{ "id": "8fe9e594-b88d-4bd0-b433-f7951a7afd34", "created_at": "2026-04-06T00:08:38.484488Z", "updated_at": "2026-04-10T03:35:43.304154Z", "deleted_at": null, "sha1_hash": "bda6bb42ed1d0706f8041a11904338764cadd87e", "title": "Mallard Spider - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 59805, "plain_text": "Mallard Spider - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 13:06:51 UTC\nHome \u003e List all groups \u003e Mallard Spider\n APT group: Mallard Spider\nNames\nMallard Spider (CrowdStrike)\nGold Lagoon (SecureWorks)\nCountry [Unknown]\nMotivation Financial crime, Financial gain\nFirst seen 2008\nDescription\n(The Hacker News) First documented in 2008, Qbot (aka QuakBot, QakBot, or\nPinkslipbot) has evolved over the years from an information stealer to a 'Swiss Army\nknife' adept in delivering other kinds of malware, including Prolock ransomware,\nand even remotely connect to a target's Windows system to carry out banking\ntransactions from the victim's IP address.\nAttackers usually infect victims using phishing techniques to lure victims to\nwebsites that use exploits to inject Qbot via a dropper.\nQakBot has been observed to be distributed by Emotet (operated by Mummy Spider,\nTA542).\nObserved\nTools used Egregor, Mimikatz, ProLock, QakBot.\nOperations performed\nMar 2020\nPwndLocker Fixes Crypto Bug, Rebrands as ProLock Ransomware\nMar 2020\nRansomware Attack Renders LaSalle County Government Computers\nUnusable\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=4233110f-f984-47ac-80fe-7988a4916505\nPage 1 of 3\n\nApr 2020\nQBot malware is back replacing IcedID in malspam campaigns\nMay 2020\nFBI warns of ProLock ransomware decryptor not working properly\nMay 2020\nRansomware Hit ATM Giant Diebold Nixdorf\nMay 2020\nProLock Ransomware teams up with QakBot trojan for network\naccess\nAug 2020\nQbot steals your email threads again to infect other victims\nSep 2020\nFBI issues second alert about ProLock ransomware stealing data\nSep 2020\nProLock ransomware increases payment demand and victim count\nOct 2020\nQBot uses Windows Defender Antivirus phishing bait to infect PCs\nNov 2020\nQBot phishing lures victims using US election interference emails\nNov 2020\nQBot partners with Egregor ransomware in bot-fueled attacks\nDec 2020\nQbot malware switched to stealthy new Windows autostart method\nInformation https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4233110f-f984-47ac-80fe-7988a4916505\nPage 2 of 3\n\nLast change to this card: 10 August 2021\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4233110f-f984-47ac-80fe-7988a4916505\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=4233110f-f984-47ac-80fe-7988a4916505\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4233110f-f984-47ac-80fe-7988a4916505" ], "report_names": [ "showcard.cgi?u=4233110f-f984-47ac-80fe-7988a4916505" ], "threat_actors": [ { "id": "aa5b200f-a6c6-4d17-bc65-911d9a7bf4ef", "created_at": "2022-10-25T16:07:23.866039Z", "updated_at": "2026-04-10T02:00:04.765416Z", "deleted_at": null, "main_name": "Mallard Spider", "aliases": [ "Gold Lagoon" ], "source_name": "ETDA:Mallard Spider", "tools": [ "Egregor", "Mimikatz", "Oakboat", "PinkSlip", "Pinkslipbot", "ProLock", "PwndLocker", "QakBot", "Qbot", "QuackBot", "QuakBot" ], "source_id": "ETDA", "reports": null }, { "id": "e8e18067-f64b-4e54-9493-6d450b7d40df", "created_at": "2022-10-25T16:07:24.515213Z", "updated_at": "2026-04-10T02:00:05.018868Z", "deleted_at": null, "main_name": "Mummy Spider", "aliases": [ "ATK 104", "Gold Crestwood", "Mummy Spider", "TA542" ], "source_name": "ETDA:Mummy Spider", "tools": [ "Emotet", "Geodo", "Heodo" ], "source_id": "ETDA", "reports": null }, { "id": "698f4ba6-a3da-4b06-98b2-863b12a15e83", "created_at": "2022-10-25T16:47:55.778377Z", "updated_at": "2026-04-10T02:00:03.615699Z", "deleted_at": null, "main_name": "GOLD LAGOON", "aliases": [ "" ], "source_name": "Secureworks:GOLD LAGOON", "tools": [ "QakBot" ], "source_id": "Secureworks", "reports": null }, { "id": "d5cb8d20-b5b9-4ec6-9660-3dded9bd3c89", "created_at": "2023-01-06T13:46:39.204681Z", "updated_at": "2026-04-10T02:00:03.245695Z", "deleted_at": null, "main_name": "MALLARD SPIDER", "aliases": [ "GOLD LAGOON" ], "source_name": "MISPGALAXY:MALLARD SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40", "created_at": "2023-01-06T13:46:38.870883Z", "updated_at": "2026-04-10T02:00:03.128317Z", "deleted_at": null, "main_name": "MUMMY SPIDER", "aliases": [ "TA542", "GOLD CRESTWOOD" ], "source_name": "MISPGALAXY:MUMMY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9", "created_at": "2024-06-19T02:03:08.024653Z", "updated_at": "2026-04-10T02:00:03.672512Z", "deleted_at": null, "main_name": "GOLD CRESTWOOD", "aliases": [ "Mummy Spider ", "TA542 " ], "source_name": "Secureworks:GOLD CRESTWOOD", "tools": [ "Emotet" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434118, "ts_updated_at": 1775792143, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bda6bb42ed1d0706f8041a11904338764cadd87e.pdf", "text": "https://archive.orkl.eu/bda6bb42ed1d0706f8041a11904338764cadd87e.txt", "img": "https://archive.orkl.eu/bda6bb42ed1d0706f8041a11904338764cadd87e.jpg" } }