{ "id": "15bed1f1-606d-4785-843a-e9f811d136c5", "created_at": "2026-04-06T00:06:29.369602Z", "updated_at": "2026-04-10T03:26:39.243141Z", "deleted_at": null, "sha1_hash": "183dab31d88ee9efd3ecea1c14d44b073cd091ef", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48840, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 10:52:39 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool FrozenCell\n Tool: FrozenCell\nNames FrozenCell\nCategory Malware\nType Backdoor, Info stealer, Exfiltration\nDescription\n(Lookout) FrozenCell masquerades as fake updates to chat applications like Facebook,\nWhatsApp, Messenger, LINE, and LoveChat. We also detected it in apps targeted\ntoward specific Middle Eastern demographics. For example, the actors behind\nFrozenCell used a spoofed app called Tawjihi 2016, which Jordanian or Palestinian\nstudents would ordinarily use during their general secondary examination.\nOnce installed on a device FrozenCell is capable of:\n• Recording calls\n• Retrieving generic phone metadata (e.g., cell location, mobile country code, mobile\nnetwork code)\n• Geolocating a device\n• Extracting SMS messages\n• Retrieving a victim's accounts\n• Exfiltrating images\n• Downloading and installing additional applications\n• Searching for and exfiltrating pdf, doc, docx, ppt, pptx, xls, and xlsx file types\n• Retrieving contacts\nInformation MITRE ATT\u0026CK AlienVault OTX Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool FrozenCell\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=55a7b2c6-82a3-4d18-82ce-082a5c8da2c2\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Desert Falcons [Gaza] 2011-Oct 2023\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=55a7b2c6-82a3-4d18-82ce-082a5c8da2c2\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=55a7b2c6-82a3-4d18-82ce-082a5c8da2c2\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=55a7b2c6-82a3-4d18-82ce-082a5c8da2c2" ], "report_names": [ "listgroups.cgi?u=55a7b2c6-82a3-4d18-82ce-082a5c8da2c2" ], "threat_actors": [ { "id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d", "created_at": "2022-10-25T16:07:23.539852Z", "updated_at": "2026-04-10T02:00:04.647734Z", "deleted_at": null, "main_name": "Desert Falcons", "aliases": [ "APT-C-23", "ATK 66", "Arid Viper", "Niobium", "Operation Arid Viper", "Operation Bearded Barbie", "Operation Rebound", "Pinstripe Lightning", "Renegade Jackal", "TAG-63", "TAG-CT1", "Two-tailed Scorpion" ], "source_name": "ETDA:Desert Falcons", "tools": [ "AridSpy", "Barb(ie) Downloader", "BarbWire", "Desert Scorpion", "FrozenCell", "GlanceLove", "GnatSpy", "KasperAgent", "Micropsia", "PyMICROPSIA", "SpyC23", "Viper RAT", "ViperRAT", "VolatileVenom", "WinkChat", "android.micropsia" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775433989, "ts_updated_at": 1775791599, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/183dab31d88ee9efd3ecea1c14d44b073cd091ef.pdf", "text": "https://archive.orkl.eu/183dab31d88ee9efd3ecea1c14d44b073cd091ef.txt", "img": "https://archive.orkl.eu/183dab31d88ee9efd3ecea1c14d44b073cd091ef.jpg" } }