{
	"id": "a2e140c4-1256-4893-b245-bd21b0376d95",
	"created_at": "2026-04-06T01:29:57.358409Z",
	"updated_at": "2026-04-10T03:28:53.844666Z",
	"deleted_at": null,
	"sha1_hash": "e6a20f1afc94b0df51b0426c803fe99a7cb08085",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41608,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:27:55 UTC\r\n APT group: UltraRank\r\nNames UltraRank (Group-IB)\r\nCountry [Unknown]\r\nMotivation Financial crime\r\nFirst seen 2015\r\nDescription\r\n(Group-IB) In August 2020, Group-IB published the report 'UltraRank: the\r\nunexpected twist of a JS-sniffer triple threat'. The report described the operations of\r\nthe cybercriminal group UltraRank, which in five years of activity had successfully\r\nattacked 691 eCommerce stores and 13 website service providers.\r\nIn November 2020, Group-IB experts discovered a new wave of UltraRank attacks.\r\nEven though new attacks were detected at the time, part of the group's infrastructure\r\nremained active and some sites were still infected. The cybercriminals did not use\r\nexisting domains for new attacks but switched to a new infrastructure to store\r\nmalicious code and collect intercepted payment data.\r\nObserved\r\nTools used SnifLite.\r\nOperations performed Nov 2020\r\nGroup-IB experts discovered a new wave of UltraRank attacks.\r\n\u003chttps://www.group-ib.com/blog/ultrarank\u003e\r\nInformation \u003chttps://www.group-ib.com/blog/ultrarank\u003e\r\nLast change to this card: 07 January 2021\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bc7f20e6-c4c5-4112-98f5-a36717a3ebcb\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=bc7f20e6-c4c5-4112-98f5-a36717a3ebcb\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bc7f20e6-c4c5-4112-98f5-a36717a3ebcb"
	],
	"report_names": [
		"showcard.cgi?u=bc7f20e6-c4c5-4112-98f5-a36717a3ebcb"
	],
	"threat_actors": [
		{
			"id": "d802a34a-fcca-484e-8b12-1f0c721fccbe",
			"created_at": "2022-10-25T16:07:24.35515Z",
			"updated_at": "2026-04-10T02:00:04.951945Z",
			"deleted_at": null,
			"main_name": "UltraRank",
			"aliases": [],
			"source_name": "ETDA:UltraRank",
			"tools": [
				"SnifLite"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438997,
	"ts_updated_at": 1775791733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6a20f1afc94b0df51b0426c803fe99a7cb08085.pdf",
		"text": "https://archive.orkl.eu/e6a20f1afc94b0df51b0426c803fe99a7cb08085.txt",
		"img": "https://archive.orkl.eu/e6a20f1afc94b0df51b0426c803fe99a7cb08085.jpg"
	}
}