{ "id": "8e07078f-4942-46e8-b789-fbd62703b849", "created_at": "2026-04-06T00:11:18.458204Z", "updated_at": "2026-04-10T03:26:47.893646Z", "deleted_at": null, "sha1_hash": "49e82bf48503a93d92c75e98d878fbbb753ddb67", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50468, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:05:28 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SandroRAT\n Tool: SandroRAT\nNames SandroRAT\nCategory Malware\nType Backdoor, Info stealer, Exfiltration\nDescription\n(McAfee) Just as any other Android RAT (such as AndroRAT), the malware can remotely\nexecute several commands to perform any of the following actions:\n• Steal sensitive personal information such as contact list, SMS messages (inbox, outbox,\nand sent), call logs (incoming, outgoing, and missed calls), browser history (title, link,\ndate), bookmarks and GPS location (latitude and longitude).\n• Intercept incoming calls and record those in a WAV file on the SD card to later leak the\nfile.\n• Update itself (or install additional malware) by downloading and prompting the user to\ninstall the file update.apk.\n• Intercept, block, and steal incoming SMS messages.\n• Send MMS messages with parameters (phone number and text) provided by the control\nserver.\n• Insert and delete SMS messages and contacts.\n• Record surrounding sound and store it in an adaptive multi-rate file on the SD card to\nlater send to a remote server.\n• Open the dialer with a number provided by the attacker or execute USSD codes.\n• Display Toast (pop-up) messages on the infected device.\nA novel functionality of this threat is its ability to access the encrypted Whatsapp chats\n(available in the path /WhatsApp/Databases/msgstore.db.crypt5 on the SD card) and\nobtain the unique encryption key using the Google email account of the device to get the\nchats in plain text and store them in the file waddb.sr\nInformation\nAlienVault OTX https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=08636d6f-1a0d-46ee-bc95-1586b9995db3\nPage 1 of 2\n\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool SandroRAT\r\nChanged Name Country Observed\r\nAPT groups\r\n  Syrian Electronic Army (SEA), Deadeye Jackal 2011-Aug 2021\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=08636d6f-1a0d-46ee-bc95-1586b9995db3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=08636d6f-1a0d-46ee-bc95-1586b9995db3\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=08636d6f-1a0d-46ee-bc95-1586b9995db3" ], "report_names": [ "listgroups.cgi?u=08636d6f-1a0d-46ee-bc95-1586b9995db3" ], "threat_actors": [ { "id": "2f498e6b-3f0e-4f26-8cc7-52121e675643", "created_at": "2023-01-06T13:46:38.447274Z", "updated_at": "2026-04-10T02:00:02.978901Z", "deleted_at": null, "main_name": "Deadeye Jackal", "aliases": [ "SyrianElectronicArmy" ], "source_name": "MISPGALAXY:Deadeye Jackal", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "76fc6d92-0710-4640-bfa7-3000fe3940a5", "created_at": "2022-10-25T16:07:24.251595Z", "updated_at": "2026-04-10T02:00:04.911951Z", "deleted_at": null, "main_name": "Syrian Electronic Army (SEA)", "aliases": [ "ATK 196", "Deadeye Jackal", "Syria Malware Team", "Syrian Electronic Army", "TAG-CT2" ], "source_name": "ETDA:Syrian Electronic Army (SEA)", "tools": [ "AndoServer", "CypherRat", "SLRat", "SandroRAT", "SilverHawk", "SpyNote", "SpyNote RAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434278, "ts_updated_at": 1775791607, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/49e82bf48503a93d92c75e98d878fbbb753ddb67.pdf", "text": "https://archive.orkl.eu/49e82bf48503a93d92c75e98d878fbbb753ddb67.txt", "img": "https://archive.orkl.eu/49e82bf48503a93d92c75e98d878fbbb753ddb67.jpg" } }