{
	"id": "a998d606-e10d-4241-b07a-f50ed41b94ec",
	"created_at": "2026-04-06T00:09:37.6416Z",
	"updated_at": "2026-04-10T03:21:54.040068Z",
	"deleted_at": null,
	"sha1_hash": "57d187990f74b540ef7e5d7ddffacd24558604db",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53079,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:31:29 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SharkBot\n Tool: SharkBot\nNames SharkBot\nCategory Malware\nType Banking trojan, Info stealer, Credential stealer\nDescription\n(Cleafy) At the end of October 2021, a new Android banking trojan appeared on Cleafy's\ntelemetries. Since the lack of information and the absence of a proper nomenclature of\nthis malware family, we decided to dub it SharkBot to better track this family inside our\ninternal Threat Intelligence taxonomy.\nSharkBot belongs to a “new” generation of mobile malware, as it is able to perform ATS\nattacks inside the infected device. This technique has been already seen recently from\nother banking trojans, such as Gustuff. ATS (Automatic Transfer System) is an advanced\nattack technique (fairly new on Android) which enables attackers to auto-fill fields in\nlegitimate mobile banking apps and initiate money transfers from the compromised\ndevices. Contrary to TeaBot and Oscorp/UBEL where a live operator is required to\ninsert and authorize a money transfer, with ATS technique Threat Actors can scale up\ntheir operations with minimum user intervention. We assume that SharkBot is trying to\nbypass behavioural detection countermeasures (e.g.,biometrics) put in place by multiple\nbanks and financial services with the abuse of Android Accessibility Services, also\nbypassing the need of a “new device enrollment”.\nInformation\nMITRE ATT\u0026CK Malpedia https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fba647ac-53a5-4801-828c-6f6cc549bc09\nPage 1 of 2\n\nLast change to this tool card: 22 June 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool SharkBot\r\nChanged Name Country Observed\r\nUnknown groups\r\n  _[ Interesting malware not linked to an actor yet ]_  \r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fba647ac-53a5-4801-828c-6f6cc549bc09\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fba647ac-53a5-4801-828c-6f6cc549bc09\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fba647ac-53a5-4801-828c-6f6cc549bc09"
	],
	"report_names": [
		"listgroups.cgi?u=fba647ac-53a5-4801-828c-6f6cc549bc09"
	],
	"threat_actors": [],
	"ts_created_at": 1775434177,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/57d187990f74b540ef7e5d7ddffacd24558604db.pdf",
		"text": "https://archive.orkl.eu/57d187990f74b540ef7e5d7ddffacd24558604db.txt",
		"img": "https://archive.orkl.eu/57d187990f74b540ef7e5d7ddffacd24558604db.jpg"
	}
}