{
	"id": "cb79f54a-a25a-4146-a51a-12f654f6a65a",
	"created_at": "2026-04-06T00:16:32.540707Z",
	"updated_at": "2026-04-10T03:32:35.36889Z",
	"deleted_at": null,
	"sha1_hash": "62f7630e9918e0de80bd5ccc3b49663d9893a03b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53473,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:33:15 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MobileOrder\n Tool: MobileOrder\nNames MobileOrder\nCategory Malware\nType Backdoor, Info stealer, Exfiltration, Downloader\nDescription\n(Palo Alto) The malware uses the AMAP SDK to get the accurate location of infected\ndevices by GPS, mobile network (such as base stations), WiFi and other information.\nMobileOrder acts on instructions provided by its C2 server, which it communicates with\nover TCP port 3728. All C2 communications are encrypted with the AES algorithm\nusing a key generated by computing five MD5 hashes starting with the key\n“1qazxcvbnm”, and adding a salt value of “.)1/” in each iteration.\nThe C2 server will respond to requests from MobileOrder with commands that the\nTrojan refers to as “orders”. MobileOrder contains a command handler with\nfunctionality that provides a fairly robust set of commands, as seen in Table 6. The first\nbyte of data provided by the C2 server is the order number, which is followed by the\nencrypted data that is needed to carry out the specific order.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 22 June 2023\nDownload this tool card in JSON format\nAll groups using tool MobileOrder\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e1aa1dd5-eaa8-4bb6-91be-ba0d350827bc\nPage 1 of 2\n\nAPT groups\r\n  Scarlet Mimic 2015-Aug 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e1aa1dd5-eaa8-4bb6-91be-ba0d350827bc\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e1aa1dd5-eaa8-4bb6-91be-ba0d350827bc\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e1aa1dd5-eaa8-4bb6-91be-ba0d350827bc"
	],
	"report_names": [
		"listgroups.cgi?u=e1aa1dd5-eaa8-4bb6-91be-ba0d350827bc"
	],
	"threat_actors": [
		{
			"id": "8c5c318c-0e71-4184-92bb-d1c28f68a411",
			"created_at": "2022-10-25T15:50:23.692481Z",
			"updated_at": "2026-04-10T02:00:05.409574Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Scarlet Mimic"
			],
			"source_name": "MITRE:Scarlet Mimic",
			"tools": [
				"Psylo",
				"MobileOrder",
				"CallMe",
				"FakeM"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cac03bbf-0c42-470d-951e-0e92656be6cb",
			"created_at": "2023-01-06T13:46:38.463275Z",
			"updated_at": "2026-04-10T02:00:02.985402Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Golfing Taurus",
				"G0029"
			],
			"source_name": "MISPGALAXY:Scarlet Mimic",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fc2aed1-c838-41e9-b469-922e7bab6f94",
			"created_at": "2022-10-25T16:07:24.162936Z",
			"updated_at": "2026-04-10T02:00:04.886029Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"G0029",
				"Golfing Taurus"
			],
			"source_name": "ETDA:Scarlet Mimic",
			"tools": [
				"BrutishCommand",
				"CallMe",
				"CrypticConvo",
				"Elirks",
				"FakeFish",
				"FakeHighFive",
				"FakeM",
				"FakeM RAT",
				"FullThrottle",
				"HTran",
				"HUC Packet Transmit Tool",
				"MobileOrder",
				"Psylo",
				"RaidBase",
				"SkiBoot",
				"SubtractThis",
				"Terminator RAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434592,
	"ts_updated_at": 1775791955,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62f7630e9918e0de80bd5ccc3b49663d9893a03b.pdf",
		"text": "https://archive.orkl.eu/62f7630e9918e0de80bd5ccc3b49663d9893a03b.txt",
		"img": "https://archive.orkl.eu/62f7630e9918e0de80bd5ccc3b49663d9893a03b.jpg"
	}
}