{
	"id": "b4d80da2-6439-4b59-b500-330859b457bc",
	"created_at": "2026-04-06T00:06:36.049108Z",
	"updated_at": "2026-04-10T13:11:23.676877Z",
	"deleted_at": null,
	"sha1_hash": "9b975c21f6357c25da554a9179c75f845446e37c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54999,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:02:43 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool LockerGoga\r\n Tool: LockerGoga\r\nNames LockerGoga\r\nCategory Malware\r\nType Ransomware, Big Game Hunting\r\nDescription\r\n(Fortinet) The binary for this particular variant of LockerGoga does not utilize any type\r\nof security evasion or obfuscation. Instead, the binary only goes as far as encoding the\r\nRSA public key that is used in its later stages for file encryption. It’s possible to\r\nspeculate that the attackers may have already been fully aware of the target companies’\r\nsecurity measures, and were therefore confident that their malware would not be\r\nintercepted even without any obfuscation.\r\nAnother interesting fact is that the malware uses open-source Boost libraries for its\r\nfilesystem, and inter-process communication and Crypto++ (Cryptopp) for file\r\nencryption. One of the advantages of using these libraries is easier development and\r\nimplementation since developers only need to work with wrapper functions instead of\r\ncalling individual native APIs to achieve the same goal. 
And since this utilizes a higher\r\nlevel of programming, statically and dynamically analysing the application without\r\nsource code is more complicated than just reading a straight sequence of Windows APIs.\r\nHowever, since they do not use standard libraries, they need to be manually linked and\r\nthe functions need to be physically added to the final binary, which results in a larger file\r\nsize than usual.\r\nInformation \u003chttps://www.fortinet.com/blog/threat-research/lockergoga-ransomeware-targeting-critical-infrastructure.html\u003e\r\n\u003chttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-you-need-to-know-about-the-lockergoga-ransomware\u003e\r\n\u003chttps://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\u003e\r\n\u003chttps://www.abuse.io/lockergoga.txt\u003e\r\n\u003chttps://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880\u003e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8cdd2a40-7ddd-4caf-b7d0-94af5984a979\r\nPage 1 of 2\n\nMITRE ATT\u0026CK Malpedia AlienVault OTX Playbook\nLast change to this tool card: 18 November 2022\nDownload this tool card in JSON format\nAll groups using tool LockerGoga\nChanged Name Country Observed\nAPT groups\n FIN6, Skeleton Spider [Unknown] 2015-Oct 2021\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8cdd2a40-7ddd-4caf-b7d0-94af5984a979\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8cdd2a40-7ddd-4caf-b7d0-94af5984a979\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8cdd2a40-7ddd-4caf-b7d0-94af5984a979"
	],
	"report_names": [
		"listgroups.cgi?u=8cdd2a40-7ddd-4caf-b7d0-94af5984a979"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b975c21f6357c25da554a9179c75f845446e37c.pdf",
		"text": "https://archive.orkl.eu/9b975c21f6357c25da554a9179c75f845446e37c.txt",
		"img": "https://archive.orkl.eu/9b975c21f6357c25da554a9179c75f845446e37c.jpg"
	}
}