{
	"id": "68280431-f1db-46e0-9b37-b243ef67b6f0",
	"created_at": "2026-04-06T00:06:15.323818Z",
	"updated_at": "2026-04-10T13:11:43.132405Z",
	"deleted_at": null,
	"sha1_hash": "afbd2f89aacc88e31d2fb9d810c284070e57787d",
	"title": "TA2101, Maze Team - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100656,
	"plain_text": "TA2101, Maze Team - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 13:47:31 UTC\r\nHome \u003e List all groups \u003e TA2101, Maze Team\r\n APT group: TA2101, Maze Team\r\nNames\r\nTA2101 (Proofpoint)\r\nMaze Team (self given)\r\nTwisted Spider (CrowdStrike)\r\nGold Village (SecureWorks)\r\nCountry [Unknown]\r\nMotivation Financial crime, Financial gain\r\nFirst seen 2019\r\nDescription\r\n(Proofpoint) Proofpoint researchers recently detected campaigns from a relatively\r\nnew actor, tracked internally as TA2101, targeting German companies and\r\norganizations to deliver and install backdoor malware.\r\nThe actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern,\r\nthe German Federal Ministry of Finance, with lookalike domains, verbiage, and\r\nstolen branding in the emails.\r\nProofpoint researchers have also observed this actor distributing Maze ransomware,\r\nemploying similar social engineering techniques to those it uses for Cobalt Strike,\r\nwhile also targeting organizations in Italy and impersonating the Agenzia Delle\r\nEntrate, the Italian Revenue Agency. 
We have also recently observed the actor\r\ntargeting organizations in the United States using the IcedID banking Trojan while\r\nimpersonating the United States Postal Service (USPS).\r\nObserved\r\nSectors: Construction, Education, Energy, Financial, Government, Healthcare,\r\nHospitality, IT, Manufacturing, Media, Non-profit organizations, Oil and gas, Retail,\r\nShipping and Logistics, Technology, Telecommunications, Transportation and Real\r\nestate.\r\nCountries: Canada, Costa Rica, France, Germany, Italy, South Korea, Thailand, UK,\r\nUSA.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=046da342-795f-491e-b6d1-b61cd6c1f2d9\r\nPage 1 of 6\n\nTools used\n7-Zip, BokBot, BloodHound, Buran, Cobalt Strike, Egregor, Maze, Mimikatz, nmap,\nPsExec, SharpHound, WinSCP.\nOperations performed\nNov 2019\nAllied Universal Breached by Maze Ransomware, Stolen Data Leaked\nDec 2019\nMaze Ransomware Demands $6 Million Ransom From Southwire\nJan 2020\nMaze ransomware operators have infected computers from Medical\nDiagnostic Laboratories (MDLab) and are releasing close to 9.5GB of\ndata stolen from infected machines.\nJan 2020\nMAZE Relaunches 'Name and Shame' Website\nFeb 2020\nBreaking the Ice: A Deep Dive Into the IcedID Banking Trojan’s New\nMajor Version Release\nMar 2020\nChubb Cyber Insurer Allegedly Hit By Maze Ransomware Attack\nMar 2020\nThe Maze ransomware group attacked the computer systems of\nHammersmith Medicines Research (HMR), publishing personal\ndetails of thousands of former patients after the company declined to\npay a ransom.\nApr 2020\nOn April 1st, 2020, Berkine became a victim of cyber-attack by the\nnotorious Maze ransomware group that is known for its unique\nblackmailing practices.\nApr 2020\nDrug testing firm sends data breach alerts after ransomware attack\nApr 2020\nIT services giant Cognizant suffers Maze Ransomware cyber attack\nApr 2020\nThe Maze Ransomware gang breached and 
successfully encrypted the\nsystems of VT San Antonio Aerospace, as well as stole and leaked\nunencrypted files from the company's compromised devices\nApr 2020\nChipmaker MaxLinear reports data breach after Maze Ransomware\nattack\nMay 2020\nAccording to MAZE, egg producer and supplier Sparboe was cracked\ninto on May 1, 2020. As proof of the attack, the threat group has\nshared a zip file of data it claims was exfiltrated from Sparboe's\nsystems.\nMay 2020\nPackage delivery giant Pitney Bowes confirms second ransomware\nattack in 7 months\nMay 2020\nRansomware breach of Banco de Costa Rica\nJun 2020\nCyber extortionists have stolen sensitive data from a company which\nsupports the US Minuteman III nuclear deterrent.\nJun 2020\nThe Maze Ransomware operators are claiming to have successfully\nattacked business services giant Conduent, where they stole\nunencrypted files and encrypted devices on their network.\nJun 2020\nMAZE maintains that it has encrypted and exfiltrated data from New\nYork company Threadstone Advisors using ransomware.\nJun 2020\nLG Electronics allegedly hit by Maze ransomware attack\nJun 2020\nBusiness giant Xerox allegedly suffers Maze Ransomware attack\nJun 2020\nMaze Ransomware Operators Allegedly Targeted National Highways\nAuthority of India (NHAI)\nJul 2020\nCanon hit by Maze Ransomware attack, 10TB data allegedly stolen\nAug 2020\nThe Maze hacker gang claims it has infected computer memory maker\nSK hynix with ransomware and leaked some of the files it stole.\nAug 2020\nDuring the monitoring of deepweb and darkweb leaks, our researchers\ncame across the leak disclosure post in which the Maze ransomware\noperators allegedly breached Hoa Sen Group and claimed to be in\npossession of the company’s sensitive data.\nSep 2020\nFairfax County schools hit by Maze ransomware, student data leaked\nOct 2020\nMaze ransomware is shutting down its 
cybercrime operation\nOct 2020\nUbisoft, Crytek data posted on ransomware gang's site\nOct 2020\nEgregor Claims Responsibility for Barnes \u0026 Noble Attack, Leaks Data\nNov 2020\n350,000 items of personal data compromised in Capcom hack\nNov 2020\nRetail giant Cencosud hit by Egregor Ransomware attack, stores\nimpacted\nDec 2020\nKmart nationwide retailer suffers a ransomware attack\nDec 2020\nEgregor Ransomware attacked HR Giant Randstad\nFeb 2021\nFrench Hospital Hit with Egregor Ransomware\nFeb 2021\nEgregor Ransomware Adopting New Techniques\nFeb 2022\nThe master decryption keys for the Maze, Egregor, and Sekhmet\nransomware operations were released last night on the\nBleepingComputer forums by the alleged malware developer.\nCounter operations\nMar 2021\nAlleged Members of Egregor Ransomware Cartel Arrested\nFeb 2024\nZeus, IcedID malware gangs leader pleads guilty, faces 40 years in\nprison\nInformation\n\u003chttps://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\u003e\r\nLast change to this card: 07 March 2024\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=046da342-795f-491e-b6d1-b61cd6c1f2d9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=046da342-795f-491e-b6d1-b61cd6c1f2d9"
	],
	"report_names": [
		"showcard.cgi?u=046da342-795f-491e-b6d1-b61cd6c1f2d9"
	],
	"threat_actors": [
		{
			"id": "20e4919f-4dd4-4464-932a-354ffa8038ee",
			"created_at": "2025-08-07T02:03:25.024225Z",
			"updated_at": "2026-04-10T02:00:03.673649Z",
			"deleted_at": null,
			"main_name": "GOLD VILLAGE",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD VILLAGE",
			"tools": [
				"Maze"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433975,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afbd2f89aacc88e31d2fb9d810c284070e57787d.pdf",
		"text": "https://archive.orkl.eu/afbd2f89aacc88e31d2fb9d810c284070e57787d.txt",
		"img": "https://archive.orkl.eu/afbd2f89aacc88e31d2fb9d810c284070e57787d.jpg"
	}
}