{
	"id": "21ac69d3-a2ec-448a-b40a-d175fec49f08",
	"created_at": "2026-04-06T03:37:49.59174Z",
	"updated_at": "2026-04-10T03:25:28.198342Z",
	"deleted_at": null,
	"sha1_hash": "be346ca13cde07d8b240b11aa2c8c5cda9b9652e",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47914,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 02:57:48 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool RTM\n Tool: RTM\nNames\nRTM\nRTM Banker\nRedaman\nCategory Malware\nType Banking trojan, Backdoor, Keylogger, Info stealer, Downloader, Exfiltration\nDescription\nRTM Banker also known as Redaman was first blogged about in February 2017 by\nESET. The malware is written in Delphi and shows some similarities (like process list)\nwith Buhtrap. It uses a slightly modified version of RC4 to encrypt its strings, network\ndata, configuration and modules, according to ESET.\nInformation MITRE ATT\u0026CK Malpedia\nLast change to this tool card: 22 May 2020\nDownload this tool card in JSON format\nAll groups using tool RTM\nChanged Name Country Observed\nAPT groups\n RTM 2015\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd9ceb37-fbda-4946-9e69-c83de7ecb1d0\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd9ceb37-fbda-4946-9e69-c83de7ecb1d0\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd9ceb37-fbda-4946-9e69-c83de7ecb1d0\r\nPage 2 of 2\n\nAPT groups  RTM 2015 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd9ceb37-fbda-4946-9e69-c83de7ecb1d0"
	],
	"report_names": [
		"listgroups.cgi?u=fd9ceb37-fbda-4946-9e69-c83de7ecb1d0"
	],
	"threat_actors": [
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446669,
	"ts_updated_at": 1775791528,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be346ca13cde07d8b240b11aa2c8c5cda9b9652e.pdf",
		"text": "https://archive.orkl.eu/be346ca13cde07d8b240b11aa2c8c5cda9b9652e.txt",
		"img": "https://archive.orkl.eu/be346ca13cde07d8b240b11aa2c8c5cda9b9652e.jpg"
	}
}