{ "id": "d6855f1a-aef0-4d78-ac54-4abd776450a1", "created_at": "2026-04-06T00:06:45.511428Z", "updated_at": "2026-04-10T03:23:15.600913Z", "deleted_at": null, "sha1_hash": "be0a28ddb83c06a48f524f524701e349998725a2", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48055, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:10:54 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Corkow\n Tool: Corkow\nNames Corkow\nCategory Malware\nType Banking trojan\nDescription\n(ESET) The malware, which has been in the wild since at least 2011, has demonstrated\ncontinuous activity in the past year, infecting thousands of users. Version numbering of the\nvarious Trojan modules is another indicator that the malware authors are continually\ndeveloping the trojan.\nThe most common infection vector – drive-by downloads – has been used to spread the\nmalware.\nThis Russian tool for committing bank fraud shares many characteristics with other malware\nfamilies with a similar purpose, such as Zeus (also known as Zbot), JHUHUGIT, HesperBot,\nor Qadars, for example, but also contains some unique functionality.\nSeveral features, like enumeration of smart cards, targeting of dedicated banking applications\nmostly used by corporate customers and looking for user activity regarding online banking\nsites and applications, electronic trading platform sites and applications and so forth, all\nsuggest that the attackers are focusing their sights on financial professionals and enterprises,\nwhose bank accounts usually hold a higher balance than those of most individuals.\nInformation\nLast change to this tool card: 22 April 2020\nDownload this tool card in JSON format\nAll groups using tool Corkow\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2fb7e563-76f5-4ba4-a9e8-51f509dc804c\nPage 1 of 2\n\nAPT groups\r\n  Corkow, Metel 2011  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2fb7e563-76f5-4ba4-a9e8-51f509dc804c\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2fb7e563-76f5-4ba4-a9e8-51f509dc804c\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2fb7e563-76f5-4ba4-a9e8-51f509dc804c" ], "report_names": [ "listgroups.cgi?u=2fb7e563-76f5-4ba4-a9e8-51f509dc804c" ], "threat_actors": [ { "id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa", "created_at": "2022-10-25T16:07:23.494355Z", "updated_at": "2026-04-10T02:00:04.629595Z", "deleted_at": null, "main_name": "Corkow", "aliases": [ "Corkow", "Metel" ], "source_name": "ETDA:Corkow", "tools": [ "Corkow", "Metel" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434005, "ts_updated_at": 1775791395, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/be0a28ddb83c06a48f524f524701e349998725a2.pdf", "text": "https://archive.orkl.eu/be0a28ddb83c06a48f524f524701e349998725a2.txt", "img": "https://archive.orkl.eu/be0a28ddb83c06a48f524f524701e349998725a2.jpg" } }