{ "id": "11acfeb0-06b8-4641-a09c-3926df1b2f9d", "created_at": "2026-04-06T00:10:34.229614Z", "updated_at": "2026-04-10T13:13:07.599559Z", "deleted_at": null, "sha1_hash": "11d5127b674e99f490b5e026a5552a6688d62321", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 58633, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:40:48 UTC\n Other threat group: Dark Basin\nNames\nDark Basin (Citizen Lab)\nMercenary.Amanda (NortonLifeLock)\nCountry India\nSponsor BellTroX InfoTech Services\nMotivation Information theft and espionage\nFirst seen 2013\nDescription\n(Citizen Lab) We give the name Dark Basin to a hack-for-hire organization that has\ntargeted thousands of individuals and organizations on six continents, including senior\npoliticians, government prosecutors, CEOs, journalists, and human rights defenders. With\nhigh confidence, we link Dark Basin to BellTroX InfoTech Services (“BellTroX”), an\nIndia-based technology company.\nOver the course of our multi-year investigation, we found that Dark Basin likely\nconducted commercial espionage on behalf of their clients against opponents involved in\nhigh profile public events, criminal cases, financial transactions, news stories, and\nadvocacy. This report highlights several clusters of targets. In future reports, we will\nprovide more details about specific clusters of targets and Dark Basin’s activities.\nObserved\nSectors: Financial, Government, Manufacturing, Media, NGOs, Non-profit organizations\nand journalists, law and consulting firms.\nCountries: Austria, Belgium, Brazil, Canada, Cyprus, Czech, France, Germany, Iceland,\nIndia, Israel, Italy, Kenya, Mexico, Nigeria, Norway, Russia, South Korea, Sweden,\nSwitzerland, UK, Ukraine, USA.\nTools used\nInformation\nAlienVault OTX Last change to this card: 27 August 2020\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=03011e9d-5ddb-4d43-82a1-bf89a51b5709\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=03011e9d-5ddb-4d43-82a1-bf89a51b5709\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=03011e9d-5ddb-4d43-82a1-bf89a51b5709\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=03011e9d-5ddb-4d43-82a1-bf89a51b5709" ], "report_names": [ "showcard.cgi?u=03011e9d-5ddb-4d43-82a1-bf89a51b5709" ], "threat_actors": [ { "id": "1a933813-3deb-4d6f-8e0f-33b9187970f9", "created_at": "2023-01-06T13:46:39.147547Z", "updated_at": "2026-04-10T02:00:03.230111Z", "deleted_at": null, "main_name": "Dark Basin", "aliases": [], "source_name": "MISPGALAXY:Dark Basin", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "60b64223-652b-4177-a678-3d675b79cff4", "created_at": "2022-10-25T16:07:24.478235Z", "updated_at": "2026-04-10T02:00:05.004167Z", "deleted_at": null, "main_name": "Dark Basin", "aliases": [ "Mercenary.Amanda" ], "source_name": "ETDA:Dark Basin", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434234, "ts_updated_at": 1775826787, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/11d5127b674e99f490b5e026a5552a6688d62321.pdf", "text": "https://archive.orkl.eu/11d5127b674e99f490b5e026a5552a6688d62321.txt", "img": "https://archive.orkl.eu/11d5127b674e99f490b5e026a5552a6688d62321.jpg" } }