{
	"id": "b1043cc2-1a99-4c72-bea6-5734f7e6515f",
	"created_at": "2026-04-06T00:19:22.237362Z",
	"updated_at": "2026-04-10T13:12:09.861986Z",
	"deleted_at": null,
	"sha1_hash": "02e469a4db0ec879daf9774b0ae8b4758c7bf69b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46750,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:00:57 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BoneSpy\r\n Tool: BoneSpy\r\nNames BoneSpy\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer\r\nDescription\r\n(Lookout) The BoneSpy family showed evidence of continuous development between roughly\r\nJanuary and October 2022, after which samples began using consistent lure theming and code\r\nstructure. Earlier samples from between January and September 2022 used a variety of\r\ntrojanized apps such as battery charge monitoring apps, photo-gallery apps, a fake Samsung\r\nKnox app, and trojanized Telegram apps. Later, Gamaredon largely shifted to using trojanized,\r\nfully functional Telegram samples titled as “Beta” versions.\r\nInformation\r\n\u003chttps://www.lookout.com/threat-intelligence/article/gamaredon-russian-android-surveillanceware\u003e\r\nLast change to this tool card: 27 December 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool BoneSpy\r\nChanged Name Country Observed\r\nAPT groups\r\n  Gamaredon Group 2013-Feb 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=10958f58-9776-4d97-82f9-fbf37312d0d3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=10958f58-9776-4d97-82f9-fbf37312d0d3\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=10958f58-9776-4d97-82f9-fbf37312d0d3"
	],
	"report_names": [
		"listgroups.cgi?u=10958f58-9776-4d97-82f9-fbf37312d0d3"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434762,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02e469a4db0ec879daf9774b0ae8b4758c7bf69b.pdf",
		"text": "https://archive.orkl.eu/02e469a4db0ec879daf9774b0ae8b4758c7bf69b.txt",
		"img": "https://archive.orkl.eu/02e469a4db0ec879daf9774b0ae8b4758c7bf69b.jpg"
	}
}