{ "id": "99e3bd23-33c7-439d-9364-518c7abd7664", "created_at": "2026-04-06T00:09:51.480451Z", "updated_at": "2026-04-10T03:35:16.935405Z", "deleted_at": null, "sha1_hash": "e291f615a30f4e1e0f738673d4375af64c99b363", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47854, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:48:20 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GCMAN\n Tool: GCMAN\nNames GCMAN\nCategory Malware\nType Banking trojan\nDescription\n(Kaspersky) The initial infection mechanism is handled by spear-phishing. A financial\ninstitution is targeted with e-mails carrying a malicious RAR archive. When the RAR\narchive is opened an executable is started instead of a Microsoft Word document,\nresulting in infection. The group also plants a cron script into the bank's server to generate\nfinancial transactions at the rate of $200 per minute.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool GCMAN\nChanged Name Country Observed\nAPT groups\n GCMAN 2016\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e825b6cc-cf52-4c62-936c-8ca786176b8d\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e825b6cc-cf52-4c62-936c-8ca786176b8d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e825b6cc-cf52-4c62-936c-8ca786176b8d\r\nPage 2 of 2\n\nAPT groups GCMAN 2016 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e825b6cc-cf52-4c62-936c-8ca786176b8d" ], "report_names": [ "listgroups.cgi?u=e825b6cc-cf52-4c62-936c-8ca786176b8d" ], "threat_actors": [ { "id": "3b185161-668f-4cac-b930-9482f9706848", "created_at": "2022-10-25T16:07:23.670892Z", "updated_at": "2026-04-10T02:00:04.706866Z", "deleted_at": null, "main_name": "GCMAN", "aliases": [ "G0036" ], "source_name": "ETDA:GCMAN", "tools": [ "GCMAN", "Meterpreter", "VNC", "Virtual Network Computing" ], "source_id": "ETDA", "reports": null }, { "id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2", "created_at": "2022-10-25T16:07:24.471018Z", "updated_at": "2026-04-10T02:00:05.002374Z", "deleted_at": null, "main_name": "Cron", "aliases": [], "source_name": "ETDA:Cron", "tools": [ "Catelites", "Catelites Bot", "CronBot", "TinyZBot" ], "source_id": "ETDA", "reports": null }, { "id": "1e408839-27ce-4f52-b7c6-d0a700e54027", "created_at": "2023-01-06T13:46:38.479274Z", "updated_at": "2026-04-10T02:00:02.991414Z", "deleted_at": null, "main_name": "GCMAN", "aliases": [ "G0036" ], "source_name": "MISPGALAXY:GCMAN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "fc11deee-6db4-46a9-a3d5-c02bb960cc51", "created_at": "2022-10-25T15:50:23.277991Z", "updated_at": "2026-04-10T02:00:05.400194Z", "deleted_at": null, "main_name": "GCMAN", "aliases": [ "GCMAN" ], "source_name": "MITRE:GCMAN", "tools": null, "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434191, "ts_updated_at": 1775792116, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e291f615a30f4e1e0f738673d4375af64c99b363.pdf", "text": "https://archive.orkl.eu/e291f615a30f4e1e0f738673d4375af64c99b363.txt", "img": "https://archive.orkl.eu/e291f615a30f4e1e0f738673d4375af64c99b363.jpg" } }