{
	"id": "5d530482-50c8-49fd-be5a-12ea840fbb52",
	"created_at": "2026-04-06T00:21:30.757232Z",
	"updated_at": "2026-04-10T03:34:25.909728Z",
	"deleted_at": null,
	"sha1_hash": "23fa47f87c54d0eb5cf14988ea80e46d7abb6627",
	"title": "Libyan Scorpions - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46493,
	"plain_text": "Libyan Scorpions - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 14:18:09 UTC\r\nAPT group: Libyan Scorpions\r\nNames: Libyan Scorpions (Cyberkov)\r\nCountry: Libya\r\nMotivation: Information theft and espionage\r\nFirst seen: 2015\r\nDescription\r\n(Cyberkov) In the past weeks on 6 August 2016, Cyberkov Security Incident Response Team\r\n(CSIRT) received numerous Android malwares operating in different areas in Libya,\r\nespecially in Tripoli and Benghazi.\r\nThe malware spreads very fast using the Telegram messenger application in smartphones,\r\ntargeting high-profile Libyan influential and political figures.\r\nThe malware's first discovery was after a highly influential Libyan Telegram account\r\nwas compromised via webTelegram using an IP address from Spain.\r\nAnalysis of this incident led us to believe that this operation and the group behind it, which we\r\ncall Libyan Scorpions, is a malware operation in use since September 2015 and operated by a\r\npolitically motivated group whose main objective is intelligence gathering, spying on\r\ninfluentials and political figures and operating an espionage campaign within Libya.\r\nAlso, the analysis of the incident led to the discovery of multiple malwares targeting Android\r\nand Windows machines.\r\nLibyan Scorpions threat actors used a set of methods to hide and operate their malwares. They\r\nappear not to have highly technical skills but good social engineering and phishing tricks.\r\nThe threat actors are not particularly sophisticated, but it is well-understood that such attacks\r\ndon’t need to be sophisticated in order to be effective.\r\nObserved\r\nSectors: Influencers and political figures.\r\nCountries: Libya.\r\nTools used: Voice Massege.apk, Benghazi.exe.\r\nInformation: \u003chttps://cyberkov.com/wp-content/uploads/2016/09/Hunting-Libyan-Scorpions-EN.pdf\u003e\r\nLast change to this card: 14 April 2020\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8eeb8aa6-2d2b-4476-8b5d-21633fe03ec1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8eeb8aa6-2d2b-4476-8b5d-21633fe03ec1"
	],
	"report_names": [
		"showcard.cgi?u=8eeb8aa6-2d2b-4476-8b5d-21633fe03ec1"
	],
	"threat_actors": [
		{
			"id": "491e2ee0-c63e-4728-96b4-d06391d52736",
			"created_at": "2023-01-06T13:46:38.489158Z",
			"updated_at": "2026-04-10T02:00:02.995219Z",
			"deleted_at": null,
			"main_name": "Libyan Scorpions",
			"aliases": [],
			"source_name": "MISPGALAXY:Libyan Scorpions",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a829ffdf-fc14-4535-9fd0-86420b37c5c9",
			"created_at": "2022-10-25T16:07:23.79119Z",
			"updated_at": "2026-04-10T02:00:04.750873Z",
			"deleted_at": null,
			"main_name": "Libyan Scorpions",
			"aliases": [],
			"source_name": "ETDA:Libyan Scorpions",
			"tools": [
				"Benghazi.exe",
				"Voice Massege.apk"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434890,
	"ts_updated_at": 1775792065,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23fa47f87c54d0eb5cf14988ea80e46d7abb6627.pdf",
		"text": "https://archive.orkl.eu/23fa47f87c54d0eb5cf14988ea80e46d7abb6627.txt",
		"img": "https://archive.orkl.eu/23fa47f87c54d0eb5cf14988ea80e46d7abb6627.jpg"
	}
}