{
	"id": "9e27ed7e-c3ec-407f-9b59-07e5054b511d",
	"created_at": "2026-04-06T00:17:05.468497Z",
	"updated_at": "2026-04-10T03:36:36.835138Z",
	"deleted_at": null,
	"sha1_hash": "911e98944f7ef97dc87595d2bb8a7883efeaf7ee",
	"title": "Buhtrap, Ratopak Spider - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60463,
	"plain_text": "Buhtrap, Ratopak Spider - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 21:10:00 UTC\r\n APT group: Buhtrap, Ratopak Spider\r\nNames\r\nBuhtrap (Group-IB)\r\nRatopak Spider (CrowdStrike)\r\nUAC-0008 (CERT-UA)\r\nCountry Russia\r\nMotivation Financial crime\r\nFirst seen 2015\r\nDescription\r\n(Group-IB) Buhtrap has been active since 2014, however their first attacks against\r\nfinancial institutions were only detected in August 2015. Earlier, the group had only\r\nfocused on targeting banking clients. At the moment, the group is known to target\r\nRussian and Ukrainian banks.\r\nFrom August 2015 to February 2016 Buhtrap managed to conduct 13 successful\r\nattacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln).\r\nThe number of successful attacks against Ukrainian banks has not been identified.\r\nBuhtrap is the first hacker group using a network worm to infect the overall bank\r\ninfrastructure that significantly increases the difficulty of removing all malicious\r\nfunctions from the network. As a result, banks have to shut down the whole\r\ninfrastructure which provokes delay in servicing customers and additional losses.\r\nMalicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR).\r\nWe have not identified incidents of attacks involving online money transfer systems,\r\nATM machines or payment gates which are known to be of interest for other\r\ncriminal groups.\r\nBuhtrap has some infrastructure overlap with TA505, Graceful Spider, Gold\r\nEvergreen.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=30df5485-c9bd-4d36-a685-4f202162e323\r\nPage 1 of 3\n\nObserved\nSectors: Financial, Government.\nCountries: Russia, Ukraine.\nTools used Buhtrap, FlawedAmmyy, Niteris EK, NSIS.\nOperations performed\n2014\nOn October 20, 2014 we notified Group-IB Bot-Trek Intelligence\nsubscribers about phishing emails which were sent from the\ninfo@beeline-mail.ru address with the subject “Invoice No 522375-\nФЛОРЛ-14-115” (pic. 1). The beeline-mail.ru domain name was also\nregistered on October 20, 2014.\nOct 2015\nWe noticed in late October that users visiting the Ammyy website to\ndownload the free version of its remote administrator software were\nbeing served a bundle containing not only the legitimate Remote\nDesktop Software Ammyy Admin, but also an NSIS (Nullsoft\nScriptable Installation Software) installer ultimately intended to install\nthe tools used by the Buhtrap gang to spy on and control their victims’\ncomputers.\nDec 2015\nIn December 2015, employees from several Russian banks were\ntargeted with spoofed emails, a common technique in attack\ncampaigns. The emails were made to look like they were from the\nCentral Bank of Russia and offered employment to their recipients.\nInstead of being an actual employment offer, the emails were an\nattempt to deliver Trojan.Ratopak onto the target’s computer.\nSep 2016\nBreach of the Russian boxing site allboxing[.].ru\n2017\nOperation “TwoBee”\nBuhtrap resurfaced in the beginning of 2017 in the TwoBee campaign,\nwhere it served primarily as a means of malware delivery. In March of\nlast year, it hit the news (literally), spreading through several\ncompromised major news outlets in whose main pages malicious actors\nimplanted scripts. These scripts executed an exploit for Internet Explorer\nin visitors’ browsers.\n\nJun 2019\nThroughout our tracking, we’ve seen this group deploy its main\nbackdoor as well as other tools against various victims, but June 2019\nwas the first time we saw the Buhtrap group use a zero-day exploit as\npart of a campaign. In that case, we observed Buhtrap using a local\nprivilege escalation exploit, CVE-2019-1132, against one of its\nvictims.\nInformation\nLast change to this card: 08 April 2022\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=30df5485-c9bd-4d36-a685-4f202162e323",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=30df5485-c9bd-4d36-a685-4f202162e323"
	],
	"report_names": [
		"showcard.cgi?u=30df5485-c9bd-4d36-a685-4f202162e323"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ada819f-dec0-4de4-97eb-0a8aff899c56",
			"created_at": "2023-01-06T13:46:39.225531Z",
			"updated_at": "2026-04-10T02:00:03.251546Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD EVERGREEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434625,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/911e98944f7ef97dc87595d2bb8a7883efeaf7ee.pdf",
		"text": "https://archive.orkl.eu/911e98944f7ef97dc87595d2bb8a7883efeaf7ee.txt",
		"img": "https://archive.orkl.eu/911e98944f7ef97dc87595d2bb8a7883efeaf7ee.jpg"
	}
}