{ "id": "a54ba528-1bde-45c7-9900-0adff3bd9682", "created_at": "2026-04-06T00:12:30.507885Z", "updated_at": "2026-04-10T13:11:22.265286Z", "deleted_at": null, "sha1_hash": "29983738d54eb398b1385e307643744ab8b7ddd2", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52251, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:56:19 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ActionSpy\n Tool: ActionSpy\nNames\nActionSpy\nAxeSpy\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\nDescription\n(Trend Micro) This malware impersonates a legitimate Uyghur video app called Ekran.\nThe malicious app has the same appearance and features as the original app. It is able to\nachieve this with VirtualApp. In addition, it’s also protected by Bangcle to evade static\nanalysis and detection.\nEvery 30 seconds, ActionSpy will collect basic device information like IMEI, phone\nnumber, manufacturer, battery status, etc., which it sends to the C\u0026C server as a heartbeat\nrequest. The server may return some commands that will be performed on the\ncompromised device. All the communication traffic between C\u0026C and ActionSpy is\nencrypted by RSA and transferred via HTTP.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 28 December 2022\nDownload this tool card in JSON format\nAll groups using tool ActionSpy\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1efe8d0-5fcc-4443-b2aa-cfe89f0ff366\nPage 1 of 2\n\nPoison Carp, Evil Eye 2018-Jun 2023\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1efe8d0-5fcc-4443-b2aa-cfe89f0ff366\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1efe8d0-5fcc-4443-b2aa-cfe89f0ff366\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1efe8d0-5fcc-4443-b2aa-cfe89f0ff366" ], "report_names": [ "listgroups.cgi?u=f1efe8d0-5fcc-4443-b2aa-cfe89f0ff366" ], "threat_actors": [ { "id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea", "created_at": "2022-10-25T16:07:23.597455Z", "updated_at": "2026-04-10T02:00:04.683154Z", "deleted_at": null, "main_name": "Evil Eye", "aliases": [], "source_name": "ETDA:Evil Eye", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe", "created_at": "2023-01-06T13:46:39.056888Z", "updated_at": "2026-04-10T02:00:03.198866Z", "deleted_at": null, "main_name": "POISON CARP", "aliases": [ "Evil Eye", "Red Dev 16", "Earth Empusa" ], "source_name": "MISPGALAXY:POISON CARP", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574", "created_at": "2022-10-25T16:07:24.064197Z", "updated_at": "2026-04-10T02:00:04.856578Z", "deleted_at": null, "main_name": "Poison Carp", "aliases": [ "Earth Empusa", "Evil Eye", "EvilBamboo", "Poison Carp", "Red Dev 16", "Sentinel Taurus" ], "source_name": "ETDA:Poison Carp", "tools": [ "ActionSpy", "AxeSpy", "BADSIGNAL", "BADSOLAR", "BadBazaar", "IRONSQUIRREL", "IceCube", "MOONSHINE", "PoisonCarp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434350, "ts_updated_at": 1775826682, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/29983738d54eb398b1385e307643744ab8b7ddd2.pdf", "text": "https://archive.orkl.eu/29983738d54eb398b1385e307643744ab8b7ddd2.txt", "img": "https://archive.orkl.eu/29983738d54eb398b1385e307643744ab8b7ddd2.jpg" } }