{ "id": "b5c2cb81-3b05-4c52-81d8-92d6063ebcce", "created_at": "2026-04-06T00:17:32.421074Z", "updated_at": "2026-04-10T03:36:10.99283Z", "deleted_at": null, "sha1_hash": "b8f1998722bafacf11cd0bf046d4c8739c48fe2b", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 84192, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:03:35 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Conti\n Tool: Conti\nNames Conti\nCategory Malware\nType Ransomware, Big Game Hunting\nDescription\n(Carbon Black) Conti uses a large number of independent threads to perform encryption,\nallowing up to 32 simultaneous encryption efforts, resulting in faster encryption\ncompared to many other families.\nConti also utilizes command line options to allow for control over how it scans for data,\nsuggesting that the malware may commonly be spread and directly controlled by an\nadversary. This control introduces the novel ability of skipping the encryption of local\nfiles and only targeting networked SMB shares, including those from IP addresses\nspecifically provided by the adversary. This is a very rare ability that’s previously been\nseen with the Sodinokibi ransomware family.\nAnother new technique, documented in very few ransomware families, is the use of the\nWindows Restart Manager to ensure that all files can be encrypted. Just as Windows will\nattempt to cleanly shut down open applications when the operating system is rebooted,\nthe ransomware will utilize the same functionality to cleanly close the application that\nhas a file locked. By doing so, the file is freed up for encryption.\nInformation https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6c920e0b-25d1-4496-b7d2-4cdf5b9d0b9b\nPage 1 of 3\n\nMITRE ATT\u0026CK Malpedia AlienVault OTX Playbook\nLast change to this tool card: 05 September 2023\nDownload this tool card in JSON format\nAll groups using tool Conti\nChanged Name Country Observed\nAPT groups\n Wizard Spider, Gold Blackburn 2014-May 2025\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6c920e0b-25d1-4496-b7d2-4cdf5b9d0b9b\nPage 2 of 3\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6c920e0b-25d1-4496-b7d2-4cdf5b9d0b9b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6c920e0b-25d1-4496-b7d2-4cdf5b9d0b9b\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6c920e0b-25d1-4496-b7d2-4cdf5b9d0b9b" ], "report_names": [ "listgroups.cgi?u=6c920e0b-25d1-4496-b7d2-4cdf5b9d0b9b" ], "threat_actors": [ { "id": "f6f91e1c-9202-4497-bf22-9cd5ef477600", "created_at": "2023-01-06T13:46:38.86765Z", "updated_at": "2026-04-10T02:00:03.12735Z", "deleted_at": null, "main_name": "WIZARD SPIDER", "aliases": [ "TEMP.MixMaster", "GOLD BLACKBURN", "DEV-0193", "UNC2053", "Pistachio Tempest", "DEV-0237", "Storm-0230", "FIN12", "Periwinkle Tempest", "Storm-0193", "Trickbot LLC" ], "source_name": "MISPGALAXY:WIZARD SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e", "created_at": "2024-06-04T02:03:07.799286Z", "updated_at": "2026-04-10T02:00:03.606456Z", "deleted_at": null, "main_name": "GOLD BLACKBURN", "aliases": [ "ITG23 ", "Periwinkle Tempest ", "Wizard Spider " ], "source_name": "Secureworks:GOLD BLACKBURN", "tools": [ "BazarLoader", "Buer Loader", "Bumblebee", "Dyre", "Team9", "TrickBot" ], "source_id": "Secureworks", "reports": null }, { "id": "63061658-5810-4f01-9620-7eada7e9ae2e", "created_at": "2022-10-25T15:50:23.752974Z", "updated_at": "2026-04-10T02:00:05.244531Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider", "FIN12", "GOLD BLACKBURN", "ITG23", "Periwinkle Tempest", "DEV-0193" ], "source_name": "MITRE:Wizard Spider", "tools": [ "TrickBot", "AdFind", "BITSAdmin", "Bazar", "LaZagne", "Nltest", "GrimAgent", "Dyre", "Ryuk", "Conti", "Emotet", "Rubeus", "Mimikatz", "Diavol", "PsExec", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3", "created_at": "2022-10-25T16:07:24.422115Z", "updated_at": "2026-04-10T02:00:04.983298Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "DEV-0193", "G0102", "Gold Blackburn", "Gold Ulrick", "Grim Spider", "ITG23", "Operation BazaFlix", "Periwinkle Tempest", "Storm-0230", "TEMP.MixMaster", "Wizard Spider" ], "source_name": "ETDA:Wizard Spider", "tools": [ "AdFind", "Agentemis", "Anchor_DNS", "BEERBOT", "BazarBackdoor", "BazarCall", "BazarLoader", "Cobalt Strike", "CobaltStrike", "Conti", "Diavol", "Dyranges", "Dyre", "Dyreza", "Dyzap", "Gophe", "Invoke-SMBAutoBrute", "KEGTAP", "LaZagne", "LightBot", "PowerSploit", "PowerTrick", "PsExec", "Ryuk", "SessionGopher", "TSPY_TRICKLOAD", "Team9Backdoor", "The Trick", "TheTrick", "Totbrick", "TrickBot", "TrickLoader", "TrickMo", "Upatre", "bazaloader", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434652, "ts_updated_at": 1775792170, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b8f1998722bafacf11cd0bf046d4c8739c48fe2b.pdf", "text": "https://archive.orkl.eu/b8f1998722bafacf11cd0bf046d4c8739c48fe2b.txt", "img": "https://archive.orkl.eu/b8f1998722bafacf11cd0bf046d4c8739c48fe2b.jpg" } }