{
	"id": "55f8c961-83da-4540-8b69-d9fc864d8811",
	"created_at": "2026-04-06T00:08:20.245858Z",
	"updated_at": "2026-04-10T03:26:47.914371Z",
	"deleted_at": null,
	"sha1_hash": "3a6c795dd9867d959c7c8ff878fea9edc59d2ef8",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49813,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:49:10 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool AndoServer\r\n Tool: AndoServer\r\nNames AndoServer\r\nCategory Malware\r\nType Backdoor, Reconnaissance, Info stealer, Exfiltration\r\nDescription (Lookout) Some AndoServer samples are purely surveillanceware that do not even pretend to\r\nbe anything else, while others, like this sample here, contain legitimate applications inside the\r\nmalware, with the benign APK hidden in the res/raw folder.\r\nAndoServer samples receive commands, and are capable of:\r\n• Taking a screenshot\r\n• Getting battery levels and if the device is plugged in\r\n• Reporting location (latitude and longitude)\r\n• Getting a list of installed applications\r\n• Launching an application specified by the malicious actor\r\n• Checking the number of cameras on a device\r\n• Choosing a specific camera to access\r\n• Creating a specific pop-up message (toast)\r\n• Recording audio\r\n• Creating a file on external storage\r\n• Exfiltrating call logs\r\n• Listing files contained in a specified directory\r\n• Calling a phone number\r\n• Exfiltrating SMS messages\r\n• Sending SMS to a phone number\r\n• Exfiltrating the contact list\r\n• Playing a ringtone and then sleeping\r\nAndoServer malware has its C2 domain or IP address hard coded into the source code. Each\r\nsample also has its own unique identifier string at the start of its communication with C2\r\nservers, that appears to be for the actor to monitor which application in their arsenal is\r\nresponsible for the compromise, as they can see the unique application installed by the specific\r\nvictim. While not always the case, some unique identifiers are similar to the name of the C2\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=07eb732e-d8d4-45a1-8727-f5ef8f8f3ef6\r\nPage 1 of 2\n\ndomain, while other times they refer to the title of the application, highlighting another level of\r\ncustomization of this malware.\r\nInformation \u003chttps://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool AndoServer\r\nChanged Name Country Observed\r\nAPT groups\r\n  Syrian Electronic Army (SEA), Deadeye Jackal 2011-Aug 2021\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=07eb732e-d8d4-45a1-8727-f5ef8f8f3ef6\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=07eb732e-d8d4-45a1-8727-f5ef8f8f3ef6\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=07eb732e-d8d4-45a1-8727-f5ef8f8f3ef6"
	],
	"report_names": [
		"listgroups.cgi?u=07eb732e-d8d4-45a1-8727-f5ef8f8f3ef6"
	],
	"threat_actors": [
		{
			"id": "2f498e6b-3f0e-4f26-8cc7-52121e675643",
			"created_at": "2023-01-06T13:46:38.447274Z",
			"updated_at": "2026-04-10T02:00:02.978901Z",
			"deleted_at": null,
			"main_name": "Deadeye Jackal",
			"aliases": [
				"SyrianElectronicArmy"
			],
			"source_name": "MISPGALAXY:Deadeye Jackal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "76fc6d92-0710-4640-bfa7-3000fe3940a5",
			"created_at": "2022-10-25T16:07:24.251595Z",
			"updated_at": "2026-04-10T02:00:04.911951Z",
			"deleted_at": null,
			"main_name": "Syrian Electronic Army (SEA)",
			"aliases": [
				"ATK 196",
				"Deadeye Jackal",
				"Syria Malware Team",
				"Syrian Electronic Army",
				"TAG-CT2"
			],
			"source_name": "ETDA:Syrian Electronic Army (SEA)",
			"tools": [
				"AndoServer",
				"CypherRat",
				"SLRat",
				"SandroRAT",
				"SilverHawk",
				"SpyNote",
				"SpyNote RAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434100,
	"ts_updated_at": 1775791607,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a6c795dd9867d959c7c8ff878fea9edc59d2ef8.pdf",
		"text": "https://archive.orkl.eu/3a6c795dd9867d959c7c8ff878fea9edc59d2ef8.txt",
		"img": "https://archive.orkl.eu/3a6c795dd9867d959c7c8ff878fea9edc59d2ef8.jpg"
	}
}