{
	"id": "6405820c-47cd-4b0b-ae87-e3c1e095ad6a",
	"created_at": "2026-04-06T00:06:14.867083Z",
	"updated_at": "2026-04-10T13:12:29.27792Z",
	"deleted_at": null,
	"sha1_hash": "9a7a94f8e62aa94da393f16f90d6724bb9f953ac",
	"title": "Lunar Spider - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47035,
	"plain_text": "Lunar Spider - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:52:57 UTC\n Other threat group: Lunar Spider\nNames\nLunar Spider (CrowdStrike)\nGold SwathMore (SecureWorks)\nCountry Russia\nMotivation Financial crime\nFirst seen 2019\nDescription\nLunar Spider is reportedly associated with Wizard Spider, Gold Blackburn.\n(CrowdStrike) On March 17, 2019, CrowdStrike Intelligence observed the use of a new\nBokBot (developed and operated by Lunar Spider) proxy module in conjunction with TrickBot\n(developed and operated by Wizard Spider), which may provide Wizard Spider with additional\ntools to steal sensitive information and conduct fraudulent wire transfers. This activity also\nprovides further evidence to support the existence of a flourishing relationship between these\ntwo actors.\nBokBot has been observed to be distributed via Emotet (operated by Mummy Spider, TA542)\nand Smoke Loader (operated by Smoky Spider).\nBokBot itself has been observed to distribute TrickBot (Wizard Spider, Gold Blackburn) and\nTinyLoader (Tiny Spider).\nObserved\nSectors: Financial.\nCountries: Worldwide.\nTools used BokBot, Vawtrak.\nInformation\nLast change to this card: 07 January 2021\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=66489195-9057-41a3-bf53-82aa6106833a\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=66489195-9057-41a3-bf53-82aa6106833a\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=66489195-9057-41a3-bf53-82aa6106833a\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=66489195-9057-41a3-bf53-82aa6106833a"
	],
	"report_names": [
		"showcard.cgi?u=66489195-9057-41a3-bf53-82aa6106833a"
	],
	"threat_actors": [
		{
			"id": "539855ac-def3-46a0-a490-f33abde7976f",
			"created_at": "2025-08-07T02:03:24.802704Z",
			"updated_at": "2026-04-10T02:00:03.718613Z",
			"deleted_at": null,
			"main_name": "GOLD ANDREW",
			"aliases": [
				"Smoky Spider "
			],
			"source_name": "Secureworks:GOLD ANDREW",
			"tools": [
				"Smoke Loader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "058823d4-60c2-42ab-a3aa-4c10f0ff37c9",
			"created_at": "2022-10-25T16:07:24.57064Z",
			"updated_at": "2026-04-10T02:00:05.036609Z",
			"deleted_at": null,
			"main_name": "Smoky Spider",
			"aliases": [],
			"source_name": "ETDA:Smoky Spider",
			"tools": [
				"Dofoil",
				"Oficla",
				"Sasfis",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "168848e1-54f8-43ba-b3f1-650be9b08081",
			"created_at": "2023-01-06T13:46:38.913608Z",
			"updated_at": "2026-04-10T02:00:03.143639Z",
			"deleted_at": null,
			"main_name": "TINY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:TINY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fdf30f70-537c-458d-82b2-54b4f09cea48",
			"created_at": "2023-01-06T13:46:39.119613Z",
			"updated_at": "2026-04-10T02:00:03.221272Z",
			"deleted_at": null,
			"main_name": "SMOKY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SMOKY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ab0b3abd-7947-4a56-a03a-a3fd1009d89f",
			"created_at": "2022-10-25T16:07:24.326862Z",
			"updated_at": "2026-04-10T02:00:04.93806Z",
			"deleted_at": null,
			"main_name": "Tiny Spider",
			"aliases": [],
			"source_name": "ETDA:Tiny Spider",
			"tools": [
				"PinkKite",
				"PsExec",
				"TinyLoader",
				"TinyPOS"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a7a94f8e62aa94da393f16f90d6724bb9f953ac.pdf",
		"text": "https://archive.orkl.eu/9a7a94f8e62aa94da393f16f90d6724bb9f953ac.txt",
		"img": "https://archive.orkl.eu/9a7a94f8e62aa94da393f16f90d6724bb9f953ac.jpg"
	}
}