{
	"id": "ef4f2b27-3bb0-4e74-8ebf-00652ed5d901",
	"created_at": "2026-04-06T00:10:11.959338Z",
	"updated_at": "2026-04-10T03:27:46.351243Z",
	"deleted_at": null,
	"sha1_hash": "0ae9facc5806a4f22e47720925739d90a35999e5",
	"title": "Operation ViceLeaker - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45388,
	"plain_text": "Operation ViceLeaker - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 13:25:31 UTC\n APT group: Operation ViceLeaker\nNames Operation ViceLeaker (Kaspersky)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2018\nDescription\n(Kaspersky) In May 2018, we discovered a campaign targeting dozens of mobile Android\ndevices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack\nfrom the device of one of the victims; and a hash of the APK involved (Android application)\nwas tagged in our sample feed for inspection. Once we looked into the file, we quickly found\nout that the inner-workings of the APK included a malicious payload, embedded in the original\ncode of the application. This was an original spyware program, designed to exfiltrate almost\nall accessible information.\nDuring the course of our research, we noticed that we were not the only ones to have found the\noperation. Researchers from Bitdefender also released an analysis of one of the samples in a\nblogpost. Although something had already been published, we decided to do something\ndifferent with the data we acquired. The following month, we released a private report on our\nThreat Intelligence Portal to alert our clients about this newly discovered operation and began\nwriting YARA rules in order to catch more samples. 
We decided to call the operation\n“ViceLeaker”, because of strings and variables in its code.\nObserved\nSectors: Citizens.\nCountries: Israel.\nTools used ViceLeaker.\nInformation Last change to this card: 22 April 2020\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a8650f5d-af10-453f-9b9f-dd474270ede3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a8650f5d-af10-453f-9b9f-dd474270ede3"
	],
	"report_names": [
		"showcard.cgi?u=a8650f5d-af10-453f-9b9f-dd474270ede3"
	],
	"threat_actors": [
		{
			"id": "e0b6d3fa-157c-45bf-b9e3-3aa9f9aa7de7",
			"created_at": "2022-10-25T16:07:24.024256Z",
			"updated_at": "2026-04-10T02:00:04.844251Z",
			"deleted_at": null,
			"main_name": "Operation ViceLeaker",
			"aliases": [],
			"source_name": "ETDA:Operation ViceLeaker",
			"tools": [
				"Triout",
				"ViceLeaker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b960c826-adff-49e8-97aa-017ceab56776",
			"created_at": "2023-01-06T13:46:39.036244Z",
			"updated_at": "2026-04-10T02:00:03.191243Z",
			"deleted_at": null,
			"main_name": "ViceLeaker",
			"aliases": [],
			"source_name": "MISPGALAXY:ViceLeaker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434211,
	"ts_updated_at": 1775791666,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ae9facc5806a4f22e47720925739d90a35999e5.pdf",
		"text": "https://archive.orkl.eu/0ae9facc5806a4f22e47720925739d90a35999e5.txt",
		"img": "https://archive.orkl.eu/0ae9facc5806a4f22e47720925739d90a35999e5.jpg"
	}
}