{
	"id": "a59d4f79-5305-4a19-8412-f06b6b1961e6",
	"created_at": "2026-04-06T00:22:10.502002Z",
	"updated_at": "2026-04-10T03:25:18.479633Z",
	"deleted_at": null,
	"sha1_hash": "e0cae84a6b84d10ea54ce66658b0f60d6fafeaeb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46519,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:38:58 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Z*Stealer\r\n Tool: Z*Stealer\r\nNames\r\nZ*Stealer\r\nZStealer\r\nCategory Malware\r\nType Backdoor, Credential stealer\r\nDescription\r\n(Forcepoint) ZS.DLL.C is another Delphi based library, this time for stealing both OS and\r\napplication login credentials. As with the cryptocurrency stealer, once the password scan is\r\ncompleted the extracted information is transferred to the C2 by HTTP POST request to a PHP\r\npage on the server side.\r\nBased on data retrieved from the C2 servers, the credential stealing capability seems to be\r\ncomparatively successful at retrieving data. A range of commonly used applications are\r\nsupported.\r\nInformation \u003chttps://www.forcepoint.com/blog/x-labs/quantize-or-capitalize\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.zstealer\u003e\r\nLast change to this tool card: 27 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool Z*Stealer\r\nChanged Name Country Observed\r\nOther groups\r\n  Guru Spider 2014-Mar 2018  \r\n1 group listed (0 APT, 1 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=728e24c5-46cb-438a-b2c4-b4f8fd637829\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=728e24c5-46cb-438a-b2c4-b4f8fd637829\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=728e24c5-46cb-438a-b2c4-b4f8fd637829\r\nPage 2 of 2\n\nOther groups Guru Spider 2014-Mar 2018 \n1 group listed (0 APT, 1 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=728e24c5-46cb-438a-b2c4-b4f8fd637829"
	],
	"report_names": [
		"listgroups.cgi?u=728e24c5-46cb-438a-b2c4-b4f8fd637829"
	],
	"threat_actors": [
		{
			"id": "64ac8ebd-4cd6-410b-83f3-f3ef25b59156",
			"created_at": "2022-10-25T16:07:24.494373Z",
			"updated_at": "2026-04-10T02:00:05.009827Z",
			"deleted_at": null,
			"main_name": "Guru Spider",
			"aliases": [],
			"source_name": "ETDA:Guru Spider",
			"tools": [
				"MBS BTC Stealer",
				"MKL Pro Keylogger",
				"Madness PRO DDoS",
				"Quant Loader",
				"QuantLoader",
				"Z*Stealer",
				"ZStealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc28c4ad-2d4b-47f4-8303-7360a9e72570",
			"created_at": "2023-01-06T13:46:38.900931Z",
			"updated_at": "2026-04-10T02:00:03.13942Z",
			"deleted_at": null,
			"main_name": "GURU SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:GURU SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434930,
	"ts_updated_at": 1775791518,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0cae84a6b84d10ea54ce66658b0f60d6fafeaeb.pdf",
		"text": "https://archive.orkl.eu/e0cae84a6b84d10ea54ce66658b0f60d6fafeaeb.txt",
		"img": "https://archive.orkl.eu/e0cae84a6b84d10ea54ce66658b0f60d6fafeaeb.jpg"
	}
}