{
	"id": "c21265cb-0d19-47ef-8ad0-32e76d411067",
	"created_at": "2026-04-06T00:17:26.771687Z",
	"updated_at": "2026-04-10T03:32:04.9505Z",
	"deleted_at": null,
	"sha1_hash": "2cee7cf621b5c9688651d874049ab852045bc8b9",
	"title": "Barb(ie) Downloader - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45999,
	"plain_text": "Barb(ie) Downloader - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 17:01:47 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Barb(ie) Downloader\r\n Tool: Barb(ie) Downloader\r\nNames Barb(ie) Downloader\r\nCategory Malware\r\nType Downloader\r\nDescription\r\n(Cybereason) Barb(ie) is a downloader component used by APT-C-23 to install the BarbWire\r\nbackdoor. As mentioned above, in the infection phase the downloader is delivered alongside a\r\nvideo in a .rar file. The video is meant to distract the victim from the infection process that is\r\nhappening in the background.\r\nInformation\r\n\u003chttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.barbie\u003e\r\nLast change to this tool card: 27 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool Barb(ie) Downloader\r\nChanged Name Country Observed\r\nAPT groups\r\n  Desert Falcons [Gaza] 2011-Oct 2023\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e92bd30-3e78-43a3-9cb3-74f987bc3ef0\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e92bd30-3e78-43a3-9cb3-74f987bc3ef0\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e92bd30-3e78-43a3-9cb3-74f987bc3ef0"
	],
	"report_names": [
		"listgroups.cgi?u=2e92bd30-3e78-43a3-9cb3-74f987bc3ef0"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775791924,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2cee7cf621b5c9688651d874049ab852045bc8b9.pdf",
		"text": "https://archive.orkl.eu/2cee7cf621b5c9688651d874049ab852045bc8b9.txt",
		"img": "https://archive.orkl.eu/2cee7cf621b5c9688651d874049ab852045bc8b9.jpg"
	}
}