{
	"id": "08f773f1-f98e-402e-99ed-86e8a974a110",
	"created_at": "2026-04-06T00:09:05.295929Z",
	"updated_at": "2026-04-10T03:36:11.109472Z",
	"deleted_at": null,
	"sha1_hash": "b738e5edfbbfaa8460d39e4877dfba00786f1263",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52800,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:19:31 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Dyre\n Tool: Dyre\nNames\nDyre\nDyreza\nDyzap\nDyranges\nCategory Malware\nType Banking trojan, Info stealer, Backdoor\nDescription\n(SecureWorks) In early June 2014, the Dell SecureWorks Counter Threat Unit (CTU) research team discovered the Dyre\nbanking trojan, which was being distributed by Cutwail botnet spam emails that included links to either Dropbox or\nfile storage services. The threat actors later shifted to distribution via the Upatre downloader trojan. Dyre is also known as\nDyreza, Dyzap, and Dyranges by the antivirus industry.\nDyre harvests credentials, primarily targeting online banking websites to perform Automated Clearing House (ACH) and\nwire fraud. The malware includes a modular architecture, man-in-the-browser functionality, and a backconnect server that\nallows threat actors to connect to a bank website through the victim's computer. The man-in-the-browser functionality is\nbased on a unique combination of redirects to fake websites controlled by the threat actor ('web fakes') and a dynamic\ninject system that allows the threat actors to manipulate a financial institution's website content. Similar to other banking\ntrojans, Dyre hooks into the most popular web browsers to intercept traffic from a victim's system, stealing information and\nmanipulating website content before it is rendered by the browser.\nEarly Dyre versions were relatively primitive, sending command and control (C2) communications and stolen data over\nunencrypted HTTP. Recent iterations of Dyre use SSL to encrypt all C2 communications, as well as a custom encryption\nalgorithm. Dyre also uses RSA cryptography to digitally sign configuration files and malware plugins to prevent tampering.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool Dyre\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1b27f8b4-dddf-4d58-b033-3772234bdd47\nPage 1 of 2\n\nAPT groups\r\n  Wizard Spider, Gold Blackburn 2014-May 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1b27f8b4-dddf-4d58-b033-3772234bdd47\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1b27f8b4-dddf-4d58-b033-3772234bdd47\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1b27f8b4-dddf-4d58-b033-3772234bdd47"
	],
	"report_names": [
		"listgroups.cgi?u=1b27f8b4-dddf-4d58-b033-3772234bdd47"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b738e5edfbbfaa8460d39e4877dfba00786f1263.pdf",
		"text": "https://archive.orkl.eu/b738e5edfbbfaa8460d39e4877dfba00786f1263.txt",
		"img": "https://archive.orkl.eu/b738e5edfbbfaa8460d39e4877dfba00786f1263.jpg"
	}
}