{ "id": "01cee5b5-db35-4663-96b5-5c29f14aaf4c", "created_at": "2026-04-06T00:09:06.153524Z", "updated_at": "2026-04-10T13:12:44.278729Z", "deleted_at": null, "sha1_hash": "aa68bd3c08c558bf58783fb69c4bbb648320959e", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47124, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:58:14 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool CredRaptor\n Tool: CredRaptor\nNames CredRaptor\nCategory Malware\nType Credential stealer\nDescription\n(ESET) After successful compromise of the network, attackers use various malicious tools\nin order to collect passwords, allowing them to subsequently perform a lateral movement\nwithin the compromised LAN.\nA string, that contains a PDB-path to debug symbols, suggests one such tool was named\nCredRaptor by the attackers. This tool collects saved passwords from various browsers\nsuch as Google Chrome, Internet Explorer, Mozilla Firefox, and Opera.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool CredRaptor\nChanged Name Country Observed\nAPT groups\n TeleBots 2015-Oct 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c076facc-c733-4ff3-8a62-450dd426fcea\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c076facc-c733-4ff3-8a62-450dd426fcea\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c076facc-c733-4ff3-8a62-450dd426fcea\r\nPage 2 of 2\n\nAPT groups TeleBots 2015-Oct 2020 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c076facc-c733-4ff3-8a62-450dd426fcea" ], "report_names": [ "listgroups.cgi?u=c076facc-c733-4ff3-8a62-450dd426fcea" ], "threat_actors": [ { "id": "39842197-944a-49fd-9bec-eafa1807e0ea", "created_at": "2022-10-25T16:07:24.310589Z", "updated_at": "2026-04-10T02:00:04.931264Z", "deleted_at": null, "main_name": "TeleBots", "aliases": [], "source_name": "ETDA:TeleBots", "tools": [ "BadRabbit", "Black Energy", "BlackEnergy", "CredRaptor", "Diskcoder.C", "EternalPetya", "ExPetr", "Exaramel", "FakeTC", "Felixroot", "GreyEnergy", "GreyEnergy mini", "KillDisk", "LOLBAS", "LOLBins", "Living off the Land", "NonPetya", "NotPetya", "Nyetya", "Petna", "Petrwrap", "Pnyetya", "TeleBot", "TeleDoor", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "nPetya" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434146, "ts_updated_at": 1775826764, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/aa68bd3c08c558bf58783fb69c4bbb648320959e.pdf", "text": "https://archive.orkl.eu/aa68bd3c08c558bf58783fb69c4bbb648320959e.txt", "img": "https://archive.orkl.eu/aa68bd3c08c558bf58783fb69c4bbb648320959e.jpg" } }