{ "id": "1dbd23a7-d019-476b-9b96-005bdce910e1", "created_at": "2026-04-06T00:08:43.751389Z", "updated_at": "2026-04-10T03:32:22.177927Z", "deleted_at": null, "sha1_hash": "2370b58fa95746d9a7a8356cdba0693b05230bca", "title": "VINETHORN (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 38116, "plain_text": "VINETHORN (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:27:02 UTC\r\napk.vinethorn (Back to overview)\r\nVINETHORN\r\nAccording to Mandiant, VINETHORN is an Android malware family capable of a wide range of backdoor\r\nfunctionality. It can steal system information, read SMS inboxes, send SMS messages, access contact lists and call\r\nhistories, record audio and video, and track device location via GPS.\r\nReferences\r\n2022-12-12 ⋅ SOCRadar ⋅ SOCRadar\r\nDark Web Profile: APT42 – Iranian Cyber Espionage Group\r\nPINEFLOWER VINETHORN VBREVSHELL BROKEYOLK CHAIRSMACK DOSTEALER GHAMBAR\r\nSILENTUPLOADER TAG-56\r\n2022-09-07 ⋅ Mandiant ⋅ Mandiant Intelligence\r\nAPT42: Crooked Charms, Cons and Compromises\r\nPINEFLOWER VINETHORN VBREVSHELL BROKEYOLK DOSTEALER GHAMBAR\r\nSILENTUPLOADER\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.vinethorn\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.vinethorn\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vinethorn" ], "report_names": [ "apk.vinethorn" ], "threat_actors": [ { "id": "1d2ac189-a99e-4e16-84c0-e06df96e688c", "created_at": "2023-11-14T02:00:07.086528Z", "updated_at": "2026-04-10T02:00:03.446956Z", "deleted_at": null, "main_name": "TAG-56", "aliases": [], "source_name": "MISPGALAXY:TAG-56", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1", "created_at": "2023-03-04T02:01:54.091301Z", "updated_at": "2026-04-10T02:00:03.356317Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "UNC788", "CALANQUE" ], "source_name": "MISPGALAXY:APT42", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8", "created_at": "2025-04-23T02:00:55.275208Z", "updated_at": "2026-04-10T02:00:05.270553Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "APT42" ], "source_name": "MITRE:APT42", "tools": [ "NICECURL", "TAMECAT" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434123, "ts_updated_at": 1775791942, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2370b58fa95746d9a7a8356cdba0693b05230bca.pdf", "text": "https://archive.orkl.eu/2370b58fa95746d9a7a8356cdba0693b05230bca.txt", "img": "https://archive.orkl.eu/2370b58fa95746d9a7a8356cdba0693b05230bca.jpg" } }