{
	"id": "b3d1489e-1d9d-401b-8492-26d61ca68b1d",
	"created_at": "2026-04-06T00:11:00.096026Z",
	"updated_at": "2026-04-10T13:12:00.058105Z",
	"deleted_at": null,
	"sha1_hash": "4dd297921262127f4fe92afe88bfd03405e316a7",
	"title": "Retefe (Android) - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52562,
	"plain_text": "Retefe (Android) - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:13:15 UTC\nTool: Retefe (Android)\nNames: Retefe (Android)\nCategory: Malware\nType: Banking trojan, Backdoor, Info stealer, Credential stealer, Botnet\nDescription\n(GovCERT.ch) Recently, some anti-virus companies and newspapers reported that Retefe is distributing the Signal App (a secure messenger). Rumours say that the threat actor may use the Signal App as a communication channel with the victim. This is not the case. As a matter of fact, the Signal App is just a decoy that the Retefe Gang serves to IP addresses that are not geolocated in Switzerland and whose user agent does not correspond to an Android device. If the accessing IP address uses an Android user agent and is geographically located in Switzerland, the APK server will serve an Android trojan that the Retefe gang uses to commit e-banking fraud.\nThe trojan is an SMS stealer which allows the threat actor to steal text messages sent by the bank to the customer for two-factor authentication (2FA) and transaction signing (so-called mobile TAN or mTAN). To have the victim install the Android trojan, the Retefe gang uses social engineering to convince the victim either to enter his mobile phone number, on which he then receives an SMS from the threat actor with a link to the Android APK, or to scan a QR code displayed by the threat actor in the fake e-banking portal, which also leads to the Android APK. But the Android trojan is more than just an SMS stealer. It is also able to send text messages to other victims and uses a sophisticated anti-VM detection technique. Unlike Retefe itself, which doesn\u2019t have any botnet C\u0026C channel, the SMS stealer has one. It uses two hard-coded botnet C\u0026Cs which are usually hosted on compromised websites.\nInformation\nMalpedia, AlienVault OTX. Last change to this tool card: 24 May 2020\nAll groups using tool Retefe (Android)\nColumns: Changed, Name, Country, Observed\nOther groups:\n- Retefe Gang, Operation Emmental (observed 2013)\n1 group listed (0 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=07d8d046-a4f0-434c-b7a4-d971f660b0d4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=07d8d046-a4f0-434c-b7a4-d971f660b0d4"
	],
	"report_names": [
		"listgroups.cgi?u=07d8d046-a4f0-434c-b7a4-d971f660b0d4"
	],
	"threat_actors": [
		{
			"id": "c6722d56-e5e7-4c5c-a5be-b7e01d4281b0",
			"created_at": "2022-10-25T16:07:24.542981Z",
			"updated_at": "2026-04-10T02:00:05.028606Z",
			"deleted_at": null,
			"main_name": "Retefe Gang",
			"aliases": [
				"Operation Emmental",
				"Retefe Gang"
			],
			"source_name": "ETDA:Retefe Gang",
			"tools": [
				"Dok",
				"Illi",
				"Retefe",
				"Retefe (Android)",
				"Tina",
				"Tinba",
				"Tiny Banker",
				"TinyBanker",
				"Tsukuba",
				"Werdlod",
				"Zusy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a8fba3fa-62bf-4fdb-92bb-29aa6375b92d",
			"created_at": "2024-02-08T02:00:04.329621Z",
			"updated_at": "2026-04-10T02:00:03.585503Z",
			"deleted_at": null,
			"main_name": "Operation Emmental",
			"aliases": [
				"Retefe Gang",
				"Retefe Group"
			],
			"source_name": "MISPGALAXY:Operation Emmental",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434260,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4dd297921262127f4fe92afe88bfd03405e316a7.pdf",
		"text": "https://archive.orkl.eu/4dd297921262127f4fe92afe88bfd03405e316a7.txt",
		"img": "https://archive.orkl.eu/4dd297921262127f4fe92afe88bfd03405e316a7.jpg"
	}
}