{ "id": "4da55ba4-cf38-42dd-b7e3-4508b7d25604", "created_at": "2026-04-06T00:14:29.018037Z", "updated_at": "2026-04-10T13:13:02.582636Z", "deleted_at": null, "sha1_hash": "c96dcdcad57079517c53df5128020e7bcd708864", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49911, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:39:53 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ATMRipper\n Tool: ATMRipper\nNames\nATMRipper\nRipper\nRipper ATM\nCategory Malware\nType ATM malware\nDescription\n(Trend Micro) Last August , security researchers released a blog discussing a new ATM\nmalware family called Ripper which they believe was involved in the recent ATM attacks\nin Thailand. Large numbers of ATMs were also temporarily shut down as a precautionary\nmeasure.\nThat analysis gave an overview of the techniques used by the malware, the fact that it\ntargets three major ATM vendors, and compared Ripper to previous ATM malware\nfamilies. Their analysis was based on the file with MD5 hash\n15632224b7e5ca0ccb0a042daf2adc13. This file was uploaded to Virustotal by a user in\nThailand on August 23.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 25 May 2020\nDownload this tool card in JSON format\nAll groups using tool ATMRipper\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c80d3d14-4c5d-47e8-a960-fb9f4d13d05a\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Cobalt Group 2016-Oct 2019\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c80d3d14-4c5d-47e8-a960-fb9f4d13d05a\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c80d3d14-4c5d-47e8-a960-fb9f4d13d05a\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c80d3d14-4c5d-47e8-a960-fb9f4d13d05a" ], "report_names": [ "listgroups.cgi?u=c80d3d14-4c5d-47e8-a960-fb9f4d13d05a" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51", "created_at": "2022-10-25T16:07:23.474746Z", "updated_at": "2026-04-10T02:00:04.623746Z", "deleted_at": null, "main_name": "Cobalt Group", "aliases": [ "ATK 67", "Cobalt Gang", "Cobalt Spider", "G0080", "Gold Kingswood", "Mule Libra", "TAG-CR3" ], "source_name": "ETDA:Cobalt Group", "tools": [ "ATMRipper", "ATMSpitter", "Agentemis", "AmmyyRAT", "AtNow", "COOLPANTS", "CobInt", "Cobalt Strike", "CobaltStrike", "Cyst Downloader", "Fareit", "FlawedAmmyy", "Formbook", "Little Pig", "Metasploit Stager", "Mimikatz", "More_eggs", "NSIS", "Nullsoft Scriptable Install System", "Pony Loader", "Ripper ATM", "SDelete", "Siplog", "SoftPerfect Network Scanner", "SpicyOmelette", "Taurus Builder", "Taurus Builder Kit", "Taurus Loader", "Terra Loader", "ThreatKit", "VenomKit", "cobeacon", "win.xloader" ], "source_id": "ETDA", "reports": null }, { "id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242", "created_at": "2022-10-25T15:50:23.744036Z", "updated_at": "2026-04-10T02:00:05.294413Z", "deleted_at": null, "main_name": "Cobalt Group", "aliases": [ "Cobalt Group", "GOLD KINGSWOOD", "Cobalt Gang", "Cobalt Spider" ], "source_name": "MITRE:Cobalt Group", "tools": [ "Mimikatz", "More_eggs", "SpicyOmelette", "SDelete", "Cobalt Strike", "PsExec" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434469, "ts_updated_at": 1775826782, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c96dcdcad57079517c53df5128020e7bcd708864.pdf", "text": "https://archive.orkl.eu/c96dcdcad57079517c53df5128020e7bcd708864.txt", "img": "https://archive.orkl.eu/c96dcdcad57079517c53df5128020e7bcd708864.jpg" } }