{ "id": "19b7b3cb-6f12-4570-b4fa-ab3dc0e8589f", "created_at": "2026-04-06T00:06:12.477444Z", "updated_at": "2026-04-10T13:12:26.083984Z", "deleted_at": null, "sha1_hash": "c18cf754ba426dab69770439ae4e61ac5cb84ae6", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45376, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:02:02 UTC\r\n APT group: TA2541\r\nNames TA2541 (Proofpoint)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2017\r\nDescription\r\n(Proofpoint) TA2541 is a persistent cybercriminal actor that distributes various remote access\r\ntrojans (RATs) targeting the aviation, aerospace, transportation, and defense industries, among\r\nothers. Proofpoint has tracked this threat actor since 2017, and it has used consistent tactics,\r\ntechniques, and procedures (TTPs) in that time. Entities in the targeted sectors should be aware\r\nof the actor's TTPs and use the information provided for hunting and detection.\r\nObserved Sectors: Aviation, Aerospace, Defense, Transportation.\r\nTools used\r\nAgent Tesla, AsyncRAT, Ave Maria, DarkRAT, H-Worm, Imminent Monitor RAT, Luminosity\r\nRAT, NetWire RC, Parallax RAT, RevengeRAT.\r\nInformation \u003chttps://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight\u003e\r\nLast change to this card: 03 April 2022\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c830c769-f4d2-4c55-a77b-14632333e7d2\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=c830c769-f4d2-4c55-a77b-14632333e7d2\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c830c769-f4d2-4c55-a77b-14632333e7d2" ], "report_names": [ "showcard.cgi?u=c830c769-f4d2-4c55-a77b-14632333e7d2" ], "threat_actors": [ { "id": "99468ac6-ccfd-4cd8-b726-791600e61431", "created_at": "2023-11-01T02:01:06.647272Z", "updated_at": "2026-04-10T02:00:05.313262Z", "deleted_at": null, "main_name": "TA2541", "aliases": [ "TA2541" ], "source_name": "MITRE:TA2541", "tools": [ "Snip3", "Revenge RAT", "jRAT", "WarzoneRAT", "Imminent Monitor", "AsyncRAT", "NETWIRE", "Agent Tesla", "njRAT" ], "source_id": "MITRE", "reports": null }, { "id": "97dc332f-2241-4755-ae33-54e5eff3990a", "created_at": "2023-01-06T13:46:39.307201Z", "updated_at": "2026-04-10T02:00:03.282272Z", "deleted_at": null, "main_name": "TA2541", "aliases": [], "source_name": "MISPGALAXY:TA2541", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "878ce40c-9fbc-4cff-a5c4-771086979fa7", "created_at": "2022-10-25T16:07:24.264056Z", "updated_at": "2026-04-10T02:00:04.915395Z", "deleted_at": null, "main_name": "TA2541", "aliases": [], "source_name": "ETDA:TA2541", "tools": [ "AVE_MARIA", "AgenTesla", "Agent Tesla", "AgentTesla", "AsyncRAT", "Ave Maria", "AveMariaRAT", "DarkRAT", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Imminent Monitor", "Imminent Monitor RAT", "Iniduoh", "Jenxcus", "Kognito", "Luminosity RAT", "LuminosityLink", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Njw0rm", "Origin Logger", "Parallax", "Parallax RAT", "ParallaxRAT", "Recam", "Revenge RAT", "RevengeRAT", "Revetrat", "WSHRAT", "ZPAQ", "avemaria", "dinihou", "dunihi" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775433972, "ts_updated_at": 1775826746, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c18cf754ba426dab69770439ae4e61ac5cb84ae6.pdf", "text": "https://archive.orkl.eu/c18cf754ba426dab69770439ae4e61ac5cb84ae6.txt", "img": "https://archive.orkl.eu/c18cf754ba426dab69770439ae4e61ac5cb84ae6.jpg" } }