{
	"id": "8ac4157d-b344-40c9-b46d-624a8c4e66bc",
	"created_at": "2026-04-06T00:16:34.627289Z",
	"updated_at": "2026-04-10T13:11:36.005097Z",
	"deleted_at": null,
	"sha1_hash": "34467f60fe2c20c7400d8eb8366f13c57f80886b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53033,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:55:06 UTC\n Tool: callCam\nNames callCam\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\nDescription\n(Trend Micro) The apps Camero and FileCrypt Manger act as droppers. After downloading the\nextra DEX file from the C\u0026C server, the second-layer droppers invoke extra code to\ndownload, install, and launch the callCam app on the device.\nThe app callCam hides its icon on the device after being launched. It collects the following\ninformation and sends it back to the C\u0026C server in the background:\n• Location\n• Battery status\n• Files on device\n• Installed app list\n• Device information\n• Sensor information\n• Camera information\n• Screenshot\n• Account\n• Wifi information\n• Data of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome\nThe app encrypts all stolen data using RSA and AES encryption algorithms. It uses SHA256 to\nverify data integrity and customize the encoding routine. When encrypting, it creates a block\nof data we named headData. This block contains the first 9 bytes of origin data, origin data\nlength, random AES IV, the RSA-encrypted AES encrypt key, and the SHA256 value of AES-encrypted origin data. Then the headData is encoded through the customized routine. 
After the\nencoding, it is stored in the head of the final encrypted file followed by the data of the AES-encrypted original data.\nInformation\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c5e4e318-c0f6-4b6e-b74b-935daae939ee\n\nLast change to this tool card: 29 April 2020\nAll groups using tool callCam\nChanged Name Country Observed\nAPT groups\n  SideWinder, Rattlesnake 2012-2024  \n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c5e4e318-c0f6-4b6e-b74b-935daae939ee",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c5e4e318-c0f6-4b6e-b74b-935daae939ee"
	],
	"report_names": [
		"listgroups.cgi?u=c5e4e318-c0f6-4b6e-b74b-935daae939ee"
	],
	"threat_actors": [
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434594,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34467f60fe2c20c7400d8eb8366f13c57f80886b.pdf",
		"text": "https://archive.orkl.eu/34467f60fe2c20c7400d8eb8366f13c57f80886b.txt",
		"img": "https://archive.orkl.eu/34467f60fe2c20c7400d8eb8366f13c57f80886b.jpg"
	}
}