{ "id": "7302dfd3-e0cb-4540-8706-85169c2e7970", "created_at": "2026-04-06T00:18:34.887651Z", "updated_at": "2026-04-10T03:32:04.962005Z", "deleted_at": null, "sha1_hash": "34a3d644fd3eece803f9cd5d8ff1f0bd3ebe8dc7", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47338, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:09:26 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool AridSpy\n Tool: AridSpy\nNames AridSpy\nCategory Malware\nType Backdoor\nDescription\n(ESET) ESET Research discovered three-stage Android malware, which we named AridSpy,\nbeing distributed via five dedicated websites. AridSpy’s code is in some cases bundled into\napplications that provide legitimate functionality. While the first stage of AridSpy has been\ndocumented previously, here we also provide a full analysis of its previously unknown later\nstages. AridSpy is a remotely controlled trojan that focuses on user data espionage. We\ndetected six occurrences of AridSpy, in Palestine and Egypt. We attribute AridSpy with\nmedium confidence to the Arid Viper APT group.\nInformation\nLast change to this tool card: 19 June 2024\nDownload this tool card in JSON format\nAll groups using tool AridSpy\nChanged Name Country Observed\nAPT groups\n Desert Falcons [Gaza] 2011-Oct 2023\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=45b4cf25-3d0c-4a30-982a-00daa6fc4c3d\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=45b4cf25-3d0c-4a30-982a-00daa6fc4c3d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=45b4cf25-3d0c-4a30-982a-00daa6fc4c3d\r\nPage 2 of 2\n\nAPT groups Desert Falcons [Gaza] 2011-Oct 2023\n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=45b4cf25-3d0c-4a30-982a-00daa6fc4c3d" ], "report_names": [ "listgroups.cgi?u=45b4cf25-3d0c-4a30-982a-00daa6fc4c3d" ], "threat_actors": [ { "id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d", "created_at": "2022-10-25T16:07:23.539852Z", "updated_at": "2026-04-10T02:00:04.647734Z", "deleted_at": null, "main_name": "Desert Falcons", "aliases": [ "APT-C-23", "ATK 66", "Arid Viper", "Niobium", "Operation Arid Viper", "Operation Bearded Barbie", "Operation Rebound", "Pinstripe Lightning", "Renegade Jackal", "TAG-63", "TAG-CT1", "Two-tailed Scorpion" ], "source_name": "ETDA:Desert Falcons", "tools": [ "AridSpy", "Barb(ie) Downloader", "BarbWire", "Desert Scorpion", "FrozenCell", "GlanceLove", "GnatSpy", "KasperAgent", "Micropsia", "PyMICROPSIA", "SpyC23", "Viper RAT", "ViperRAT", "VolatileVenom", "WinkChat", "android.micropsia" ], "source_id": "ETDA", "reports": null }, { "id": "b1979c55-037a-415f-b0a3-cab7933f5cd4", "created_at": "2024-04-24T02:00:49.561432Z", "updated_at": "2026-04-10T02:00:05.416794Z", "deleted_at": null, "main_name": "APT-C-23", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "TAG-63", "Grey Karkadann", "Big Bang APT", "Two-tailed Scorpion" ], "source_name": "MITRE:APT-C-23", "tools": [ "Micropsia" ], "source_id": "MITRE", "reports": null }, { "id": "929d794b-0e1d-4d10-93a6-29408a527cc2", "created_at": "2023-01-06T13:46:38.70844Z", "updated_at": "2026-04-10T02:00:03.075002Z", "deleted_at": null, "main_name": "AridViper", "aliases": [ "Desert Falcon", "Arid Viper", "APT-C-23", "Bearded Barbie", "Two-tailed Scorpion" ], "source_name": "MISPGALAXY:AridViper", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "35b3e533-7483-4f07-894e-2bb3ac855207", "created_at": "2025-08-07T02:03:24.540035Z", "updated_at": "2026-04-10T02:00:03.69627Z", "deleted_at": null, "main_name": "ALUMINUM SHADYSIDE", "aliases": [ "APT-C-23 ", "Arid Viper ", "Desert Falcon " ], "source_name": "Secureworks:ALUMINUM SHADYSIDE", "tools": [ "Micropsia", "SpyC23" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434714, "ts_updated_at": 1775791924, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/34a3d644fd3eece803f9cd5d8ff1f0bd3ebe8dc7.pdf", "text": "https://archive.orkl.eu/34a3d644fd3eece803f9cd5d8ff1f0bd3ebe8dc7.txt", "img": "https://archive.orkl.eu/34a3d644fd3eece803f9cd5d8ff1f0bd3ebe8dc7.jpg" } }