directories (spoofing the file’s execution path in a\r\ntrusted directory), abusing auto-elevated executables, and using the dynamic-link library\r\n(DLL) side-loading technique.\r\nFirst, Gelup resolves most Windows application programming interfaces (APIs) by using\r\nthe hash just before calling it —a common technique used by a lot of malware families.\r\nSecond, the strings in Gelup’s code are decrypted at runtime.\r\nInformation\r\n\u003chttps://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:Gelup\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Gelup\r\nChanged Name Country Observed\r\nAPT groups\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fabed506-43cc-4663-8ad1-586396c8b76a\r\nPage 1 of 2\n\nTA505, Graceful Spider, Gold Evergreen 2006-Nov 2022\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fabed506-43cc-4663-8ad1-586396c8b76a\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fabed506-43cc-4663-8ad1-586396c8b76a\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fabed506-43cc-4663-8ad1-586396c8b76a"
	],
	"report_names": [
		"listgroups.cgi?u=fabed506-43cc-4663-8ad1-586396c8b76a"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8ada819f-dec0-4de4-97eb-0a8aff899c56",
			"created_at": "2023-01-06T13:46:39.225531Z",
			"updated_at": "2026-04-10T02:00:03.251546Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD EVERGREEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434617,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8730c82301ab4076df168967535b5e89cf879e94.pdf",
		"text": "https://archive.orkl.eu/8730c82301ab4076df168967535b5e89cf879e94.txt",
		"img": "https://archive.orkl.eu/8730c82301ab4076df168967535b5e89cf879e94.jpg"
	}
}