{
	"id": "7e590575-6938-43f4-ae50-76fb9bd048a8",
	"created_at": "2026-04-06T00:08:24.14455Z",
	"updated_at": "2026-04-10T13:12:29.048207Z",
	"deleted_at": null,
	"sha1_hash": "9f52755fecf73e05e64c82fa60b61539fc14ccc0",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49885,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:08:01 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool DreamBot\r\n Tool: DreamBot\r\nNames DreamBot\r\nCategory Malware\r\nType Banking trojan, Info stealer, Credential stealer, Botnet\r\nDescription\r\n(Proofpoint) The Dreambot malware is still in active development and over the last few\r\nmonths we have seen multiple versions of it spreading in the wild. The Tor-enabled\r\nversion of Dreambot has been active since at least July 2016, when we first observed the\r\nmalware successfully download the Tor client and connect to the Tor network. Today,\r\nmany Dreambot samples include this functionality, but few use it as their primary mode\r\nof communication with their command and control (C\u0026C) infrastructure. However, in\r\nthe future this feature may be utilized much more frequently, creating additional\r\nproblems for defenders.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality\u003e\r\n\u003chttps://lokalhost.pl/gozi_tree.txt\u003e\r\nMITRE ATT\u0026CK \u003chttps://attack.mitre.org/software/S0386\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=DreamBot\u003e\r\nLast change to this tool card: 13 October 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool DreamBot\r\nChanged Name Country Observed\r\nUnknown groups\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f979f85d-68d3-44b5-a2b6-ef0774f7c717\r\nPage 1 of 2\n\n_[ Interesting malware not linked to an actor yet ]_  \r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f979f85d-68d3-44b5-a2b6-ef0774f7c717\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f979f85d-68d3-44b5-a2b6-ef0774f7c717\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f979f85d-68d3-44b5-a2b6-ef0774f7c717"
	],
	"report_names": [
		"listgroups.cgi?u=f979f85d-68d3-44b5-a2b6-ef0774f7c717"
	],
	"threat_actors": [],
	"ts_created_at": 1775434104,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f52755fecf73e05e64c82fa60b61539fc14ccc0.pdf",
		"text": "https://archive.orkl.eu/9f52755fecf73e05e64c82fa60b61539fc14ccc0.txt",
		"img": "https://archive.orkl.eu/9f52755fecf73e05e64c82fa60b61539fc14ccc0.jpg"
	}
}