{
	"id": "092bd511-952a-4957-bd4e-3f8d23ab90e2",
	"created_at": "2026-04-06T00:21:44.380821Z",
	"updated_at": "2026-04-10T03:36:36.809026Z",
	"deleted_at": null,
	"sha1_hash": "a18ecb1bd3aae83ab6fb716a005510ef5df24a01",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49853,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:40:34 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Jaff\r\n Tool: Jaff\r\nNames\r\nJaff\r\nRakhni\r\nCategory Malware\r\nType Ransomware\r\nDescription\r\n(Fortinet) Like many ransomware variants, Jaff ransomware commonly arrives as a pdf\r\nattachment. Once you open the attachment, it displays a one-line document along with a\r\npop-up message asking whether you want to open an embedded file.\r\nAfter downloading the binary file, Jaff ransomware starts decrypting part of the malware\r\ncode. It uses a simple code redirection routine as an anti-analysis trick to stretch the time\r\nit requires to analyze the actual malicious code. In between code execution, it uses\r\ngarbage code that is not relevant to the malware execution.\r\nInformation\r\n\u003chttps://www.fortinet.com/blog/threat-research/looking-into-jaff-ransomware.html\u003e\r\n\u003chttp://malware-traffic-analysis.net/2017/05/16/index.html\u003e\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart\u003e\r\n\u003chttp://blog.talosintelligence.com/2017/05/jaff-ransomware.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.jaff\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:jaff\u003e\r\nPlaybook \u003chttps://www.nomoreransom.org/uploads/RakhniDecryptor_how-to_guide.pdf\u003e\r\nLast change to this tool card: 25 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool Jaff\r\nChanged Name Country Observed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e7db440-de10-4fa9-89f2-60aba7351ac4\r\nPage 1 of 2\n\nAPT groups\r\n  TA505, Graceful Spider, Gold Evergreen 2006-Nov 2022\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: 
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e7db440-de10-4fa9-89f2-60aba7351ac4\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e7db440-de10-4fa9-89f2-60aba7351ac4\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e7db440-de10-4fa9-89f2-60aba7351ac4"
	],
	"report_names": [
		"listgroups.cgi?u=7e7db440-de10-4fa9-89f2-60aba7351ac4"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8ada819f-dec0-4de4-97eb-0a8aff899c56",
			"created_at": "2023-01-06T13:46:39.225531Z",
			"updated_at": "2026-04-10T02:00:03.251546Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD EVERGREEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434904,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a18ecb1bd3aae83ab6fb716a005510ef5df24a01.pdf",
		"text": "https://archive.orkl.eu/a18ecb1bd3aae83ab6fb716a005510ef5df24a01.txt",
		"img": "https://archive.orkl.eu/a18ecb1bd3aae83ab6fb716a005510ef5df24a01.jpg"
	}
}