{
	"id": "c7d28ae0-d94b-49ae-8107-933e35f45ca4",
	"created_at": "2026-04-06T00:19:06.116572Z",
	"updated_at": "2026-04-10T03:33:29.996511Z",
	"deleted_at": null,
	"sha1_hash": "eec6368c94024e6dcf457ca0c97d7161d9fce247",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48797,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:23:16 UTC\r\n APT group: FIN13\r\nNames FIN13 (Mandiant)\r\nCountry [Unknown]\r\nMotivation Financial crime, Financial gain\r\nFirst seen 2016\r\nDescription\r\n(Mandiant) Since 2017, Mandiant has been tracking FIN13, an industrious and versatile\r\nfinancially motivated threat actor conducting long-term intrusions in Mexico with an activity\r\ntimeframe stretching back as early as 2016. FIN13's operations have several noticeable\r\ndifferences from current cybercriminal data theft and ransomware extortion trends.\r\nAlthough their operations continue through the present day, in many ways FIN13’s intrusions\r\nare like a time capsule of traditional financial cybercrime from days past. Instead of today’s\r\nprevalent “smash and grab” ransomware groups, FIN13 takes their time to gather information\r\nto perform fraudulent money transfers. Rather than relying heavily on attack frameworks such\r\nas Cobalt Strike, the majority of FIN13 intrusions involve heavy use of custom passive\r\nbackdoors and tools to lurk in environments for the long haul.\r\nAlso see Elephant Beetle.\r\nObserved Countries: Mexico.\r\nTools used\r\nBLUEAGAVE, BUSTEDPIPE, CLOSEWATCH, DRAWSTRING, GetUserSPNS.vbs,\r\nGoBot2, HOTLANE, JSPRAT, LATCHKEY, MAILSLOT, NIGHTJAR, nmap, PORTHOLE,\r\nPowerSploit, ProcDump, SHELLSWEEP, SIXPACK, SPINOFF, SWEARJAR, Tiny SHell.\r\nInformation \u003chttps://www.mandiant.com/resources/fin13-cybercriminal-mexico\u003e\r\nLast change to this card: 25 January 2022\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9179aa71-961e-4518-bbb9-0ea87fcb31c7\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9179aa71-961e-4518-bbb9-0ea87fcb31c7\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9179aa71-961e-4518-bbb9-0ea87fcb31c7"
	],
	"report_names": [
		"showcard.cgi?u=9179aa71-961e-4518-bbb9-0ea87fcb31c7"
	],
	"threat_actors": [
		{
			"id": "575d8adf-f451-4110-b1c0-89fb463e99c0",
			"created_at": "2022-10-25T16:07:23.637493Z",
			"updated_at": "2026-04-10T02:00:04.696832Z",
			"deleted_at": null,
			"main_name": "FIN13",
			"aliases": [],
			"source_name": "ETDA:FIN13",
			"tools": [
				"BLUEAGAVE",
				"BUSTEDPIPE",
				"CLOSEWATCH",
				"GetUserSPNS.vbs",
				"GoBot2",
				"HOTLANE",
				"JSPRAT",
				"MAILSLOT",
				"PowerSploit",
				"ProcDump",
				"SHELLSWEEP",
				"SIXPACK",
				"SPINOFF",
				"SWEARJAR",
				"Tiny SHell",
				"nmap",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50b43f44-b93c-4377-82bc-d6e9c7ef5ee6",
			"created_at": "2022-10-25T16:07:23.573424Z",
			"updated_at": "2026-04-10T02:00:04.673762Z",
			"deleted_at": null,
			"main_name": "Elephant Beetle",
			"aliases": [
				"TG2003"
			],
			"source_name": "ETDA:Elephant Beetle",
			"tools": [
				"JSPSPY",
				"MiniWebCmdShell",
				"jsp File browser",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7aa1288a-61ec-4793-b543-9fedc26b9b03",
			"created_at": "2023-11-01T02:01:06.805323Z",
			"updated_at": "2026-04-10T02:00:05.331884Z",
			"deleted_at": null,
			"main_name": "FIN13",
			"aliases": [
				"FIN13",
				"Elephant Beetle"
			],
			"source_name": "MITRE:FIN13",
			"tools": [
				"Impacket",
				"Mimikatz",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f57e32ac-9f90-471d-93ba-7f6d8b05e6c1",
			"created_at": "2023-01-06T13:46:39.29882Z",
			"updated_at": "2026-04-10T02:00:03.279184Z",
			"deleted_at": null,
			"main_name": "FIN13",
			"aliases": [
				"TG2003",
				"Elephant Beetle"
			],
			"source_name": "MISPGALAXY:FIN13",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775792009,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eec6368c94024e6dcf457ca0c97d7161d9fce247.pdf",
		"text": "https://archive.orkl.eu/eec6368c94024e6dcf457ca0c97d7161d9fce247.txt",
		"img": "https://archive.orkl.eu/eec6368c94024e6dcf457ca0c97d7161d9fce247.jpg"
	}
}