{
	"id": "ace82b40-da4c-4cc2-a899-271230753e6e",
	"created_at": "2026-04-06T00:15:13.482391Z",
	"updated_at": "2026-04-10T13:12:16.920967Z",
	"deleted_at": null,
	"sha1_hash": "952a37813259aeaf97b293109248d881f0264962",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51193,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:01:32 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool FlawedGrace\r\n Tool: FlawedGrace\r\nNames\r\nFlawedGrace\r\nGraceWire\r\nCategory Malware\r\nType Backdoor, Downloader\r\nDescription (Proofpoint) FlawedGrace is a remote access trojan (RAT) named after debugging\r\nartifacts (class names) left in the analyzed sample.\r\nThe malware is written in C++. It is a very large program and makes extensive use of\r\nobject-oriented and multithreaded programming techniques. This makes reverse\r\nengineering and debugging the malware both difficult and time consuming. The coding\r\nstyle and techniques suggest that FlawedGrace was not written by the same developer as\r\nServHelper.\r\nFlawedGrace uses a complicated binary protocol for its command and control. It can use\r\na configurable port for communications, but all samples we have observed to date have\r\nused port 443. Figure 8 shows an example of the first four messages between an infected\r\nsystem and C\u0026C server.\r\nFlawedGrace also uses a series of commands, provided below for reference:\r\n• target_remove\r\n• target_update\r\n• target_reboot\r\n• target_module_load\r\n• target_module_load_external\r\n• target_module_unload\r\n• target_download\r\n• target_upload\r\n• target_rdp\r\n• target_passwords\r\n• target_servers\r\n• target_script\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e3f838e-197c-412f-a98d-4b3ad248baa6\r\nPage 1 of 2\n\n• destroy_os\n• desktop_stat\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool FlawedGrace\nChanged Name Country Observed\nAPT groups\n TA505, Graceful Spider, Gold Evergreen 2006-Nov 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e3f838e-197c-412f-a98d-4b3ad248baa6\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e3f838e-197c-412f-a98d-4b3ad248baa6\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e3f838e-197c-412f-a98d-4b3ad248baa6"
	],
	"report_names": [
		"listgroups.cgi?u=2e3f838e-197c-412f-a98d-4b3ad248baa6"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8ada819f-dec0-4de4-97eb-0a8aff899c56",
			"created_at": "2023-01-06T13:46:39.225531Z",
			"updated_at": "2026-04-10T02:00:03.251546Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD EVERGREEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434513,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/952a37813259aeaf97b293109248d881f0264962.pdf",
		"text": "https://archive.orkl.eu/952a37813259aeaf97b293109248d881f0264962.txt",
		"img": "https://archive.orkl.eu/952a37813259aeaf97b293109248d881f0264962.jpg"
	}
}