{
	"id": "46e06afe-db51-4c1a-bb23-251a7b45f4cd",
	"created_at": "2026-04-06T00:14:09.79875Z",
	"updated_at": "2026-04-10T03:29:18.758071Z",
	"deleted_at": null,
	"sha1_hash": "586e2902eaacb86faf421e04ffd9369f6cdb2bb6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58064,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:21:57 UTC\n APT group: Polonium\nNames\nPolonium (Microsoft)\nPlaid Rain (Microsoft)\nIncendiary Jackal (CrowdStrike)\nG1005 (MITRE)\nCountry Lebanon\nMotivation Information theft and espionage\nFirst seen 2022\nDescription\n(Microsoft) MSTIC assesses with high confidence that POLONIUM represents an\noperational group based in Lebanon. We also assess with moderate confidence that\nthe observed activity was coordinated with other actors affiliated with Iran’s\nMinistry of Intelligence and Security (MOIS), based primarily on victim overlap and\ncommonality of tools and techniques. Such collaboration or direction from Tehran\nwould align with a string of revelations since late 2020 that the Government of Iran\nis using third parties to carry out cyber operations on their behalf, likely to enhance\nIran’s plausible deniability.\nPOLONIUM has targeted or compromised more than 20 organizations based in\nIsrael and one intergovernmental organization with operations in Lebanon over the\npast three months. This actor has deployed unique tools that abuse legitimate cloud\nservices for command and control (C2) across most of their victims. 
POLONIUM\nwas observed creating and using legitimate OneDrive accounts, then utilizing those\naccounts as C2 to execute part of their attack operation.\nObserved\nSectors: Engineering, Defense, IT, Manufacturing, Media, Telecommunications.\nCountries: Israel, Lebanon.\nTools used\nCreepyDrive, CreepySnail, DeepCreep, FlipCreep, MegaCreep, PapaCreep,\nTechnoCreep.\nOperations performed Sep 2022 POLONIUM targets Israel with Creepy malware\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=40d95f4c-db45-4311-86a0-328273bf0491",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=40d95f4c-db45-4311-86a0-328273bf0491"
	],
	"report_names": [
		"showcard.cgi?u=40d95f4c-db45-4311-86a0-328273bf0491"
	],
	"threat_actors": [
		{
			"id": "d866a181-c427-43df-9948-a8010a8fdad6",
			"created_at": "2022-10-27T08:27:13.080609Z",
			"updated_at": "2026-04-10T02:00:05.303153Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"POLONIUM",
				"Plaid Rain"
			],
			"source_name": "MITRE:POLONIUM",
			"tools": [
				"CreepyDrive",
				"CreepySnail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6cfeba14-c84e-4606-88b9-c7a7689c450f",
			"created_at": "2022-10-25T16:07:24.06766Z",
			"updated_at": "2026-04-10T02:00:04.857565Z",
			"deleted_at": null,
			"main_name": "Polonium",
			"aliases": [
				"G1005",
				"Incendiary Jackal",
				"Plaid Rain"
			],
			"source_name": "ETDA:Polonium",
			"tools": [
				"CreepyDrive",
				"CreepySnail",
				"DeepCreep",
				"FlipCreep",
				"MegaCreep",
				"PapaCreep",
				"TechnoCreep"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b7823339-891d-4ded-b01d-1f142a88bc64",
			"created_at": "2023-01-06T13:46:39.381591Z",
			"updated_at": "2026-04-10T02:00:03.308737Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"GREATRIFT",
				"INCENDIARY JACKAL",
				"Plaid Rain",
				"UNC4453"
			],
			"source_name": "MISPGALAXY:POLONIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775791758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/586e2902eaacb86faf421e04ffd9369f6cdb2bb6.pdf",
		"text": "https://archive.orkl.eu/586e2902eaacb86faf421e04ffd9369f6cdb2bb6.txt",
		"img": "https://archive.orkl.eu/586e2902eaacb86faf421e04ffd9369f6cdb2bb6.jpg"
	}
}