{ "id": "025e67eb-e801-4a91-b290-91cbde1e3424", "created_at": "2026-04-06T00:06:49.417339Z", "updated_at": "2026-04-10T03:33:11.687831Z", "deleted_at": null, "sha1_hash": "0dfb70f3d45bee4b25d3fb3697cef06ca0804757", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47877, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:51:00 UTC\n APT group: Sowbug\nNames\nSowbug (Symantec)\nG0054 (MITRE)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2015\nDescription\n(Symantec) Symantec has identified a previously unknown group called Sowbug that\nhas been conducting highly targeted cyberattacks against organizations in South\nAmerica and Southeast Asia and appears to be heavily focused on foreign policy\ninstitutions and diplomatic targets. Sowbug has been seen mounting classic espionage\nattacks by stealing documents from the organizations it infiltrates.\nSymantec saw the first evidence of Sowbug-related activity with the discovery in March\n2017 of an entirely new piece of malware called Felismus used against a target in\nSoutheast Asia. We have subsequently identified further victims on both sides of the\nPacific Ocean. While the Felismus tool was first identified in March of this year, its\nassociation with Sowbug was unknown until now. Symantec has also been able to\nconnect earlier attack campaigns with Sowbug, demonstrating that it has been active\nsince at least early-2015 and may have been operating even earlier.\nTo date, Sowbug appears to be focused mainly on government entities in South America\nand Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru,\nBrunei and Malaysia. The group is well resourced, capable of infiltrating multiple\ntargets simultaneously and will often operate outside the working hours of targeted\norganizations in order to maintain a low profile.\nObserved\nSectors: Government.\nCountries: Argentina, Brazil, Brunei, Ecuador, Malaysia, Peru.\nTools used Felismus, StarLoader.\nInformation\nMITRE ATT\u0026CK https://apt.etda.or.th/cgi-bin/showcard.cgi?u=76db0506-25f4-4b80-90aa-032d0a8345fe\nPage 1 of 2\n\nLast change to this card: 16 August 2025\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=76db0506-25f4-4b80-90aa-032d0a8345fe\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=76db0506-25f4-4b80-90aa-032d0a8345fe\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=76db0506-25f4-4b80-90aa-032d0a8345fe" ], "report_names": [ "showcard.cgi?u=76db0506-25f4-4b80-90aa-032d0a8345fe" ], "threat_actors": [ { "id": "5cd42f56-d307-4d28-ad4f-4ff6b7d850be", "created_at": "2022-10-25T15:50:23.714424Z", "updated_at": "2026-04-10T02:00:05.372061Z", "deleted_at": null, "main_name": "Sowbug", "aliases": [ "Sowbug" ], "source_name": "MITRE:Sowbug", "tools": [ "Starloader", "Felismus" ], "source_id": "MITRE", "reports": null }, { "id": "f5eae92e-f9b5-44a2-b47b-b7087a4de831", "created_at": "2022-10-25T16:07:24.215895Z", "updated_at": "2026-04-10T02:00:04.901014Z", "deleted_at": null, "main_name": "Sowbug", "aliases": [ "G0054" ], "source_name": "ETDA:Sowbug", "tools": [ "Felismus", "StarLoader" ], "source_id": "ETDA", "reports": null }, { "id": "75a05738-8fc5-41d0-add3-354b12ecbb8a", "created_at": "2023-01-06T13:46:38.726914Z", "updated_at": "2026-04-10T02:00:03.080547Z", "deleted_at": null, "main_name": "Sowbug", "aliases": [ "G0054" ], "source_name": "MISPGALAXY:Sowbug", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434009, "ts_updated_at": 1775791991, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0dfb70f3d45bee4b25d3fb3697cef06ca0804757.pdf", "text": "https://archive.orkl.eu/0dfb70f3d45bee4b25d3fb3697cef06ca0804757.txt", "img": "https://archive.orkl.eu/0dfb70f3d45bee4b25d3fb3697cef06ca0804757.jpg" } }