{ "id": "8cb8871d-08c0-43ed-a025-3627945b0836", "created_at": "2026-04-06T00:06:55.924514Z", "updated_at": "2026-04-10T13:12:01.799728Z", "deleted_at": null, "sha1_hash": "54a5ed5ca219e6c89f69e3ff1a15db109836ad66", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53575, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:48:57 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool CarbonSteal\n Tool: CarbonSteal\nNames CarbonSteal\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\nDescription\n(Lookout) CarbonSteal is Android surveillanceware that has been tracked by Lookout\nsince 2017, and more than 500 samples have been seen to date. While not as\nsophisticated as HenBox, certain samples of CarbonSteal do make use of a combination\nof native libraries and DEX classes, while others do not and are much simpler.\nHallmarks of CarbonSteal include extensive audio recording functionality in a variety of\ncodecs and audio formats, as well as the capability in later samples to control an infected\ndevice through specially crafted SMS messages. Attackers can also perform audio\nsurveillance through the malware’s ability to silently answer a call from a specific phone\nnumber and allow the attacker to listen in to sounds around an infected device. Based on\nthis functionality, we suspect that CarbonSteal might be deployed in areas with\ninsufficient or no mobile data coverage.\nSamples of CarbonSteal and HenBox also use the same non-compromised signing\ncertificates in many cases, suggesting the actor behind their deployment is the same.\nFurthermore, overlapping validity dates of these certificates may indicate that the\nsamples were produced around the same time frame. This evidence led Lookout\nresearchers to the theory that these tools were primarily used in an ongoing malware\ncampaign (at the time) and against similar targets, with titles and languages once again\nsuggesting a Uyghur focused interest.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b0732e1a-4e75-4e04-9115-2e8c7fbd19c9\nPage 1 of 2\n\nLast change to this tool card: 30 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool CarbonSteal\r\nChanged Name Country Observed\r\nAPT groups\r\n  Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon 2010-Oct 2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b0732e1a-4e75-4e04-9115-2e8c7fbd19c9\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b0732e1a-4e75-4e04-9115-2e8c7fbd19c9\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b0732e1a-4e75-4e04-9115-2e8c7fbd19c9" ], "report_names": [ "listgroups.cgi?u=b0732e1a-4e75-4e04-9115-2e8c7fbd19c9" ], "threat_actors": [ { "id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e", "created_at": "2022-10-25T15:50:23.453824Z", "updated_at": "2026-04-10T02:00:05.28793Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "Ke3chang", "APT15", "Vixen Panda", "GREF", "Playful Dragon", "RoyalAPT", "Nylon Typhoon" ], "source_name": "MITRE:Ke3chang", "tools": [ "Okrum", "Systeminfo", "netstat", "spwebmember", "Mimikatz", "Tasklist", "MirageFox", "Neoichor", "ipconfig" ], "source_id": "MITRE", "reports": null }, { "id": "926dcfeb-19dd-4786-b601-3c0c4c477b43", "created_at": "2023-01-06T13:46:38.787762Z", "updated_at": "2026-04-10T02:00:03.10053Z", "deleted_at": null, "main_name": "HenBox", "aliases": [], "source_name": "MISPGALAXY:HenBox", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "adfbe698-24b2-41fc-a701-781fef330b16", "created_at": "2024-01-09T02:00:04.17648Z", "updated_at": "2026-04-10T02:00:03.504826Z", "deleted_at": null, "main_name": "GREF", "aliases": [], "source_name": "MISPGALAXY:GREF", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "7d5531e2-0ad1-4237-beed-af009035576f", "created_at": "2024-05-01T02:03:07.977868Z", "updated_at": "2026-04-10T02:00:03.817883Z", "deleted_at": null, "main_name": "BRONZE PALACE", "aliases": [ "APT15 ", "BRONZE DAVENPORT ", "BRONZE IDLEWOOD ", "CTG-6119 ", "CTG-6119 ", "CTG-9246 ", "Ke3chang ", "NICKEL ", "Nylon Typhoon ", "Playful Dragon", "Vixen Panda " ], "source_name": "Secureworks:BRONZE PALACE", "tools": [ "BMW", "BS2005", "Enfal", "Mirage", "RoyalCLI", "RoyalDNS" ], "source_id": "Secureworks", "reports": null }, { "id": "7c8cf02c-623a-4793-918b-f908675a1aef", "created_at": "2023-01-06T13:46:38.309165Z", "updated_at": "2026-04-10T02:00:02.921721Z", "deleted_at": null, "main_name": "APT15", "aliases": [ "Metushy", "Lurid", "Social Network Team", "Royal APT", "BRONZE DAVENPORT", "BRONZE IDLEWOOD", "VIXEN PANDA", "Ke3Chang", "Playful Dragon", "BRONZE PALACE", "G0004", "Red Vulture", "Nylon Typhoon" ], "source_name": "MISPGALAXY:APT15", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c", "created_at": "2022-10-25T16:07:23.750796Z", "updated_at": "2026-04-10T02:00:04.736762Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "APT 15", "BackdoorDiplomacy", "Bronze Davenport", "Bronze Idlewood", "Bronze Palace", "CTG-9246", "G0004", "G0135", "GREF", "Ke3chang", "Metushy", "Nylon Typhoon", "Operation Ke3chang", "Operation MirageFox", "Playful Dragon", "Playful Taurus", "PurpleHaze", "Red Vulture", "Royal APT", "Social Network Team", "Vixen Panda" ], "source_name": "ETDA:Ke3chang", "tools": [ "Agentemis", "Anserin", "BS2005", "BleDoor", "CarbonSteal", "Cobalt Strike", "CobaltStrike", "DarthPusher", "DoubleAgent", "EternalBlue", "GoldenEagle", "Graphican", "HenBox", "HighNoon", "IRAFAU", "Ketrican", "Ketrum", "LOLBAS", "LOLBins", "Living off the Land", "MS Exchange Tool", "Mebroot", "Mimikatz", "MirageFox", "NBTscan", "Okrum", "PluginPhantom", "PortQry", "ProcDump", "PsList", "Quarian", "RbDoor", "RibDoor", "Royal DNS", "RoyalCli", "RoyalDNS", "SAMRID", "SMBTouch", "SilkBean", "Sinowal", "SpyWaller", "Theola", "TidePool", "Torpig", "Turian", "Winnti", "XSLCmd", "cobeacon", "nbtscan", "netcat", "spwebmember" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434015, "ts_updated_at": 1775826721, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/54a5ed5ca219e6c89f69e3ff1a15db109836ad66.pdf", "text": "https://archive.orkl.eu/54a5ed5ca219e6c89f69e3ff1a15db109836ad66.txt", "img": "https://archive.orkl.eu/54a5ed5ca219e6c89f69e3ff1a15db109836ad66.jpg" } }