{
	"id": "be40994d-a2a7-4472-b93a-bc46b3965cc6",
	"created_at": "2026-04-06T00:13:19.28299Z",
	"updated_at": "2026-04-10T13:11:40.651813Z",
	"deleted_at": null,
	"sha1_hash": "96fa77652273261a6e63de53a14992c89a93a38c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50650,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:21:32 UTC\r\n Other threat group: TA516\r\nNames\r\nTA516 (Proofpoint)\r\nSmokingDro (Proofpoint)\r\nCountry [Unknown]\r\nMotivation Financial crime, Financial gain\r\nFirst seen 2016\r\nDescription\r\n(Proofpoint) This actor typically distributes instances of the SmokeLoader\r\nintermediate downloader, which, in turn, downloads additional malware of the\r\nactor’s choice -- often banking Trojans. Figure 3 shows a lure document from a\r\nNovember campaign in which TA516 distributed fake resumes with malicious\r\nmacros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In\r\nthis instance, we observed SmokeLoader downloading a Monero coinminer. Since\r\nthe middle of 2017, TA516 has used similar macro-laden documents as well as\r\nmalicious JavaScript hosted on Google Drive to distribute both Panda Banker and a\r\ncoinminer executable via SmokeLoader, often in the same campaigns.\r\nObserved Countries: Worldwide.\r\nTools used AZORult, Chthonic, Smoke Loader, Zeus Panda.\r\nOperations performed\r\nJul 2016\r\nThreat Actors Using Legitimate PayPal Accounts To Distribute\r\nChthonic Banking Trojan\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan\u003e\r\nJul 2018\r\nNew version of AZORult stealer improves loading features, spreads\r\nalongside ransomware in new campaign\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside\u003e\r\nNov 2019\r\nNew AZORult campaign abuses popular VPN service to steal\r\ncryptocurrency\r\n\u003chttps://www.kaspersky.com/about/press-releases/2020_new-azorult-campaign-abuses-popular-vpn-service-to-steal-cryptocurrency\u003e\nFeb 2020\nAZORult Campaign Adopts Novel Triple-Encryption Technique\nFeb 2020\nAZORult spreads as a fake ProtonVPN installer\nInformation\nLast change to this card: 01 January 2023\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=24184e42-b04f-4878-8fd3-e53acf7526f2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=24184e42-b04f-4878-8fd3-e53acf7526f2"
	],
	"report_names": [
		"showcard.cgi?u=24184e42-b04f-4878-8fd3-e53acf7526f2"
	],
	"threat_actors": [
		{
			"id": "9b34a837-9f3f-4451-b8bf-adf424655df5",
			"created_at": "2023-01-06T13:46:39.310096Z",
			"updated_at": "2026-04-10T02:00:03.283332Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [],
			"source_name": "MISPGALAXY:TA516",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aeda543e-ce27-41a9-9719-d6e2941b7dbf",
			"created_at": "2022-10-25T16:07:24.57632Z",
			"updated_at": "2026-04-10T02:00:05.038892Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [
				"SmokingDro"
			],
			"source_name": "ETDA:TA516",
			"tools": [
				"AZORult",
				"AndroKINS",
				"Chthonic",
				"Dofoil",
				"PandaBanker",
				"PuffStealer",
				"Rultazo",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader",
				"Zeus Panda",
				"ZeusPanda"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434399,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96fa77652273261a6e63de53a14992c89a93a38c.pdf",
		"text": "https://archive.orkl.eu/96fa77652273261a6e63de53a14992c89a93a38c.txt",
		"img": "https://archive.orkl.eu/96fa77652273261a6e63de53a14992c89a93a38c.jpg"
	}
}