{ "id": "14439961-5c8d-4999-ab05-86338243034a", "created_at": "2026-04-06T00:15:00.829735Z", "updated_at": "2026-04-10T03:36:00.147214Z", "deleted_at": null, "sha1_hash": "9b7c8b138ab2a106fc72fd3c6e614f014cb49450", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52897, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:12:29 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Godzilla\n Tool: Godzilla\nNames\nGodzilla\nGodzilla Loader\nCategory Malware\nType Downloader, Worm, Botnet\nDescription\n(Check Point) Enter Godzilla Loader, a malware being advertised on Dark Web forums, and\nbeing actively developed right now. Godzilla fills the “downloader” or “dropper” niche,\noffering a level of indirection such that the binary that first runs on the victim machine does\nnot contain any of the actual payload, and instead downloads the payload from a remote server.\nGodzilla is actively maintained, with new features being added periodically, and retails for\n$500, around a quarter of the asking price of its better-established competitor, Emotet.\nInformation Malpedia Last change to this tool card: 29 April 2020\nDownload this tool card in JSON format\nAll groups using tool Godzilla\nChanged Name Country Observed\nAPT groups\n Dalbit 2022\n Earth Alux 2023\n Operation Silent Skimmer [Unknown] 2022\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a6ed9045-cb03-4040-8b4a-97d7ed6fcd98\nPage 1 of 2\n\nOther groups\r\n  TA554 [Unknown] 2017  \r\n4 groups listed (3 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a6ed9045-cb03-4040-8b4a-97d7ed6fcd98\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a6ed9045-cb03-4040-8b4a-97d7ed6fcd98\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a6ed9045-cb03-4040-8b4a-97d7ed6fcd98" ], "report_names": [ "listgroups.cgi?u=a6ed9045-cb03-4040-8b4a-97d7ed6fcd98" ], "threat_actors": [ { "id": "2f964894-0020-457e-b4e7-65a8c8fe740c", "created_at": "2025-05-29T02:00:03.202897Z", "updated_at": "2026-04-10T02:00:03.858601Z", "deleted_at": null, "main_name": "Earth Alux", "aliases": [], "source_name": "MISPGALAXY:Earth Alux", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a3808e4f-c7fd-4d25-aa84-aacc27061826", "created_at": "2023-01-06T13:46:39.316216Z", "updated_at": "2026-04-10T02:00:03.285437Z", "deleted_at": null, "main_name": "TA554", "aliases": [ "TH-163" ], "source_name": "MISPGALAXY:TA554", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ad98b6a9-78aa-4375-81c2-55ce04626812", "created_at": "2023-10-14T02:03:14.382189Z", "updated_at": "2026-04-10T02:00:04.836992Z", "deleted_at": null, "main_name": "Operation Silent Skimmer", "aliases": [], "source_name": "ETDA:Operation Silent Skimmer", "tools": [ "Agentemis", "BadPotato", "Cobalt Strike", "CobaltStrike", "GodPotato", "Godzilla", "Godzilla Loader", "JuicyPotato", "LOLBAS", "LOLBins", "Living off the Land", "PowerShell RAT", "SharpToken", "SweetPotato", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "bcf899bb-34bb-43e1-929d-02bc91974f2a", "created_at": "2023-02-18T02:04:24.050644Z", "updated_at": "2026-04-10T02:00:04.639142Z", "deleted_at": null, "main_name": "Dalbit", "aliases": [], "source_name": "ETDA:Dalbit", "tools": [ "ASPXSpy", "ASPXTool", "Agentemis", "AntSword", "BadPotato", "BlueShell", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "EFSPotato", "FRP", "Fast Reverse Proxy", "Godzilla", "Godzilla Loader", "HTran", "HUC Packet Transmit Tool", "JuicyPotato", "LadonGo", "Metasploit", "Mimikatz", "NPS", "ProcDump", "PsExec", "Remcom", "RemoteCommandExecution", "RottenPotato", "SinoChopper", "SweetPotato", "cobeacon", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5", "created_at": "2023-11-08T02:00:07.176033Z", "updated_at": "2026-04-10T02:00:03.435082Z", "deleted_at": null, "main_name": "Dalbit", "aliases": [], "source_name": "MISPGALAXY:Dalbit", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "fdcb30ba-5fef-4ae2-97bd-f8200f4bd2e5", "created_at": "2025-04-22T02:01:52.35523Z", "updated_at": "2026-04-10T02:00:04.658231Z", "deleted_at": null, "main_name": "Earth Alux", "aliases": [], "source_name": "ETDA:Earth Alux", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Godzilla", "Godzilla Loader", "MASQLOADER", "RAILLOAD", "RAILSETTER", "RSBINJECT", "VARGEIT", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9be98f84-4a93-41c7-90bd-3ea66ba5bfd7", "created_at": "2022-10-25T16:07:24.581954Z", "updated_at": "2026-04-10T02:00:05.040995Z", "deleted_at": null, "main_name": "TA554", "aliases": [ "TH-163" ], "source_name": "ETDA:TA554", "tools": [ "DarkVNC", "Godzilla", "Godzilla Loader", "Gootkit", "Gootloader", "Gozi ISFB", "ISFB", "LOLBAS", "LOLBins", "Living off the Land", "Nimnul", "Pandemyia", "PsiX", "PsiXBot", "Ramnit", "StarsLord", "Waldek", "Xswkit", "sLoad", "talalpek" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434500, "ts_updated_at": 1775792160, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9b7c8b138ab2a106fc72fd3c6e614f014cb49450.pdf", "text": "https://archive.orkl.eu/9b7c8b138ab2a106fc72fd3c6e614f014cb49450.txt", "img": "https://archive.orkl.eu/9b7c8b138ab2a106fc72fd3c6e614f014cb49450.jpg" } }