{
	"id": "088c0fbc-d008-419b-af52-9cea64419c33",
	"created_at": "2026-04-06T00:09:09.527735Z",
	"updated_at": "2026-04-10T13:12:04.191199Z",
	"deleted_at": null,
	"sha1_hash": "4a8312906c88490a4b8ea7ebf1eaae3f7a64c50e",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51770,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:40:07 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MOONSHINE\n Tool: MOONSHINE\nNames MOONSHINE\nCategory Malware\nType Backdoor, Info stealer\nDescription\n(Citizen Lab) MOONSHINE is designed for stealthy rootless operation, by exploiting popular\nlegitimate Android apps with built-in browsers that request sensitive permissions.\nMOONSHINE obtains persistence by overwriting an infrequently used shared library (.so) file\nin one of these apps with itself. When a targeted user opens the legitimate app after\nexploitation, the app loads the shared library into memory, which causes the spyware to\nactivate. While code in subsequent stages of MOONSHINE suggests that it can be deployed\nagainst four apps (Facebook, Facebook Messenger, WeChat, and QQ), the exploit site we\ntested against did not deliver any exploits for WeChat or QQ User-Agent headers.\nInformation\nLast change to this tool card: 27 December 2024\nDownload this tool card in JSON format\nAll groups using tool MOONSHINE\nChanged Name Country Observed\nAPT groups\n Earth Minotaur 2019\n Poison Carp, Evil Eye 2018-Jun 2023\n2 groups listed (2 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2ea4f916-78e7-4c96-b24d-72a28372ea2c\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2ea4f916-78e7-4c96-b24d-72a28372ea2c\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2ea4f916-78e7-4c96-b24d-72a28372ea2c\r\nPage 2 of 2\n\n Earth Minotaur 2019\n Poison Carp, Evil Eye 2018-Jun 2023 \n2 groups listed (2 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2ea4f916-78e7-4c96-b24d-72a28372ea2c"
	],
	"report_names": [
		"listgroups.cgi?u=2ea4f916-78e7-4c96-b24d-72a28372ea2c"
	],
	"threat_actors": [
		{
			"id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea",
			"created_at": "2022-10-25T16:07:23.597455Z",
			"updated_at": "2026-04-10T02:00:04.683154Z",
			"deleted_at": null,
			"main_name": "Evil Eye",
			"aliases": [],
			"source_name": "ETDA:Evil Eye",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dc813ffb-16bd-46f7-9d8f-8e93089f00c1",
			"created_at": "2024-12-28T02:01:54.748213Z",
			"updated_at": "2026-04-10T02:00:04.669444Z",
			"deleted_at": null,
			"main_name": "Earth Minotaur",
			"aliases": [],
			"source_name": "ETDA:Earth Minotaur",
			"tools": [
				"DarkNimbus",
				"MOONSHINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434149,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a8312906c88490a4b8ea7ebf1eaae3f7a64c50e.pdf",
		"text": "https://archive.orkl.eu/4a8312906c88490a4b8ea7ebf1eaae3f7a64c50e.txt",
		"img": "https://archive.orkl.eu/4a8312906c88490a4b8ea7ebf1eaae3f7a64c50e.jpg"
	}
}