{
	"id": "356347e3-9d8d-486b-86cf-71388f02d38a",
	"created_at": "2026-04-06T01:31:53.315234Z",
	"updated_at": "2026-04-10T03:30:01.746728Z",
	"deleted_at": null,
	"sha1_hash": "36cc15c41ec7bbeac0b1eca6d4c54b5e01d3d15b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66886,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:30:45 UTC\r\n APT group: TeamSpy Crew\r\nNames\r\nTeamSpy Crew (Kaspersky)\r\nSIG39 (NSA)\r\nIron Lyric (SecureWorks)\r\nTeam Bear (CrowdStrike)\r\nAnger Bear (CrowdStrike)\r\nCountry Russia\r\nMotivation Information theft and espionage\r\nFirst seen 2010\r\nDescription\r\n(Kaspersky) Researchers have uncovered a long-term cyber-espionage campaign\r\nthat used a combination of legitimate software packages and commodity malware\r\ntools to target a variety of heavy industry, government intelligence agencies and\r\npolitical activists. Known as the TeamSpy crew because of its affinity for using the\r\nlegitimate TeamViewer application as part of its toolset, the attackers may have been\r\nactive for as long as 10 years, researchers say.\r\nThe attack appears to be a years-long espionage campaign, but experts who have\r\nanalyzed the victim profile, malware components and command-and-control\r\ninfrastructure say that it’s not entirely clear what kind of data the attackers are going\r\nafter. What is clear, though, is that the attackers have been at this for a long time and\r\nthat they have specific people in mind as targets.\r\nResearchers at the CrySyS Lab in Hungary were alerted by the Hungarian National\r\nSecurity Authority to an attack against a high-profile target in the country and began\r\nlooking into the campaign. They quickly discovered that some of the infrastructure\r\nbeing used in the attack had been in use for some time and that the target they were\r\ninvestigating was by no means the only one.\r\nObserved Sectors: Education, Government, Industrial and Electronics and high-profile targets.\r\nCountries: Algeria, Australia, Bangladesh, Belgium, Benin, Bhutan, Brazil,\r\nCameroon, Canada, Central-African Republic, Chad, China, Congo, Costa Rica,\r\nCote d'Ivoire, Croatia, Djibouti, Egypt, France, Gabon, Georgia, Germany, Hungary,\r\nIndia, Indonesia, Iran, Italy, Japan, Kazakhstan, Kenya, Madagascar, Mali,\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3a019998-686b-4a43-81fe-043e79da0948\r\nPage 1 of 2\n\nMauritania, Mongolia, Morocco, Nepal, Netherlands, Norway, Peru, Philippines,\nPortugal, Romania, Russia, Saudi Arabia, Senegal, Slovakia, South Africa, Spain,\nSudan, Sweden, Switzerland, Tanzania, Thailand, Tunisia, Turkey, UK, Ukraine,\nUSA, Vietnam.\nTools used TeamSpy, TeamViewer and JAVA RATs.\nOperations performed Feb 2017\nA new spam campaign emerged over the weekend, carrying the\nTeamSpy data-stealing malware, which can give cybercriminals full\naccess to a compromised computer.\nInformation\nLast change to this card: 01 January 2023\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3a019998-686b-4a43-81fe-043e79da0948\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3a019998-686b-4a43-81fe-043e79da0948\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3a019998-686b-4a43-81fe-043e79da0948"
	],
	"report_names": [
		"showcard.cgi?u=3a019998-686b-4a43-81fe-043e79da0948"
	],
	"threat_actors": [
		{
			"id": "1d8dd2ca-5592-482e-b89d-6a7e1a49f4f6",
			"created_at": "2023-01-06T13:46:38.408359Z",
			"updated_at": "2026-04-10T02:00:02.962242Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"TeamSpy",
				"Team Bear",
				"Anger Bear",
				"IRON LYRIC"
			],
			"source_name": "MISPGALAXY:TeamSpy Crew",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4a2aaa17-e108-4a3f-8b0f-8c6bcba3db49",
			"created_at": "2022-10-25T16:07:24.30783Z",
			"updated_at": "2026-04-10T02:00:04.930235Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"Anger Bear",
				"Iron Lyric",
				"SIG39",
				"Team Bear"
			],
			"source_name": "ETDA:TeamSpy Crew",
			"tools": [
				"SpY-Agent",
				"TVRAT",
				"TVSpy",
				"TeamSpy",
				"TeamViewer",
				"TeamViewerENT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439113,
	"ts_updated_at": 1775791801,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36cc15c41ec7bbeac0b1eca6d4c54b5e01d3d15b.pdf",
		"text": "https://archive.orkl.eu/36cc15c41ec7bbeac0b1eca6d4c54b5e01d3d15b.txt",
		"img": "https://archive.orkl.eu/36cc15c41ec7bbeac0b1eca6d4c54b5e01d3d15b.jpg"
	}
}