{ "id": "9efb7cd4-5255-4318-884c-1f235f967392", "created_at": "2026-04-06T00:16:15.999417Z", "updated_at": "2026-04-10T03:35:17.660991Z", "deleted_at": null, "sha1_hash": "fd66d4972458f33ebf8cd2898bec70cb726cd287", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45913, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:28:09 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool CapturaTela\n Tool: CapturaTela\nNames CapturaTela\nCategory Malware\nType Info stealer\nDescription\n(Palo Alto) In December 2018, Palo Alto Networks Unit 42 researchers identified an\nongoing campaign with a strong focus on the hospitality sector, specifically on hotel\nreservations. Although our initial analysis didn’t show any novel or advanced techniques,\nwe did observe strong persistence during the campaign that triggered our curiosity.\nWe followed network traces and pivoted on the information left behind by this actor, such\nas open directories, document metadata, and binary peculiarities, which enabled us to find\na custom-made piece of malware, that we named “CapturaTela”. Our discovery of this\nmalware family shows the reason for the persistent focus on hotel reservations as a\nprimary vector: stealing credit card information from customers.\nInformation\nAlienVault OTX Last change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool CapturaTela\nChanged Name Country Observed\nAPT groups\n Operation Comando [Unknown] 2018\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=122697a3-bdef-49b8-94fb-e0f3419c0752\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=122697a3-bdef-49b8-94fb-e0f3419c0752\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=122697a3-bdef-49b8-94fb-e0f3419c0752\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=122697a3-bdef-49b8-94fb-e0f3419c0752" ], "report_names": [ "listgroups.cgi?u=122697a3-bdef-49b8-94fb-e0f3419c0752" ], "threat_actors": [ { "id": "e819f7c1-855b-4834-b30c-493832336ddb", "created_at": "2022-10-25T16:07:23.939418Z", "updated_at": "2026-04-10T02:00:04.796807Z", "deleted_at": null, "main_name": "Operation Comando", "aliases": [], "source_name": "ETDA:Operation Comando", "tools": [ "AsyncRAT", "Atros2.CKPN", "Bladabindi", "CapturaTela", "Jorik", "LimeRAT", "Nancrat", "NanoCore", "NanoCore RAT", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "Socmer", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "e1e83b71-854a-4ddf-82ed-141c1d151c3c", "created_at": "2023-01-06T13:46:38.934536Z", "updated_at": "2026-04-10T02:00:03.150803Z", "deleted_at": null, "main_name": "Operation Comando", "aliases": [], "source_name": "MISPGALAXY:Operation Comando", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434575, "ts_updated_at": 1775792117, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fd66d4972458f33ebf8cd2898bec70cb726cd287.pdf", "text": "https://archive.orkl.eu/fd66d4972458f33ebf8cd2898bec70cb726cd287.txt", "img": "https://archive.orkl.eu/fd66d4972458f33ebf8cd2898bec70cb726cd287.jpg" } }