{ "id": "cd2bdd44-352b-4336-ae7a-e2fb638059bb", "created_at": "2026-04-06T00:07:08.073771Z", "updated_at": "2026-04-10T13:13:05.871826Z", "deleted_at": null, "sha1_hash": "e9886d8096161c6909d2a4750f9657a39bb61ed9", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48381, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:53:51 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Buran\n Tool: Buran\nNames\nBuran\nVegaLocker\nVega\nCategory Malware\nType Ransomware\nDescription\n(ESET) The component that first attracted our attention is the previously unseen\nWin32/Filecoder.Buran. It is a Delphi binary that sometimes comes packed. It was mainly\ndistributed during February and March of 2019. It implements the expected behavior of\nransomware, discovering local drives and network shares and encrypting files found on these\ndevices. It doesn’t require an internet connection to encrypt its victims’ files, since it doesn’t\ncommunicate with a server to send the encryption keys. Instead, it appends a “token” at the\nend of the ransom message and demands that the victims communicate with the operators via\nemail or Bitmessage.\nTo encrypt as many important resources as possible, Filecoder.Buran starts a thread dedicated\nto killing key software that might have open handles on files containing valuable data, thus\npreventing them being encrypted. The targeted processes are mainly database management\nsystems (DBMS). Furthermore, Filecoder.Buran removes log files and backups, to make it as\ndifficult as possible for victims without any offline backups to recover their files.\nInformation\nMalpedia Last change to this tool card: 24 April 2021\nDownload this tool card in JSON format\nAll groups using tool Buran\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a9995f6b-30ae-4e92-8fbf-60375500b7db\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  TA2101, Maze Team [Unknown] 2019-Feb 2024\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a9995f6b-30ae-4e92-8fbf-60375500b7db\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a9995f6b-30ae-4e92-8fbf-60375500b7db\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a9995f6b-30ae-4e92-8fbf-60375500b7db" ], "report_names": [ "listgroups.cgi?u=a9995f6b-30ae-4e92-8fbf-60375500b7db" ], "threat_actors": [ { "id": "e9f85280-337c-4321-b872-0919f8ef64a6", "created_at": "2022-10-25T16:07:24.261761Z", "updated_at": "2026-04-10T02:00:04.914455Z", "deleted_at": null, "main_name": "TA2101", "aliases": [ "Gold Village", "Maze Team", "TA2101", "Twisted Spider" ], "source_name": "ETDA:TA2101", "tools": [ "7-Zip", "Agentemis", "BokBot", "Buran", "ChaCha", "Cobalt Strike", "CobaltStrike", "Egregor", "IceID", "IcedID", "Mimikatz", "PsExec", "SharpHound", "VegaLocker", "WinSCP", "cobeacon", "nmap" ], "source_id": "ETDA", "reports": null }, { "id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8", "created_at": "2023-01-06T13:46:39.071873Z", "updated_at": "2026-04-10T02:00:03.203749Z", "deleted_at": null, "main_name": "TA2101", "aliases": [ "GOLD VILLAGE", "Storm-0216", "DEV-0216", "UNC2198", "TUNNEL SPIDER", "Maze Team", "TWISTED SPIDER" ], "source_name": "MISPGALAXY:TA2101", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434028, "ts_updated_at": 1775826785, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e9886d8096161c6909d2a4750f9657a39bb61ed9.pdf", "text": "https://archive.orkl.eu/e9886d8096161c6909d2a4750f9657a39bb61ed9.txt", "img": "https://archive.orkl.eu/e9886d8096161c6909d2a4750f9657a39bb61ed9.jpg" } }