{ "id": "0abb1337-7de2-4d29-a220-a6f27e83e350", "created_at": "2026-04-06T00:16:57.137998Z", "updated_at": "2026-04-10T13:12:54.750664Z", "deleted_at": null, "sha1_hash": "8ab6b53296dcfe0bc0f177246c14186a934e0244", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54199, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:47:54 UTC\r\nHome \u003e List all groups \u003e Andromeda Spider\r\n Other threat group: Andromeda Spider\r\nNames Andromeda Spider (CrowdStrike)\r\nCountry Belarus\r\nMotivation Financial gain\r\nFirst seen 2011\r\nDescription\r\n(Virus Bulletin) Andromeda, also known as Gamaru and Wauchos, is a modular and\r\nHTTP-based botnet that was discovered in late 2011. From that point on, it managed to\r\nsurvive and continue hardening by evolving in different ways. In particular, the\r\ncomplexity of its loader and AV evasion methods increased repeatedly, and C\u0026C\r\ncommunication changed between the different versions as well.\r\nWe deal with versions of this threat on a daily basis and we have collected a number of\r\ndifferent variants. The botnet first came onto our tracking radar at version 2.06, and we\r\nhave tracked the versions since then. In this paper we will describe the evolution of\r\nAndromeda from version 2.06 to 2.10 and demonstrate both how it has improved its\r\nloader to evade automatic analysis/detection and how the payload varies among the\r\ndifferent versions.\r\nThis article could also be seen as a way to say 'goodbye' to the botnet: a takedown\r\neffort, followed by the arrest of the suspected botnet owner in December 2017, may\r\nmean we have seen the last of the botnet that has plagued Internet users for more than\r\nhalf a decade.\r\nThe Andromeda botnet has been observed to be used by Transparent Tribe, APT 36.\r\nObserved Countries: Worldwide.\r\nTools used Andromeda.\r\nCounter operations Nov 2017\r\nAndromeda botnet dismantled in international cyber operation\r\n\u003chttps://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation\u003e\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d8893cf-3c8f-4c3f-a9e5-67b29b55937e\r\nPage 1 of 2\n\nInformation\nLast change to this card: 15 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d8893cf-3c8f-4c3f-a9e5-67b29b55937e\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d8893cf-3c8f-4c3f-a9e5-67b29b55937e\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d8893cf-3c8f-4c3f-a9e5-67b29b55937e" ], "report_names": [ "showcard.cgi?u=0d8893cf-3c8f-4c3f-a9e5-67b29b55937e" ], "threat_actors": [ { "id": "fce5181c-7aab-400f-bd03-9db9e791da04", "created_at": "2022-10-25T15:50:23.759799Z", "updated_at": "2026-04-10T02:00:05.3002Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "Transparent Tribe", "COPPER FIELDSTONE", "APT36", "Mythic Leopard", "ProjectM" ], "source_name": "MITRE:Transparent Tribe", "tools": [ "DarkComet", "ObliqueRAT", "njRAT", "Peppy" ], "source_id": "MITRE", "reports": null }, { "id": "02360638-1e6e-428e-8912-2ffeba84d6d4", "created_at": "2023-01-06T13:46:38.690458Z", "updated_at": "2026-04-10T02:00:03.069409Z", "deleted_at": null, "main_name": "ANDROMEDA SPIDER", "aliases": [], "source_name": "MISPGALAXY:ANDROMEDA SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "05dc568a-6039-476a-8175-a396cdc79fa7", "created_at": "2022-10-25T16:07:24.447328Z", "updated_at": "2026-04-10T02:00:04.995568Z", "deleted_at": null, "main_name": "Andromeda Spider", "aliases": [], "source_name": "ETDA:Andromeda Spider", "tools": [ "Andromeda", "B106-Gamarue", "B67-SS-Gamarue", "Gamarue", "b66" ], "source_id": "ETDA", "reports": null }, { "id": "abb24b7b-6baa-4070-9a2b-aa59091097d1", "created_at": "2022-10-25T16:07:24.339942Z", "updated_at": "2026-04-10T02:00:04.944806Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "APT 36", "APT-C-56", "Copper Fieldstone", "Earth Karkaddan", "G0134", "Green Havildar", "Mythic Leopard", "Opaque Draco", "Operation C-Major", "Operation Honey Trap", "Operation Transparent Tribe", "ProjectM", "STEPPY-KAVACH", "Storm-0156", "TEMP.Lapis", "Transparent Tribe" ], "source_name": "ETDA:Transparent Tribe", "tools": [ "Amphibeon", "Android RAT", "Bezigate", "Bladabindi", "Bozok", "Bozok RAT", "BreachRAT", "Breut", "CapraRAT", "CinaRAT", "Crimson RAT", "DarkComet", "DarkKomet", "ElizaRAT", "FYNLOS", "Fynloski", "Jorik", "Krademok", "Limepad", "Luminosity RAT", "LuminosityLink", "MSIL", "MSIL/Crimson", "Mobzsar", "MumbaiDown", "Oblique RAT", "ObliqueRAT", "Peppy RAT", "Peppy Trojan", "Quasar RAT", "QuasarRAT", "SEEDOOR", "Scarimson", "SilentCMD", "Stealth Mango", "UPDATESEE", "USBWorm", "Waizsar RAT", "Yggdrasil", "beendoor", "klovbot", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "c68fa27f-e8d9-4932-856b-467ccfe39997", "created_at": "2023-01-06T13:46:38.450585Z", "updated_at": "2026-04-10T02:00:02.980334Z", "deleted_at": null, "main_name": "Operation C-Major", "aliases": [ "APT36", "APT 36", "TMP.Lapis", "COPPER FIELDSTONE", "Storm-0156", "Transparent Tribe", "ProjectM", "Green Havildar", "Earth Karkaddan", "C-Major", "Mythic Leopard" ], "source_name": "MISPGALAXY:Operation C-Major", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434617, "ts_updated_at": 1775826774, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8ab6b53296dcfe0bc0f177246c14186a934e0244.pdf", "text": "https://archive.orkl.eu/8ab6b53296dcfe0bc0f177246c14186a934e0244.txt", "img": "https://archive.orkl.eu/8ab6b53296dcfe0bc0f177246c14186a934e0244.jpg" } }