{
	"id": "bd64d63b-0af2-4c2c-835f-a4af7ba53599",
	"created_at": "2026-04-06T00:14:50.278025Z",
	"updated_at": "2026-04-10T03:37:26.677408Z",
	"deleted_at": null,
	"sha1_hash": "b947e14c49e89133645035cc30eafb6852af1a6c",
	"title": "Bamboo Spider, TA544 - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71717,
	"plain_text": "Bamboo Spider, TA544 - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 18:58:16 UTC\nOther threat group: Bamboo Spider, TA544\nNames\nBamboo Spider (CrowdStrike)\nTA544 (Proofpoint)\nCountry [Unknown]\nMotivation Financial crime\nFirst seen 2016\nDescription\nZeus Panda, Panda Banker, or Panda is a variant of the original Zeus under the\nbanking Trojan category. Its discovery was in 2016 in Brazil around the time of the\nOlympic Games. The majority of the code is derived from the original Zeus trojan,\nand maintains the coding to carry out man-in-the-browser, keystroke logging, and\nform grabbing attacks. ZeuS Panda launches attack campaigns with a variety of\nexploit kits and loaders by way of drive-by downloads and phishing emails, and also\nhooking internet search results to infected pages. Stealth capabilities make not only\ndetecting but analyzing the malware difficult.\nGozNym has been observed to be distributed via the Avalanche botnet.\nZeus Panda has been observed to be distributed by Emotet (operated by Mummy\nSpider, TA542), Smoke Loader (operated by Smoky Spider), Cutwail (operated by\nNarwhal Spider) and Kelihos (operated by Zombie Spider).\nObserved\nSectors: Financial, Hospitality, IT, Manufacturing, Retail, Technology.\nCountries: Brazil, Canada, Germany, Italy, Japan, Netherlands, Poland, Spain, UK,\nUSA and other.\nTools used\nChthonic, Gozi ISFB, GozNym, Nymaim, Zeus OpenSSL, Zeus Panda, Smoke\nLoader, URLZone, ZLoader.\nOperations performed\nApr 2016\nAttacks against more than 24 U.S. and Canadian banks\nApr 2016\nAttacks on banks in Poland\nJun 2016\nAttacks on banks in the USA\nJun 2016\nLinkedIn information used to spread banking malware in the\nNetherlands\nJul 2016\nZeus Panda Delivered By Sundown - Targets UK Banks\nAug 2016\nBanking Trojan Zeus Panda shambles into Brazil ahead of Olympics\nAug 2016\nAttacks on banks in Germany\nOct 2017\nPoisoning the Well: Banking Trojan Targets Google Search Results\nDec 2017\nZeus Panda Banking Trojan Targets Online Holiday Shoppers\nMar 2018\nPanda Banker Zeros in on Japanese Targets\nJun 2018\nZeus Panda Advanced Banking Trojan Gets Creative to Scam Affluent\nVictims in Italy\nJul 2018\nEmotet infection traffic with Zeus Panda Banker\nAug 2018\nFor the past weeks our Threat Intelligence team has been following an\nextensive campaign, possibly operated by the same group, targeting a\nlarge amount of financial institutions, cryptocurrency wallets and the\noccasional Google and Apple accounts.\nMar 2020\nZeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy\nMay 2020\nZeus Sphinx Back in Business: Some Core Modifications Arise\nSep 2021\nTA544 Targets Italian Organizations with Ursnif Malware\nCounter operations\nMay 2019\nGozNym Malware: Cybercriminal Network Dismantled in\nInternational Operation\nApr 2022\nNotorious cybercrime gang’s botnet disrupted\nLast change to this card: 03 May 2022\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ea10af8f-5a02-415e-aa8f-3e1b62bcaccf",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ea10af8f-5a02-415e-aa8f-3e1b62bcaccf"
	],
	"report_names": [
		"showcard.cgi?u=ea10af8f-5a02-415e-aa8f-3e1b62bcaccf"
	],
	"threat_actors": [
		{
			"id": "539855ac-def3-46a0-a490-f33abde7976f",
			"created_at": "2025-08-07T02:03:24.802704Z",
			"updated_at": "2026-04-10T02:00:03.718613Z",
			"deleted_at": null,
			"main_name": "GOLD ANDREW",
			"aliases": [
				"Smoky Spider "
			],
			"source_name": "Secureworks:GOLD ANDREW",
			"tools": [
				"Smoke Loader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "058823d4-60c2-42ab-a3aa-4c10f0ff37c9",
			"created_at": "2022-10-25T16:07:24.57064Z",
			"updated_at": "2026-04-10T02:00:05.036609Z",
			"deleted_at": null,
			"main_name": "Smoky Spider",
			"aliases": [],
			"source_name": "ETDA:Smoky Spider",
			"tools": [
				"Dofoil",
				"Oficla",
				"Sasfis",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fdf30f70-537c-458d-82b2-54b4f09cea48",
			"created_at": "2023-01-06T13:46:39.119613Z",
			"updated_at": "2026-04-10T02:00:03.221272Z",
			"deleted_at": null,
			"main_name": "SMOKY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SMOKY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a8107a-f669-41af-ba79-41b1cbdc4654",
			"created_at": "2023-01-06T13:46:39.228649Z",
			"updated_at": "2026-04-10T02:00:03.25247Z",
			"deleted_at": null,
			"main_name": "BAMBOO SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BAMBOO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e312df00-4c6f-44c3-b717-4b72800c7697",
			"created_at": "2023-01-06T13:46:39.03345Z",
			"updated_at": "2026-04-10T02:00:03.190159Z",
			"deleted_at": null,
			"main_name": "ZOMBIE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:ZOMBIE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cc045f52-bbdb-4fcc-8fbf-a0d8a7c5e64f",
			"created_at": "2022-10-25T16:07:24.519535Z",
			"updated_at": "2026-04-10T02:00:05.019918Z",
			"deleted_at": null,
			"main_name": "Narwhal Spider",
			"aliases": [
				"Gold Essex",
				"Storm-0302"
			],
			"source_name": "ETDA:Narwhal Spider",
			"tools": [
				"Cutwail",
				"Pushdo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c3ca3f2-9a6a-463e-869c-e9bf02d398d7",
			"created_at": "2022-10-25T16:07:24.59432Z",
			"updated_at": "2026-04-10T02:00:05.047762Z",
			"deleted_at": null,
			"main_name": "Zombie Spider",
			"aliases": [],
			"source_name": "ETDA:Zombie Spider",
			"tools": [
				"Hlux",
				"Kelihos",
				"Waledac"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b947e14c49e89133645035cc30eafb6852af1a6c.pdf",
		"text": "https://archive.orkl.eu/b947e14c49e89133645035cc30eafb6852af1a6c.txt",
		"img": "https://archive.orkl.eu/b947e14c49e89133645035cc30eafb6852af1a6c.jpg"
	}
}