{ "id": "cfca59f5-dc72-40aa-a974-ce0dfe2432f8", "created_at": "2026-04-06T00:14:22.264738Z", "updated_at": "2026-04-10T13:12:27.17124Z", "deleted_at": null, "sha1_hash": "93424a99132b971b9f1192a40bd111aaf47cfe54", "title": "Traveling Spider - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 81339, "plain_text": "Traveling Spider - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 13:58:38 UTC\nHome \u003e List all groups \u003e Traveling Spider\n APT group: Traveling Spider\nNames\nTraveling Spider (CrowdStrike)\nGold Mansard (SecureWorks)\nCountry [Unknown]\nMotivation Financial gain\nFirst seen 2019\nDescription\n(BleepingComputer) A new ransomware has been spotted over the weekend,\ncarrying references to the Russian president and antivirus software. The researchers\ncall it Nemty.\nThis is the first version of Nemty ransomware, named so after the extension it adds\nto the files following the encryption process.\nObserved\nCountries: Argentina, Algeria, Austria, Belgium, Bhutan, Bolivia, Brazil, Canada,\nChile, China, Czech, Denmark, Ecuador, Egypt, Estonia, France, Germany, Ghana,\nGuatemala, Guinea, Hungary, India, Indonesia, Iran, Italy, Japan, Latvia, Libya,\nLithuania, Luxembourg, Malaysia, Morocco, Nepal, Netherlands, Niger, Pakistan,\nPhilippines, Poland, Portugal, Russia, Slovakia, South Africa, South Korea, Spain,\nSweden, Thailand, Turkey, UAE, UK, Ukraine, USA, Venezuela, Vietnam.\nTools used\n7-Zip, AdFind, BloodHound, LaZagne, MEGAsync, Mimikatz, Nefilim, Nemty,\nNetwork Password Recovery, PsExec, smbtool.\nOperations performed\nSep 2019\nNemty Ransomware Update Lets It Kill Processes and Services\nSep 2019\nFake PayPal Site Spreads Nemty Ransomware\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f0596c9f-822f-4e3c-b2af-fc50630e6ec0\nPage 1 of 3\n\nSep 2019\nNemty Ransomware Gets Distribution from RIG Exploit Kit\nOct 2019\nNemty 1.6 Ransomware Released and Pushed via RIG Exploit Kit\nNov 2019\nNemty Ransomware Expands Its Reach, Also Delivered by Trik\nBotnet\nJan 2020\nNemty Ransomware to Start Leaking Non-Paying Victim's Data\nFeb 2020\nNemty Ransomware Actively Distributed via 'Love Letter' Spam\nMar 2020\nNemty Ransomware Punishes Victims by Posting Their Stolen Data\nMar 2020\nNew Nefilim Ransomware Threatens to Release Victims' Data\nApr 2020\nNemty ransomware operation shuts down public RaaS\nMay 2020\nToll Group hit by ransomware a second time, deliveries affected\nMay 2020\nBeyonce and Victoria's Secret lingerie maker targeted by extortionists\nJun 2020\nNefilim Hackers Publish Oil Firm Data Online and Continue\nDisruptive Campaign\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f0596c9f-822f-4e3c-b2af-fc50630e6ec0\nPage 2 of 3\n\nJul 2020\nOrange confirms ransomware attack exposing business customers'\ndata\nJul 2020\nBusiness giant Dussmann Group's data leaked after ransomware\nattack\nNov 2020\nLuxottica data breach exposes 820K EyeMed, LensCrafters patients\nDec 2020\nHome appliance giant Whirlpool hit in Nefilim ransomware attack\nJan 2021\nNefilim Ransomware Attack Uses “Ghost” Credentials\nMar 2021\nThe Nefilim Ransomware Group Has Hit ‘Spirit Airlines’\nInformation\nLast change to this card: 10 August 2021\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f0596c9f-822f-4e3c-b2af-fc50630e6ec0\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f0596c9f-822f-4e3c-b2af-fc50630e6ec0\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f0596c9f-822f-4e3c-b2af-fc50630e6ec0" ], "report_names": [ "showcard.cgi?u=f0596c9f-822f-4e3c-b2af-fc50630e6ec0" ], "threat_actors": [ { "id": "8b7faa58-947b-4530-ab1f-250a0370aabf", "created_at": "2022-10-25T16:07:24.34248Z", "updated_at": "2026-04-10T02:00:04.945921Z", "deleted_at": null, "main_name": "Traveling Spider", "aliases": [ "Gold Mansard" ], "source_name": "ETDA:Traveling Spider", "tools": [ "7-Zip", "AdFind", "LaZagne", "MEGAsync", "Mimikatz", "Nefilim", "Nemty", "Nephilim", "Network Password Recovery", "PsExec", "smbtool" ], "source_id": "ETDA", "reports": null }, { "id": "1c76f1b6-a05b-4dba-82ea-07011b47c6cd", "created_at": "2023-01-06T13:46:39.201507Z", "updated_at": "2026-04-10T02:00:03.244851Z", "deleted_at": null, "main_name": "TRAVELING SPIDER", "aliases": [], "source_name": "MISPGALAXY:TRAVELING SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99536b94-7e83-4eee-a81b-32ce2d4876c4", "created_at": "2023-01-06T13:46:39.263426Z", "updated_at": "2026-04-10T02:00:03.265475Z", "deleted_at": null, "main_name": "GOLD MANSARD", "aliases": [], "source_name": "MISPGALAXY:GOLD MANSARD", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8a18941c-3b19-4359-984c-6806ad71a79a", "created_at": "2022-10-25T16:47:55.791594Z", "updated_at": "2026-04-10T02:00:03.692054Z", "deleted_at": null, "main_name": "GOLD MANSARD", "aliases": [ "" ], "source_name": "Secureworks:GOLD MANSARD", "tools": [ "ADFind", "Cobalt Strike", "MEGAsync", "Mimikatz", "Nefilim", "Nemty" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434462, "ts_updated_at": 1775826747, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/93424a99132b971b9f1192a40bd111aaf47cfe54.pdf", "text": "https://archive.orkl.eu/93424a99132b971b9f1192a40bd111aaf47cfe54.txt", "img": "https://archive.orkl.eu/93424a99132b971b9f1192a40bd111aaf47cfe54.jpg" } }