{
	"id": "5c6e57f6-6661-495f-b593-a24d1faf8832",
	"created_at": "2026-04-06T00:10:41.821544Z",
	"updated_at": "2026-04-10T13:12:23.592667Z",
	"deleted_at": null,
	"sha1_hash": "1edd37e61996d6246cfa632a31845d330cee592c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54268,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:41:56 UTC\r\n APT group: Sima\r\nNames Sima (Amnesty International)\r\nCountry Iran\r\nMotivation Information theft and espionage\r\nFirst seen 2016\r\nDescription\r\nIn February 2016, Iran-focused individuals received messages purporting to be from Human\r\nRights Watch’s (HRW) Emergencies Director, requesting that they read an article about Iran\r\npressing Afghan refugees to fight in Syria. While referencing a real report published by HRW,\r\nthe links provided for the Director’s biography and article directed the recipient to malware\r\nhosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors based\r\non their social engineering tactics and narrow targeting. Although the messages still had minor\r\ngrammatical and stylistic errors that would be obvious to a native speaker, the actors\r\ndemonstrated stronger English-language proficiency than past intrusion sets and a deeper\r\ninvestment in background research prior to the attempt. The actors appropriated a real identity\r\nthat would be expected to professionally interact with the subject, then offered validation\r\nthrough links to their biography and social media, the former of which itself was malware as\r\nwell. The bait documents contained a real article relevant to their interests and topic\r\nreferenced, and the message attempted to address how it aligned with their professional\r\nresearch or field of employment. The referenced documents sent were malware binaries posing\r\nas legitimate files using the common right-to-left filenames tactic in order to conceal the actual\r\nfile extension. All of these techniques, while common pretexting mechanisms, are a refinement\r\ncompared to a tendency amongst other groups to simply continually send different forms of\r\ngeneric malware or phishing, in the hopes that one would eventually be successful.\r\nObserved Countries: This group targets Iranians in diaspora.\r\nTools used Luminosity RAT, Sima.\r\nInformation\r\n\u003chttps://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf\u003e\r\nLast change to this card: 14 April 2020\r\nDownload this actor card in PDF or JSON format\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=41fbd131-75d0-4d44-a286-c78eb9e42d7c\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=41fbd131-75d0-4d44-a286-c78eb9e42d7c\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=41fbd131-75d0-4d44-a286-c78eb9e42d7c\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=41fbd131-75d0-4d44-a286-c78eb9e42d7c"
	],
	"report_names": [
		"showcard.cgi?u=41fbd131-75d0-4d44-a286-c78eb9e42d7c"
	],
	"threat_actors": [
		{
			"id": "257efa81-fa09-4318-ac8f-7e32b54b88bb",
			"created_at": "2022-10-25T16:07:24.195026Z",
			"updated_at": "2026-04-10T02:00:04.896357Z",
			"deleted_at": null,
			"main_name": "Sima",
			"aliases": [],
			"source_name": "ETDA:Sima",
			"tools": [
				"Luminosity RAT",
				"LuminosityLink",
				"Sima"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eeb03ad7-d11f-4600-a587-b7c86aa38e5f",
			"created_at": "2023-01-06T13:46:38.564888Z",
			"updated_at": "2026-04-10T02:00:03.025514Z",
			"deleted_at": null,
			"main_name": "Sima",
			"aliases": [],
			"source_name": "MISPGALAXY:Sima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434241,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1edd37e61996d6246cfa632a31845d330cee592c.pdf",
		"text": "https://archive.orkl.eu/1edd37e61996d6246cfa632a31845d330cee592c.txt",
		"img": "https://archive.orkl.eu/1edd37e61996d6246cfa632a31845d330cee592c.jpg"
	}
}