{
	"id": "3e9f4677-e259-4927-ad4d-4ef5691e42f4",
	"created_at": "2026-04-06T00:13:56.929677Z",
	"updated_at": "2026-04-10T03:37:23.904676Z",
	"deleted_at": null,
	"sha1_hash": "abc54460004a49c54ebfb61d259bf3739c3168b7",
	"title": "Wizard Spider, Gold Blackburn - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 162926,
	"plain_text": "Wizard Spider, Gold Blackburn - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-02 10:43:21 UTC\nHome \u003e List all groups \u003e Wizard Spider, Gold Blackburn\n APT group: Wizard Spider, Gold Blackburn\nNames\nWizard Spider (CrowdStrike)\nGrim Spider (CrowdStrike)\nTEMP.MixMaster (FireEye)\nGold Blackburn (SecureWorks)\nGold Ulrick (SecureWorks)\nITG23 (IBM)\nDEV-0193 (Microsoft)\nStorm-0230 (Microsoft)\nPeriwinkle Tempest (Microsoft)\nG0102 (MITRE)\nCountry Russia\nMotivation Financial crime, Financial gain\nFirst seen 2014\nDescription\nWizard Spider is reportedly associated with Lunar Spider.\n(Crowdstrike) The Wizard Spider threat group is the Russia-based operator of the TrickBot banking malware. This\nrepresents a growing criminal enterprise of which Grim Spider appears to be a subset. The Lunar Spider threat gro\nEastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID),\nfirst observed in April 2017. 
The BokBot malware provides Lunar Spider affiliates with a variety of capabilities to\ncredential theft and wire fraud, through the use of webinjects and a malware distribution function.\nDyre has been observed to be distributed by Cutwail (operated by Narwhal Spider), as well as their own botnets G\nUpatre.\nTrickBot has been observed to be distributed via Emotet (operated by Mummy Spider, TA542), BokBot (operated\nSpider), Smoke Loader (operated by Smoky Spider), DanaBot (operated by Scully Spider, TA547), Kelihos (opera\nZombie Spider), Necurs (operated by Monty Spider) and Taurus Loader (operated by Venom Spider, Golden Chic\nwell as their own botnet Gophe.\nObserved\nSectors: Defense, Financial, Government, Healthcare, Telecommunications.\nCountries: Worldwide.\nTools used\nAdFind, Anchor, BazarBackdoor, BloodHound, Cobalt Strike, Conti, Diavol, Dyre, Gophe, Invoke-SMBAutoBrut\nLaZagne, LightBot, PowerSploit, PowerTrick, PsExec, Ryuk, SessionGopher, TrickBot, TrickMo, Upatre.\nOperations performed\nApr 2019\nCybercriminals Spoof Major Accounting and Payroll Firms in Tax Season Malware Campaigns\nJun 2019\nDuring June and July, F5 researchers first noticed Trickbot campaigns aimed at a smaller set of geog\noriented targets and did not use redirection attacks—a divergence from previous Trickbot characteri\n\nAug 2019\nIn a recent analysis in our cybercrime research labs, we noticed changes in the deployment of the Tr\nTrojan. At the time, the change we observed only applied to infection attempts on Windows 10 64-b\noperating systems (OSs). 
In those cases, TrickBot ran the payload, but did not save its typical modul\nconfigurations to disk.\nOct 2019\nComputers at the DCH Regional Medical Center in Tuscaloosa, Fayette Medical Center and Northp\nMedical Center were infected with ransomware.\nOct 2019\nShipping giant Pitney Bowes hit by ransomware\nNov 2019\nLouisiana was hit by Ryuk, triggering another cyber-emergency\nDec 2019\nTrickBot Widens Infection Campaigns in Japan Ahead of Holiday Season\nDec 2019\nThe Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware \u0026 APT\nDec 2019\nThe cyberattack that took down public-access computers at Volusia County, Fla., libraries last month\nransomware that has elicited millions of dollars in ransom payments from governments and large bu\nDec 2019\nAn infection with the Ryuk ransomware took down a maritime facility for more than 30 hours; the U\nGuard said in a security bulletin it published before Christmas.\nJan 2020\nOn the heels of a Ryuk ransomware attack on the Tampa Bay Times, researchers reported a new vari\nRyuk stealer being aimed at government, financial and law enforcement targets.\nJan 2020\nElectronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US gov\ncontractor, has suffered a ransomware infection, ZDNet has learned.\nJan 2020\nTop-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor fo\nValue Targets\nFeb 2020\nRyuk Ransomware Campaign Targets Port Lavaca City Hall\nFeb 2020\nEMCOR Group, a US-based Fortune 500 company specialized in engineering and industrial constru\nservices, disclosed last month a ransomware incident that took down some of its IT systems.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=480940e0-47b0-4295-9067-c2500ccfdaec\nPage 2 of 8\n\nFeb 2020\nEpiq Global, an international e-discovery and managed services company, has taken its systems offl\nglobally after detecting unauthorized activity.\nMar 2020\nTrickbot campaign targets 
Coronavirus fears in Italy\nMar 2020\nEVRAZ, one of the world's largest steel manufacturers and mining operations, has been hit by ranso\nsource inside the company told ZDNet today.\nMar 2020\nThe City of Durham, North Carolina has shut down its network after suffering a cyberattack by the R\nRansomware this weekend.\nMar 2020\nNew Variant of TrickBot Being Spread by Word Document\nMar 2020\nNew TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in\nHong Kong\nMar 2020\nTrickBot Pushing a 2FA Bypass App to Bank Customers in Germany\nApr 2020\nTrickBot Campaigns Targeting Users via Department of Labor FMLA Spam\nApr 2020\nAs early as April 2020, TrickBot updated one of its propagation modules known as “mworm” to a n\nmodule called “nworm.” Infections caused through nworm leave no artifacts on an infected DC, and\ndisappear after a reboot or shutdown.\nJul 2020\nThe infamous TrickBot trojan has started to check the screen resolutions of victims to detect whethe\nmalware is running in a virtual machine.\nJul 2020\nLeading toy maker Mattel hit by ransomware\nAug 2020\nUniversity of Utah pays $457,000 to ransomware gang\nAug 2020\nConti (Ryuk) joins the ranks of ransomware gangs operating data leak sites\n\nSep 2020\nUS Court Hit by “Conti” Ransomware\nSep 2020\nUniversal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, has repor\ndown systems at healthcare facilities around the US after a cyber-attack that hit its network during e\nSunday morning.\nOct 2020\nFrench IT giant Sopra Steria hit by Ryuk ransomware\nNov 2020\nOnline education giant K12 Inc. 
has paid a ransom after their systems were hit by Ryuk ransomware\nmiddle of November.\nJan 2021\nFatFace sends controversial data breach email after ransomware attack\nJan 2021\nScottish Environment Protection Agency refuses to pay ransomware crooks over 1.2GB of stolen da\nMar 2021\nRyuk ransomware hits 700 Spanish government labor agency offices\nMar 2021\nRansomware gang wanted $40 million in Florida schools cyberattack\nApr 2021\nBazarLoader deploys a pair of novel spam vectors\nMay 2021\nGreen Energy Company Volue Hit by Ransomware\nMay 2021\nConti ransomware also targeted Ireland's Department of Health\nMay 2021\nIreland’s Health Services hit with $20 million ransomware demand\nMay 2021\nNew Zealand hospitals infected by ransomware, cancel some surgeries\nMay 2021\nOperation “BazaFlix”\nThe threat actor created a robust fake movie streaming service called BravoMovies, complete with f\ntitles as a landing page.\nJun 2021\nTulsa warns of data breach after Conti ransomware leaks police citations\nJun 2021\nDiavol - A New Ransomware Used By Wizard Spider?\nAug 2021\nConti ransomware prioritizes revenue and cyberinsurance data theft\nAug 2021\nNokia subsidiary discloses data breach after Conti ransomware attack\nSep 2021\nJVCKenwood hit by Conti ransomware claiming theft of 1.5TB data\nOct 2021\nConti gang threatens to dump victim data if ransom negotiations leak to reporters\nOct 2021\nConti Ransom Gang Starts Selling Access to Victims\nNov 2021\nCelebrity jewelry house Graff falls victim to ransomware\nNov 2021\nData breach impacts 80,000 South Australian govt employees [Frontier Software]\nNov 2021\nFrom Shathak Emails to the Conti Ransomware\nDec 2021\nNordic Choice Hotels hit by Conti ransomware, no ransom demand yet\nDec 2021\nConti and Karma actors attack healthcare provider at same time through ProxyShell 
exploits\nDec 2021\nAustralian Electricity Provider 'CS Energy' Hit by Ransomware\nDec 2021\nMcMenamins breweries hit by a Conti ransomware attack\nDec 2021\nShutterfly services disrupted by Conti ransomware attack\nDec 2021\nRR Donnelly has confirmed that threat actors stole data in a December cyberattack, confirmed by\nBleepingComputer to be a Conti ransomware attack.\nDec 2021\nIndonesia's central bank confirms ransomware attack, Conti leaks data\nJan 2022\nThe Conti ransomware gang has been linked to an attack on Delta Electronics, a Taiwanese electron\nmanufacturing company and a major supplier of power components to companies like Apple and Te\nJan 2022\nKP Snacks giant hit by Conti ransomware, deliveries disrupted\nFeb 2022\nA Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies\nFeb 2022\nThe TrickBot Saga’s Finale Has Aired: Spinoff is Already in the Works\nFeb 2022\nTrickbot Group’s AnchorDNS Backdoor Upgrades to AnchorMail\nMar 2022\nRansomware gang Conti has already bounced back from damage caused by chat leaks, experts say\nMar 2022\nShutterfly discloses data breach after Conti ransomware attack\nMar 2022\nRansomware Gang Leaks Files Stolen From Industrial Giant Parker Hannifin\nApr 2022 The Parker-Hannifin Corporation announced a data breach exposing employees' personal informatio\nConti ransomware gang began publishing allegedly stolen data last month.\nApr 2022\nWind turbine firm Nordex hit by Conti ransomware attack\nApr 2022\nConti ransomware attack was aimed at destabilizing government transition, Costa Rican president sa\nApr 2022\nUnprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine\nMay 2022\nConti ransomware claims to have hacked Peru MOF – Dirección General de Inteligencia (DIGIMIN\nJun 2022\nConti 
ransomware group’s pulse stops, but did it fake its own death?\nCounter operations\nNov 2015\nRussia’s FSB quietly led an operation to take down the world’s most active cybercriminal groups, th\noperators of the banking malware Dyre\nOct 2020\nWe disrupted Trickbot through a court order we obtained as well as technical action we executed in\npartnership with telecommunications providers around the world. We have now cut off key infrastru\nthose operating Trickbot will no longer be able to initiate new infections or activate ransomware alre\ndropped into computer systems.\nSep 2021\nIrish police seize Conti domains used in HSE ransomware attack\nOct 2021\nTrickBot malware dev extradited to U.S. faces 60 years in prison\nFeb 2022 Conti ransomware gang chats leaked by pro-Ukraine member\nMar 2022\nExposing initial access broker with ties to Conti\nMar 2022\nMore Conti ransomware source code leaked on Twitter out of revenge\nMay 2022\nReward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice\nFeb 2023\nRussian man pleads guilty to laundering Ryuk ransomware money\nSep 2023\nUnited States and United Kingdom Sanction Additional Members of the Russia-Based Trickbot Cyb\nGang\nDec 2023\nTrickBot malware dev pleads guilty, faces 35 years in prison\nMay 2025\nGermany doxxes Conti ransomware and TrickBot ring leader\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=480940e0-47b0-4295-9067-c2500ccfdaec",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=480940e0-47b0-4295-9067-c2500ccfdaec"
	],
	"report_names": [
		"showcard.cgi?u=480940e0-47b0-4295-9067-c2500ccfdaec"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "539855ac-def3-46a0-a490-f33abde7976f",
			"created_at": "2025-08-07T02:03:24.802704Z",
			"updated_at": "2026-04-10T02:00:03.718613Z",
			"deleted_at": null,
			"main_name": "GOLD ANDREW",
			"aliases": [
				"Smoky Spider "
			],
			"source_name": "Secureworks:GOLD ANDREW",
			"tools": [
				"Smoke Loader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "748eb9f3-ef15-4645-881b-b91681111812",
			"created_at": "2022-10-25T16:07:24.510024Z",
			"updated_at": "2026-04-10T02:00:05.016515Z",
			"deleted_at": null,
			"main_name": "Monty Spider",
			"aliases": [
				"Gold Riverview"
			],
			"source_name": "ETDA:Monty Spider",
			"tools": [
				"Necurs",
				"nucurs"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "058823d4-60c2-42ab-a3aa-4c10f0ff37c9",
			"created_at": "2022-10-25T16:07:24.57064Z",
			"updated_at": "2026-04-10T02:00:05.036609Z",
			"deleted_at": null,
			"main_name": "Smoky Spider",
			"aliases": [],
			"source_name": "ETDA:Smoky Spider",
			"tools": [
				"Dofoil",
				"Oficla",
				"Sasfis",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fdf30f70-537c-458d-82b2-54b4f09cea48",
			"created_at": "2023-01-06T13:46:39.119613Z",
			"updated_at": "2026-04-10T02:00:03.221272Z",
			"deleted_at": null,
			"main_name": "SMOKY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SMOKY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e312df00-4c6f-44c3-b717-4b72800c7697",
			"created_at": "2023-01-06T13:46:39.03345Z",
			"updated_at": "2026-04-10T02:00:03.190159Z",
			"deleted_at": null,
			"main_name": "ZOMBIE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:ZOMBIE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cc045f52-bbdb-4fcc-8fbf-a0d8a7c5e64f",
			"created_at": "2022-10-25T16:07:24.519535Z",
			"updated_at": "2026-04-10T02:00:05.019918Z",
			"deleted_at": null,
			"main_name": "Narwhal Spider",
			"aliases": [
				"Gold Essex",
				"Storm-0302"
			],
			"source_name": "ETDA:Narwhal Spider",
			"tools": [
				"Cutwail",
				"Pushdo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3070c7b-c1e8-462c-94f1-62a0d2bdbc67",
			"created_at": "2023-01-06T13:46:39.116254Z",
			"updated_at": "2026-04-10T02:00:03.218594Z",
			"deleted_at": null,
			"main_name": "SCULLY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SCULLY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c3ca3f2-9a6a-463e-869c-e9bf02d398d7",
			"created_at": "2022-10-25T16:07:24.59432Z",
			"updated_at": "2026-04-10T02:00:05.047762Z",
			"deleted_at": null,
			"main_name": "Zombie Spider",
			"aliases": [],
			"source_name": "ETDA:Zombie Spider",
			"tools": [
				"Hlux",
				"Kelihos",
				"Waledac"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a15363f3-ec73-4a94-a94c-60ffb4925a40",
			"created_at": "2023-01-06T13:46:39.10693Z",
			"updated_at": "2026-04-10T02:00:03.215548Z",
			"deleted_at": null,
			"main_name": "MONTY SPIDER",
			"aliases": [
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:MONTY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434436,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abc54460004a49c54ebfb61d259bf3739c3168b7.pdf",
		"text": "https://archive.orkl.eu/abc54460004a49c54ebfb61d259bf3739c3168b7.txt",
		"img": "https://archive.orkl.eu/abc54460004a49c54ebfb61d259bf3739c3168b7.jpg"
	}
}