{
	"id": "7ce47c4e-134a-41a7-a0c8-a1de511d156c",
	"created_at": "2026-04-06T00:17:29.486007Z",
	"updated_at": "2026-04-10T03:35:12.552518Z",
	"deleted_at": null,
	"sha1_hash": "8b7d1a3a42dbefbfe9c0f589959bca49dd9b9281",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47027,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:43:30 UTC\n APT group: RTM\nNames\nRTM (ESET)\nG0048 (MITRE)\nCountry Russia\nMotivation Financial crime\nFirst seen 2015\nDescription\n(ESET) There are several groups actively and profitably targeting businesses in Russia.\nA trend that we have seen unfold before our eyes lately is these cybercriminals’ use of\nsimple backdoors to gain a foothold in their targets’ networks. Once they have this\naccess, a lot of the work is done manually, slowly getting to understand the network\nlayout and deploying custom tools the criminals can use to steal funds from these\nentities. Some of the groups that best exemplify these trends are Buhtrap, Ratopak\nSpider, Cobalt Group and Corkow, Metel.\nThe group discussed in this white paper is part of this new trend. We call this new group\nRTM; it uses custom malware, written in Delphi, that we cover in detail in later sections.\nThe first trace of this tool in our telemetry data dates back to late 2015. The group also\nmakes use of several different modules that they deploy where appropriate to their\ntargets. They are interested in users of remote banking systems (RBS), mainly in Russia\nand neighboring countries.\nThat this group is mostly targeting businesses is apparent from the processes they are\nlooking for on a compromised system. 
They look for software that is usually only\ninstalled on accountants’ computers, such as remote banking software or tools to help\nwith accounts payable.\nObserved Countries: Czech, Germany, Kazakhstan, Russia, Ukraine.\nTools used AtNow, RTM.\nInformation MITRE ATT\u0026CK Last change to this card: 16 August 2025\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=72d3f856-6883-4840-bf43-a3dd24c61bbc\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=72d3f856-6883-4840-bf43-a3dd24c61bbc\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=72d3f856-6883-4840-bf43-a3dd24c61bbc\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=72d3f856-6883-4840-bf43-a3dd24c61bbc"
	],
	"report_names": [
		"showcard.cgi?u=72d3f856-6883-4840-bf43-a3dd24c61bbc"
	],
	"threat_actors": [
		{
			"id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa",
			"created_at": "2022-10-25T16:07:23.494355Z",
			"updated_at": "2026-04-10T02:00:04.629595Z",
			"deleted_at": null,
			"main_name": "Corkow",
			"aliases": [
				"Corkow",
				"Metel"
			],
			"source_name": "ETDA:Corkow",
			"tools": [
				"Corkow",
				"Metel"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6a99bf81-8ed4-4233-82e2-575e4f9bf282",
			"created_at": "2022-10-25T16:07:24.137248Z",
			"updated_at": "2026-04-10T02:00:04.877854Z",
			"deleted_at": null,
			"main_name": "RTM",
			"aliases": [
				"G0048"
			],
			"source_name": "ETDA:RTM",
			"tools": [
				"AtNow",
				"RTM",
				"RTM Banker",
				"Redaman"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4593b463-34d3-4dbe-95c6-c347b4e2277b",
			"created_at": "2023-01-06T13:46:38.989804Z",
			"updated_at": "2026-04-10T02:00:03.17325Z",
			"deleted_at": null,
			"main_name": "RTM",
			"aliases": [
				"G0048"
			],
			"source_name": "MISPGALAXY:RTM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775792112,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b7d1a3a42dbefbfe9c0f589959bca49dd9b9281.pdf",
		"text": "https://archive.orkl.eu/8b7d1a3a42dbefbfe9c0f589959bca49dd9b9281.txt",
		"img": "https://archive.orkl.eu/8b7d1a3a42dbefbfe9c0f589959bca49dd9b9281.jpg"
	}
}