{
	"id": "ddbf77e0-7968-493e-aad1-3ffb0a17f5e3",
	"created_at": "2026-04-06T00:22:19.914061Z",
	"updated_at": "2026-04-10T03:25:02.795781Z",
	"deleted_at": null,
	"sha1_hash": "a05f0814b254cad2ae1cfed35158911b93aabf90",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41690,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 12:50:07 UTC\r\n APT group: TA555\r\nNames TA555 (Proofpoint)\r\nCountry [Unknown]\r\nMotivation Financial crime\r\nFirst seen 2018\r\nDescription\r\n(Proofpoint) Beginning in May 2018, Proofpoint researchers observed a previously\r\nundocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The\r\ncampaigns appear to primarily target hotels, restaurants, and telecommunications, and are\r\ndistributed by an actor we track as TA555. To date, we have observed AdvisorsBot used as a\r\nfirst-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to\r\nidentify targets of interest to further infect with additional modules or payloads. AdvisorsBot is\r\nunder active development and we have also observed another version of the malware\r\ncompletely rewritten in PowerShell and .NET.\r\nObserved Sectors: Hospitality, Telecommunications.\r\nTools used AdvisorsBot, PoshAdvisor.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot\u003e\r\nLast change to this card: 14 April 2020\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bf6a3eb5-da87-482a-87da-d50a301953ee\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=bf6a3eb5-da87-482a-87da-d50a301953ee\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bf6a3eb5-da87-482a-87da-d50a301953ee"
	],
	"report_names": [
		"showcard.cgi?u=bf6a3eb5-da87-482a-87da-d50a301953ee"
	],
	"threat_actors": [
		{
			"id": "e9fcfe14-b91b-4f1d-a6f6-2de8a6dbca17",
			"created_at": "2022-10-25T16:07:24.287989Z",
			"updated_at": "2026-04-10T02:00:04.923791Z",
			"deleted_at": null,
			"main_name": "TA555",
			"aliases": [],
			"source_name": "ETDA:TA555",
			"tools": [
				"AdvisorsBot",
				"PoshAdvisor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "47524f3c-731b-4af2-a9df-67c96c734392",
			"created_at": "2023-01-06T13:46:39.319424Z",
			"updated_at": "2026-04-10T02:00:03.286323Z",
			"deleted_at": null,
			"main_name": "TA555",
			"aliases": [],
			"source_name": "MISPGALAXY:TA555",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775791502,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a05f0814b254cad2ae1cfed35158911b93aabf90.pdf",
		"text": "https://archive.orkl.eu/a05f0814b254cad2ae1cfed35158911b93aabf90.txt",
		"img": "https://archive.orkl.eu/a05f0814b254cad2ae1cfed35158911b93aabf90.jpg"
	}
}