{
	"id": "80469bf4-b3eb-4884-b823-fabb2035c260",
	"created_at": "2026-04-06T00:07:56.133842Z",
	"updated_at": "2026-04-10T03:28:34.735023Z",
	"deleted_at": null,
	"sha1_hash": "2c673bedbb59c4bf4e0933ef53b27d5aec81aaea",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45034,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:51:28 UTC\n APT group: SandCat\nNames SandCat (Kaspersky)\nCountry Uzbekistan\nSponsor State-sponsored, Military Unit 02616\nMotivation Information theft and espionage\nFirst seen 2018\nDescription\n(Kaspersky) SandCat is a relatively new APT group; we first observed them in 2018, although\nit would appear they have been around for some time,” Costin Raiu, director of global research\nand analysis team at Kaspersky Lab, told Threatpost. “They use both FinFisher/FinSpy\n[spyware] and the CHAINSHOT framework in attacks, coupled with various zero-days.\nTargets of SandCat have been mostly observed in Middle East, including but not limited to\nSaudi Arabia.\nObserved Countries: Saudi Arabia and Middle East.\nTools used FinFisher, CHAINSHOT and several 0-days.\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ff99d24e-706d-4f15-99f3-a30c0be47cbe\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ff99d24e-706d-4f15-99f3-a30c0be47cbe\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ff99d24e-706d-4f15-99f3-a30c0be47cbe"
	],
	"report_names": [
		"showcard.cgi?u=ff99d24e-706d-4f15-99f3-a30c0be47cbe"
	],
	"threat_actors": [
		{
			"id": "80cf66b8-27d2-4e87-b0d1-5bacacd9bb3d",
			"created_at": "2023-01-06T13:46:38.931567Z",
			"updated_at": "2026-04-10T02:00:03.149736Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "MISPGALAXY:SandCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67ac502c-8cf8-46cb-98e8-c249e0f0298d",
			"created_at": "2022-10-25T16:07:24.149987Z",
			"updated_at": "2026-04-10T02:00:04.882099Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "ETDA:SandCat",
			"tools": [
				"CHAINSHOT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434076,
	"ts_updated_at": 1775791714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c673bedbb59c4bf4e0933ef53b27d5aec81aaea.pdf",
		"text": "https://archive.orkl.eu/2c673bedbb59c4bf4e0933ef53b27d5aec81aaea.txt",
		"img": "https://archive.orkl.eu/2c673bedbb59c4bf4e0933ef53b27d5aec81aaea.jpg"
	}
}