{ "id": "f812ea4f-47c4-494e-b936-e09675c823ae", "created_at": "2026-04-06T00:21:36.598107Z", "updated_at": "2026-04-10T13:13:10.682063Z", "deleted_at": null, "sha1_hash": "ac875019769bc7483731f164887a731e27e4707f", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50092, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:47:19 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Chthonic\n Tool: Chthonic\nNames\nChthonic\nAndroKINS\nCategory Malware\nType Banking trojan\nDescription\n(Kaspersky) In the fall of 2014, we discovered a new banking Trojan, which caught our\nattention for two reasons:\n• First, it is interesting from the technical viewpoint, because it uses a new technique for\nloading modules.\n• Second, an analysis of its configuration files has shown that the malware targets a large\nnumber of online-banking systems: over 150 different banks and 20 payment systems in\n15 countries. Banks in the UK, Spain, the US, Russia, Japan and Italy make up the\nmajority of its potential targets.\nKaspersky Lab products detect the new banking malware as Trojan-Banker.Win32.Chthonic.\nThe Trojan is apparently an evolution of ZeusVM, although it has undergone a number of\nsignificant changes. Chthonic uses the same encryptor as Andromeda bots, the same\nencryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to\nthat used in ZeusVM and KINS malware.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 24 May 2020\nDownload this tool card in JSON format\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=56684ac2-715b-418e-a3e5-34af3ee7b408\nPage 1 of 2\n\nAll groups using tool Chthonic\r\nChanged Name Country Observed\r\nOther groups\r\n  Bamboo Spider, TA544 [Unknown] 2016-Apr 2022\r\n  TA516 [Unknown] 2016-Feb 2020  \r\n2 groups listed (0 APT, 2 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=56684ac2-715b-418e-a3e5-34af3ee7b408\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=56684ac2-715b-418e-a3e5-34af3ee7b408\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=56684ac2-715b-418e-a3e5-34af3ee7b408" ], "report_names": [ "listgroups.cgi?u=56684ac2-715b-418e-a3e5-34af3ee7b408" ], "threat_actors": [ { "id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd", "created_at": "2023-01-06T13:46:39.110148Z", "updated_at": "2026-04-10T02:00:03.216613Z", "deleted_at": null, "main_name": "NARWHAL SPIDER", "aliases": [ "GOLD ESSEX", "TA544", "Storm-0302" ], "source_name": "MISPGALAXY:NARWHAL SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "03a8107a-f669-41af-ba79-41b1cbdc4654", "created_at": "2023-01-06T13:46:39.228649Z", "updated_at": "2026-04-10T02:00:03.25247Z", "deleted_at": null, "main_name": "BAMBOO SPIDER", "aliases": [], "source_name": "MISPGALAXY:BAMBOO SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9b34a837-9f3f-4451-b8bf-adf424655df5", "created_at": "2023-01-06T13:46:39.310096Z", "updated_at": "2026-04-10T02:00:03.283332Z", "deleted_at": null, "main_name": "TA516", "aliases": [], "source_name": "MISPGALAXY:TA516", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "aeda543e-ce27-41a9-9719-d6e2941b7dbf", "created_at": "2022-10-25T16:07:24.57632Z", "updated_at": "2026-04-10T02:00:05.038892Z", "deleted_at": null, "main_name": "TA516", "aliases": [ "SmokingDro" ], "source_name": "ETDA:TA516", "tools": [ "AZORult", "AndroKINS", "Chthonic", "Dofoil", "PandaBanker", "PuffStealer", "Rultazo", "Sharik", "Smoke Loader", "SmokeLoader", "Zeus Panda", "ZeusPanda" ], "source_id": "ETDA", "reports": null }, { "id": "956fc691-b6c6-4b09-b69d-8f007c189839", "created_at": "2025-08-07T02:03:24.860251Z", "updated_at": "2026-04-10T02:00:03.656547Z", "deleted_at": null, "main_name": "GOLD ESSEX", "aliases": [ "Narwhal Spider ", "Storm-0302 ", "TA544 " ], "source_name": "Secureworks:GOLD ESSEX", "tools": [ "Cutwail", "Pony", "Pushdo" ], "source_id": "Secureworks", "reports": null }, { "id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4", "created_at": "2022-10-25T16:07:24.453427Z", "updated_at": "2026-04-10T02:00:04.997515Z", "deleted_at": null, "main_name": "Bamboo Spider", "aliases": [ "Bamboo Spider", "TA544" ], "source_name": "ETDA:Bamboo Spider", "tools": [ "AndroKINS", "Bebloh", "Chthonic", "DELoader", "Dofoil", "GozNym", "Gozi ISFB", "ISFB", "Nymaim", "PandaBanker", "Pandemyia", "Sharik", "Shiotob", "Smoke Loader", "SmokeLoader", "Terdot", "URLZone", "XSphinx", "ZLoader", "Zeus OpenSSL", "Zeus Panda", "Zeus Sphinx", "ZeusPanda", "nymain" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434896, "ts_updated_at": 1775826790, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ac875019769bc7483731f164887a731e27e4707f.pdf", "text": "https://archive.orkl.eu/ac875019769bc7483731f164887a731e27e4707f.txt", "img": "https://archive.orkl.eu/ac875019769bc7483731f164887a731e27e4707f.jpg" } }