{ "id": "382c9b98-a770-4f6e-b3c2-838da957f970", "created_at": "2026-04-06T01:31:58.642891Z", "updated_at": "2026-04-10T03:32:21.573519Z", "deleted_at": null, "sha1_hash": "099c21c6e5b30d063d2db8fc141710e92ba73c00", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52905, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:40:36 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool DragonEgg\r\n Tool: DragonEgg\r\nNames\r\nDragonEgg\r\nLightSpy\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Credential stealer, Exfiltration\r\nDescription\r\n(Lookout) Similar to WyrmSpy, DragonEgg appears to rely on additional payloads to\r\nimplement the full scale of its surveillance functionality.\r\nAt launch, the malware acquires — either from C2 infrastructure or a bundled file within the\r\nAPK — a payload often named “smallmload.jar” which attempts to acquire and launch\r\nadditional functionality. Like WyrmSpy, the DragonEgg samples request extensive\r\npermissions for services that are not directly exploited in the core app.\r\nWe suspect that by trojanizing legitimate chat apps like Telegram, APT41 is trying to remain\r\ninconspicuous while requesting access to extensive device data. Messaging apps typically\r\nrequest access to sensitive device data, and by hiding its surveillance functionality within a\r\nlarge, fully-functional app, the threat actor is better able to remain inconspicuous while the app\r\nis running on the device or statically analyzed by a researcher.\r\nInformation\r\n\u003chttps://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41\u003e\r\n\u003chttps://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/apk.dragonegg\u003e\r\nLast change to this tool card: 13 October 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool DragonEgg\r\nChanged Name Country Observed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b92e627c-2e0f-4d95-90f1-798028d00ba1\r\nPage 1 of 2\n\nAPT groups\r\n  APT 41 2012-Jul 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b92e627c-2e0f-4d95-90f1-798028d00ba1\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b92e627c-2e0f-4d95-90f1-798028d00ba1\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b92e627c-2e0f-4d95-90f1-798028d00ba1" ], "report_names": [ "listgroups.cgi?u=b92e627c-2e0f-4d95-90f1-798028d00ba1" ], "threat_actors": [ { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775439118, "ts_updated_at": 1775791941, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/099c21c6e5b30d063d2db8fc141710e92ba73c00.pdf", "text": "https://archive.orkl.eu/099c21c6e5b30d063d2db8fc141710e92ba73c00.txt", "img": "https://archive.orkl.eu/099c21c6e5b30d063d2db8fc141710e92ba73c00.jpg" } }