{ "id": "36b02ff6-e7a7-4a9f-be46-abff5e8aae2a", "created_at": "2026-04-06T00:07:54.303858Z", "updated_at": "2026-04-10T13:11:18.42336Z", "deleted_at": null, "sha1_hash": "fb898dc494830b1ad70dd2b853d523a1991c8894", "title": "August Stealer - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47765, "plain_text": "August Stealer - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 20:28:54 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool August Stealer\r\n Tool: August Stealer\r\nNames August Stealer\r\nCategory Malware\r\nType Info stealer, Credential stealer, Exfiltration\r\nDescription\r\n(Proofpoint) During the month of November, Proofpoint observed multiple campaigns\r\nfrom TA530 - an actor we have noted for their highly personalized campaigns - targeting\r\ncustomer service and managerial staff at retailers. These campaigns utilized “fileless”\r\nloading of a relatively new malware called August through the use of Word macros and\r\nPowerShell. August contains stealing functionality targeting credentials and sensitive\r\ndocuments from the infected computer.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\u003e\r\n\u003chttps://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:august%20stealer\u003e\r\nLast change to this tool card: 13 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool August Stealer\r\nChanged Name Country Observed\r\nAPT groups\r\n  TA530 [Unknown] 2016-Nov 2016  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=43a1e38a-c143-443b-a501-ec2299589720\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=43a1e38a-c143-443b-a501-ec2299589720\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=43a1e38a-c143-443b-a501-ec2299589720\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=43a1e38a-c143-443b-a501-ec2299589720" ], "report_names": [ "listgroups.cgi?u=43a1e38a-c143-443b-a501-ec2299589720" ], "threat_actors": [ { "id": "f8fd6c94-f1bf-43b8-8613-edc46ca097ee", "created_at": "2022-10-25T16:07:24.285532Z", "updated_at": "2026-04-10T02:00:04.922819Z", "deleted_at": null, "main_name": "TA530", "aliases": [], "source_name": "ETDA:TA530", "tools": [ "AbaddonPOS", "August Stealer", "Bugat v5", "CryptoWall", "Dofoil", "Dridex", "Gozi ISFB", "H1N1", "H1N1 Loader", "ISFB", "Nymaim", "Pandemyia", "Sharik", "Smoke Loader", "SmokeLoader", "SpY-Agent", "TVRAT", "TVSpy", "TeamSpy", "TeamViewerENT", "TinyLoader", "nymain" ], "source_id": "ETDA", "reports": null }, { "id": "af77521e-c35f-4030-a95d-bcd1eaeeaac1", "created_at": "2023-01-06T13:46:38.476089Z", "updated_at": "2026-04-10T02:00:02.990237Z", "deleted_at": null, "main_name": "TA530", "aliases": [], "source_name": "MISPGALAXY:TA530", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434074, "ts_updated_at": 1775826678, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fb898dc494830b1ad70dd2b853d523a1991c8894.pdf", "text": "https://archive.orkl.eu/fb898dc494830b1ad70dd2b853d523a1991c8894.txt", "img": "https://archive.orkl.eu/fb898dc494830b1ad70dd2b853d523a1991c8894.jpg" } }