{
	"id": "92d179fe-222c-4e99-b4ff-29bd05c96ea1",
	"created_at": "2026-04-06T00:07:03.312031Z",
	"updated_at": "2026-04-10T03:37:23.815689Z",
	"deleted_at": null,
	"sha1_hash": "e0af00ecfb7f5f9c0f9a1dbe83d853892ee12f33",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52186,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:44:14 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Valak\n Tool: Valak\nNames\nValak\nValek\nCategory Malware\nType Backdoor, Info stealer, Loader\nDescription\n(Cybereason) The Valak Malware: The Valak Malware is a sophisticated malware\npreviously classified as a malware loader. Though it was first observed in late 2019, the\nCybereason Nocturnus team has investigated a series of dramatic changes, an evolution\nof over 30 different versions in less than six months. This research shows that Valak is\nmore than just a loader for other malware, and can also be used independently as an\ninformation stealer to target individuals and enterprises.\nTargeting Enterprises: More recent versions of Valak target Microsoft Exchange servers\nto steal enterprise mailing information and passwords along with the enterprise\ncertificate. This has the potential to access critical enterprise accounts, causing damage\nto organizations, brand degradation, and ultimately a loss of consumer trust.\nTargets US and Germany: This campaign is specifically targeting enterprises in the US\nand Germany.\nWith a Rich Modular Architecture: Valak’s basic capabilities are extended with a\nnumber of plugin components for reconnaissance and information stealing.\nUsing Fast Development Cycles: Valak has evolved from a loader to a sophisticated,\nmulti-stage modular malware that collects plugins from its C2 server to expand its\ncapabilities. The Cybereason Nocturnus team has observed over 30 different versions in\nabout 6 months.\nDesigned for Stealth: Valak is a stealthy malware that uses advanced evasive techniques\nlike NTFS Alternate Data Streams (ADS) and hiding components in the registry. In addition, over time the developers of\nValak chose to abandon using PowerShell, which can be detected and prevented by\nmodern security products.\nInformation https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5ef667f0-3718-4a30-b4a8-a10d4ee16c70\nPage 1 of 2\n\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Valak\nChanged Name Country Observed\nOther groups\n TA551, Shathak 2016-Jan 2021\n1 group listed (0 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5ef667f0-3718-4a30-b4a8-a10d4ee16c70\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5ef667f0-3718-4a30-b4a8-a10d4ee16c70\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5ef667f0-3718-4a30-b4a8-a10d4ee16c70"
	],
	"report_names": [
		"listgroups.cgi?u=5ef667f0-3718-4a30-b4a8-a10d4ee16c70"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0af00ecfb7f5f9c0f9a1dbe83d853892ee12f33.pdf",
		"text": "https://archive.orkl.eu/e0af00ecfb7f5f9c0f9a1dbe83d853892ee12f33.txt",
		"img": "https://archive.orkl.eu/e0af00ecfb7f5f9c0f9a1dbe83d853892ee12f33.jpg"
	}
}