{
	"id": "2de92602-b688-4695-9a7a-86740e9c6929",
	"created_at": "2026-04-06T00:06:58.963559Z",
	"updated_at": "2026-04-10T03:32:56.617798Z",
	"deleted_at": null,
	"sha1_hash": "4b506d90e606d4fbfd944b0e3b8b328cfaa5fb7c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46412,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:38:24 UTC\n APT group: Packrat\nNames Packrat (Citizen Lab)\nCountry [Latin America]\nMotivation Information theft and espionage\nFirst seen 2008\nDescription\n(Citizen Lab) This report describes an extensive malware, phishing, and disinformation\ncampaign active in several Latin American countries, including Ecuador, Argentina,\nVenezuela, and Brazil. The nature and geographic spread of the targets seems to point to a\nsponsor, or sponsors, with regional, political interests. The attackers, whom we have named\nPackrat, have shown a keen and systematic interest in the political opposition and the\nindependent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and\ntheir recently allied regimes. These countries are linked by a trade agreement as well as a\ncooperation on a range of non-financial matters.\nAfter observing a wave of attacks in Ecuador in 2015, we linked these attacks to a campaign\nactive in Argentina in 2014. The targeting in Argentina was discovered when the attackers\nattempted to compromise the devices of Alberto Nisman and Jorge Lanata. Building on what\nwe had learned about these two campaigns, we then traced the group’s activities back as far as\n2008.\nThis report brings together many of the pieces of this campaign, from malware and phishing,\nto command and control infrastructure spread across Latin America. It also highlights fake\nonline organizations that Packrat has created in Venezuela and Ecuador. Who is responsible?\nWe assess several scenarios, and consider the most likely to be that Packrat is sponsored by a\nstate actor or actors, given their apparent lack of concern about discovery, their targets, and\ntheir persistence. However, we do not conclusively attribute Packrat to a particular sponsor.\nObserved\nSectors: Government, Media and high profile political figures, journalists, and others.\nCountries: Argentina, Brazil, Ecuador, Venezuela.\nTools used Adwind, Adzok, CyberGate RAT, XtremeRAT.\nInformation https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3d252950-6264-40dc-b9e7-2214eab11dc6\nPage 1 of 2\n\nLast change to this card: 24 April 2021\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3d252950-6264-40dc-b9e7-2214eab11dc6\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3d252950-6264-40dc-b9e7-2214eab11dc6\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3d252950-6264-40dc-b9e7-2214eab11dc6"
	],
	"report_names": [
		"showcard.cgi?u=3d252950-6264-40dc-b9e7-2214eab11dc6"
	],
	"threat_actors": [
		{
			"id": "d001e298-8608-4ee6-96c7-e5afb62d718d",
			"created_at": "2022-10-25T16:07:24.035765Z",
			"updated_at": "2026-04-10T02:00:04.847015Z",
			"deleted_at": null,
			"main_name": "Packrat",
			"aliases": [],
			"source_name": "ETDA:Packrat",
			"tools": [
				"Adwind",
				"Adwind RAT",
				"Adzok",
				"Alien Spy",
				"AlienSpy",
				"CyberGate",
				"CyberGate RAT",
				"ExtRat",
				"Frutas",
				"Invisible Remote Administrator",
				"JBifrost RAT",
				"JSocket",
				"Rebhip",
				"Sockrat",
				"Trojan.Maljava",
				"UnReCoM",
				"Unknown RAT",
				"Unrecom",
				"Xtreme RAT",
				"XtremeRAT",
				"jBiFrost",
				"jConnectPro RAT",
				"jFrutas"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02a7064e-447b-433e-ac14-6f10d476f517",
			"created_at": "2023-01-06T13:46:38.520097Z",
			"updated_at": "2026-04-10T02:00:03.010392Z",
			"deleted_at": null,
			"main_name": "Packrat",
			"aliases": [],
			"source_name": "MISPGALAXY:Packrat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434018,
	"ts_updated_at": 1775791976,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b506d90e606d4fbfd944b0e3b8b328cfaa5fb7c.pdf",
		"text": "https://archive.orkl.eu/4b506d90e606d4fbfd944b0e3b8b328cfaa5fb7c.txt",
		"img": "https://archive.orkl.eu/4b506d90e606d4fbfd944b0e3b8b328cfaa5fb7c.jpg"
	}
}