{ "id": "8e53b1e8-3c39-475f-add5-2c5e2d6363dc", "created_at": "2026-04-06T00:14:03.297471Z", "updated_at": "2026-04-10T03:28:46.322075Z", "deleted_at": null, "sha1_hash": "a5aa35aec7588a16e674d6577167a08ca8a951c1", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48417, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:41:15 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool CoreBot\n Tool: CoreBot\nNames CoreBot\nCategory Malware\nType Credential stealer\nDescription\n(IBM) CoreBot appears to be quite modular, which means that its structure and internal\nmakeup were programmed in a way that allows for the easy adding of new data theft and\nendpoint control mechanisms.\nCoreBot was discovered while the researchers were studying the activity of malware on\nTrusteer-protected enterprise endpoints. The malware’s compiled file was named “core”\nby its developer. Antivirus engines do not specify this malware’s name yet and detect it\nunder generic names such as Dynamer!ac or Eldorado. But while CoreBot may appear\nartless at first glance, without real-time theft capabilities, it is more interesting on the\ninside.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool CoreBot\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=91666db0-93e4-47ab-974f-277a3e19b707\nPage 1 of 2\n\nOther groups\r\n  Boson Spider [Unknown] 2015-Nov 2017  \r\n1 group listed (0 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=91666db0-93e4-47ab-974f-277a3e19b707\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=91666db0-93e4-47ab-974f-277a3e19b707\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=91666db0-93e4-47ab-974f-277a3e19b707" ], "report_names": [ "listgroups.cgi?u=91666db0-93e4-47ab-974f-277a3e19b707" ], "threat_actors": [ { "id": "ab35254c-b3f8-4b45-9413-01591ba7b5f4", "created_at": "2023-01-06T13:46:39.231425Z", "updated_at": "2026-04-10T02:00:03.253352Z", "deleted_at": null, "main_name": "BOSON SPIDER", "aliases": [], "source_name": "MISPGALAXY:BOSON SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a95ead6e-d506-4929-a0dd-1a7afb19b84e", "created_at": "2022-10-25T16:07:24.461901Z", "updated_at": "2026-04-10T02:00:04.999569Z", "deleted_at": null, "main_name": "Boson Spider", "aliases": [], "source_name": "ETDA:Boson Spider", "tools": [ "CoreBot" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434443, "ts_updated_at": 1775791726, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a5aa35aec7588a16e674d6577167a08ca8a951c1.pdf", "text": "https://archive.orkl.eu/a5aa35aec7588a16e674d6577167a08ca8a951c1.txt", "img": "https://archive.orkl.eu/a5aa35aec7588a16e674d6577167a08ca8a951c1.jpg" } }