{
	"id": "05a77583-61fe-4f70-ae62-08b054306c2b",
	"created_at": "2026-04-06T03:37:58.65236Z",
	"updated_at": "2026-04-10T03:35:42.344507Z",
	"deleted_at": null,
	"sha1_hash": "b7346b16463d52211663d8fb6f2cca2802a1fddb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51078,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 03:09:55 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Defray777\nTool: Defray777\nNames\nDefray777\nDefray\nDefray 2018\nTarget777\nRansom X\nRansomExx\nGlushkov\nCategory: Malware\nType: Ransomware, Big Game Hunting\nDescription\n(Palo Alto) Defray777 is an elusive family of ransomware also known as Ransom X and\nRansomExx. Although it has recently been covered in the news as a new family, it has\nbeen in use since at least 2018 and is responsible for a number of high-profile ransomware\nincidents -- as detailed in the articles we linked to.\nDefray777 runs entirely in memory, which is why there have been so few publicly\ndiscussed samples to date. In several recent incidents, Defray777 was loaded into memory\nand executed by Cobalt Strike, which was delivered by the Vatet loader.\nInformation\nMalpedia, AlienVault OTX\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ec6a3a6f-e491-4831-a92f-7fd13b93331f\nPage 1 of 2\n\nLast change to this tool card: 28 December 2022\nDownload this tool card in JSON format\nAll groups using tool Defray777\nChanged | Name | Country | Observed\nAPT groups\nName: Sprite Spider, Gold Dupont; Country: [Unknown]; Observed: 2015-Nov 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ec6a3a6f-e491-4831-a92f-7fd13b93331f\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ec6a3a6f-e491-4831-a92f-7fd13b93331f\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ec6a3a6f-e491-4831-a92f-7fd13b93331f"
	],
	"report_names": [
		"listgroups.cgi?u=ec6a3a6f-e491-4831-a92f-7fd13b93331f"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446678,
	"ts_updated_at": 1775792142,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7346b16463d52211663d8fb6f2cca2802a1fddb.pdf",
		"text": "https://archive.orkl.eu/b7346b16463d52211663d8fb6f2cca2802a1fddb.txt",
		"img": "https://archive.orkl.eu/b7346b16463d52211663d8fb6f2cca2802a1fddb.jpg"
	}
}