{
	"id": "e474324b-f671-41ae-a7c0-56f0993f82b9",
	"created_at": "2026-04-06T00:09:43.102021Z",
	"updated_at": "2026-04-10T13:12:08.672601Z",
	"deleted_at": null,
	"sha1_hash": "943e2c160825d67cde915b5110762a8b9ee83650",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57547,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:28:06 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Ramsay\n Tool: Ramsay\nNames Ramsay\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Exfiltration, Worm\nDescription\n(ESET) ESET researchers have discovered a previously unreported cyber-espionage\nframework that we named Ramsay and that is tailored for collection and exfiltration of\nsensitive documents and is capable of operating within air-gapped networks.\nRamsay’s architecture provides a series of capabilities monitored via a logging\nmechanism intended to assist operators by supplying a feed of actionable intelligence to\nconduct exfiltration, control, and lateral movement actions, as well as providing overall\nbehavioral and system statistics of each compromised system. The realization of these\nactions is possible due to the following capabilities:\n• File collection and covert storage\n• Command execution\n• Spreading\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Ramsay\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=31f37051-bd42-48ce-bfaf-3dcef73fc18f\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  DarkHotel 2007-2023  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=31f37051-bd42-48ce-bfaf-3dcef73fc18f\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=31f37051-bd42-48ce-bfaf-3dcef73fc18f\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=31f37051-bd42-48ce-bfaf-3dcef73fc18f"
	],
	"report_names": [
		"listgroups.cgi?u=31f37051-bd42-48ce-bfaf-3dcef73fc18f"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434183,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/943e2c160825d67cde915b5110762a8b9ee83650.pdf",
		"text": "https://archive.orkl.eu/943e2c160825d67cde915b5110762a8b9ee83650.txt",
		"img": "https://archive.orkl.eu/943e2c160825d67cde915b5110762a8b9ee83650.jpg"
	}
}