{
	"id": "e4cbf8df-cecf-418c-a048-969317561685",
	"created_at": "2026-04-06T00:19:10.841069Z",
	"updated_at": "2026-04-10T03:31:09.469146Z",
	"deleted_at": null,
	"sha1_hash": "bf0a9da6b873b3f9a165dedc094a0a0fbdfe24c2",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48956,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:03:48 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Cridex\n Tool: Cridex\nNames\nCridex\nBugat\nFeodo\nCategory Malware\nType Banking trojan, Credential stealer, Worm\nDescription\n(Kaspersky) Dridex made its first appearance as an independent malicious program (under\nthe name “Cridex”) around September 2011. An analysis of a Cridex sample (MD5:\n78cc821b5acfc017c855bc7060479f84) demonstrated that, even in its early days, the\nmalware could receive dynamic configuration files, use web injections to steal money, and\nwas able to infect USB media. This ability influenced the name under which the “zero”\nversion of Cridex was detected — Worm.Win32.Cridex.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 24 May 2020\nDownload this tool card in JSON format\nAll groups using tool Cridex\nChanged Name Country Observed\nAPT groups\n Indrik Spider 2007-Oct 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a4d512bf-990c-4bb4-93bc-6cca12d429f9\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a4d512bf-990c-4bb4-93bc-6cca12d429f9\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a4d512bf-990c-4bb4-93bc-6cca12d429f9\r\nPage 2 of 2\n\nAPT groups Indrik Spider 2007-Oct 2024 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a4d512bf-990c-4bb4-93bc-6cca12d429f9"
	],
	"report_names": [
		"listgroups.cgi?u=a4d512bf-990c-4bb4-93bc-6cca12d429f9"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider",
				"Manatee Tempest"
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775791869,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf0a9da6b873b3f9a165dedc094a0a0fbdfe24c2.pdf",
		"text": "https://archive.orkl.eu/bf0a9da6b873b3f9a165dedc094a0a0fbdfe24c2.txt",
		"img": "https://archive.orkl.eu/bf0a9da6b873b3f9a165dedc094a0a0fbdfe24c2.jpg"
	}
}