{
	"id": "4538ea1e-b106-4246-a8c1-0cc2a3be2547",
	"created_at": "2026-04-06T01:32:18.288304Z",
	"updated_at": "2026-04-10T03:36:11.180406Z",
	"deleted_at": null,
	"sha1_hash": "f1c4f53a9357d21032fbf88ca4c412829a45dfe1",
	"title": "Scully Spider, TA547 - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63387,
	"plain_text": "Scully Spider, TA547 - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-06 00:24:58 UTC\r\n Other threat group: Scully Spider, TA547\r\nNames\r\nScully Spider (CrowdStrike)\r\nTA547 (Proofpoint)\r\nCountry [Unknown]\r\nMotivation Financial crime, Financial gain\r\nFirst seen 2017\r\nDescription\r\n(Proofpoint) TA547 is responsible for many other campaigns since at least\r\nNovember 2017. The other campaigns by the actor were often localized to countries\r\nsuch as Australia, Germany, the United Kingdom, and Italy. Delivered malware\r\nincluded ZLoader (a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos,\r\nMazar Bot, and Red Alert Android malware.\r\nIt is worth noting that samples of DanaBot found in a public malware repository\r\ncontained different campaign IDs (the “a=” parameter) than the ones we observed in\r\nthe wild, suggesting that there may be activity other than that which we observed.\r\nFinally, we should mention that DanaBot bears some similarities in its technical\r\nimplementation and choices of technology to earlier malware, in particular Reveton\r\nand CryptXXX [1], which were also written in Delphi and communicated using raw\r\nTCP to port 443. 
These malware strains also featured similarities in the style of C\u0026C\r\ntraffic.\r\nDanaBot has been observed to be distributed by Smoke Loader (operated by Smoky\r\nSpider).\r\nDanaBot itself has been observed to distribute CoreBot (Boson Spider), GandCrab\r\nand Sodinokibi (Pinchy Spider, Gold Southfield) and TrickBot (Wizard Spider, Gold\r\nBlackburn).\r\nObserved Sectors: Financial.\r\nCountries: Austria, Australia, Brazil, Canada, Colombia, Germany, Hong Kong, Iraq,\r\nItaly, New Zealand, Poland, Spain, Switzerland, UK, Ukraine, USA.\nTools used DanaBot, LummaC2, NetSupport Manager, Rhadamanthys, Stealc.\nOperations performed\nSep 2018\nRecently, we have spotted a surge in activity of DanaBot, a stealthy\nbanking Trojan discovered earlier this year. The malware, first\nobserved in campaigns targeting Australia and later Poland, has\napparently expanded further, with campaigns popping up in Italy,\nGermany, Austria, and as of September 2018, Ukraine.\nNov 2018\nDanaBot appears to have outgrown the banking Trojan category.\nAccording to our research, its operators have recently been\nexperimenting with cunning email-address-harvesting and spam-sending features, capable of misusing webmail accounts of existing\nvictims for further malware distribution.\nJan 2019\nThe fast-evolving, modular Trojan DanaBot has undergone further\nchanges, with the latest version featuring an entirely new\ncommunication protocol. The protocol, introduced to DanaBot at the\nend of January 2019, adds several layers of encryption to DanaBot’s\nC\u0026C communication.\nApr 2019\nDanaBot Demands a Ransom Payment\nSep 2019\nLike most of the other notable banking trojans, DanaBot continues to\nshift tactics and evolve in order to stay relevant. 
F5 malware\nresearchers first noticed these shifting tactics in September 2019,\nhowever, it is possible they began even earlier.\nMar 2024\nSecurity Brief: TA547 Targets German Organizations with\nRhadamanthys Stealer\nInformation https://apt.etda.or.th/cgi-bin/showcard.cgi?u=23122dca-5529-4f8f-b69d-d4a31a00c20a\nLast change to this card: 22 April 2024\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=23122dca-5529-4f8f-b69d-d4a31a00c20a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=23122dca-5529-4f8f-b69d-d4a31a00c20a"
	],
	"report_names": [
		"showcard.cgi?u=23122dca-5529-4f8f-b69d-d4a31a00c20a"
	],
	"threat_actors": [
		{
			"id": "539855ac-def3-46a0-a490-f33abde7976f",
			"created_at": "2025-08-07T02:03:24.802704Z",
			"updated_at": "2026-04-10T02:00:03.718613Z",
			"deleted_at": null,
			"main_name": "GOLD ANDREW",
			"aliases": [
				"Smoky Spider "
			],
			"source_name": "Secureworks:GOLD ANDREW",
			"tools": [
				"Smoke Loader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "058823d4-60c2-42ab-a3aa-4c10f0ff37c9",
			"created_at": "2022-10-25T16:07:24.57064Z",
			"updated_at": "2026-04-10T02:00:05.036609Z",
			"deleted_at": null,
			"main_name": "Smoky Spider",
			"aliases": [],
			"source_name": "ETDA:Smoky Spider",
			"tools": [
				"Dofoil",
				"Oficla",
				"Sasfis",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ab35254c-b3f8-4b45-9413-01591ba7b5f4",
			"created_at": "2023-01-06T13:46:39.231425Z",
			"updated_at": "2026-04-10T02:00:03.253352Z",
			"deleted_at": null,
			"main_name": "BOSON SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BOSON SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fdf30f70-537c-458d-82b2-54b4f09cea48",
			"created_at": "2023-01-06T13:46:39.119613Z",
			"updated_at": "2026-04-10T02:00:03.221272Z",
			"deleted_at": null,
			"main_name": "SMOKY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SMOKY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a95ead6e-d506-4929-a0dd-1a7afb19b84e",
			"created_at": "2022-10-25T16:07:24.461901Z",
			"updated_at": "2026-04-10T02:00:04.999569Z",
			"deleted_at": null,
			"main_name": "Boson Spider",
			"aliases": [],
			"source_name": "ETDA:Boson Spider",
			"tools": [
				"CoreBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7961bf6e-e429-484c-93e2-bd1d36fa5588",
			"created_at": "2023-01-06T13:46:39.275053Z",
			"updated_at": "2026-04-10T02:00:03.270128Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD SOUTHFIELD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02ef8063-7ad4-42ba-a646-97210000f6b5",
			"created_at": "2024-06-19T02:03:08.117993Z",
			"updated_at": "2026-04-10T02:00:03.614663Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD SOUTHFIELD",
			"tools": [
				"REvil"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3070c7b-c1e8-462c-94f1-62a0d2bdbc67",
			"created_at": "2023-01-06T13:46:39.116254Z",
			"updated_at": "2026-04-10T02:00:03.218594Z",
			"deleted_at": null,
			"main_name": "SCULLY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SCULLY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439138,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1c4f53a9357d21032fbf88ca4c412829a45dfe1.pdf",
		"text": "https://archive.orkl.eu/f1c4f53a9357d21032fbf88ca4c412829a45dfe1.txt",
		"img": "https://archive.orkl.eu/f1c4f53a9357d21032fbf88ca4c412829a45dfe1.jpg"
	}
}