{
	"id": "73203f5a-5c5e-41d7-ba98-38a6c0612c03",
	"created_at": "2026-04-06T00:17:48.108913Z",
	"updated_at": "2026-04-10T03:30:13.349573Z",
	"deleted_at": null,
	"sha1_hash": "66ad6d55d560c65cd641f318a15627570daec3cb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51320,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:59:01 UTC\r\nTool: DarkNimbus\r\nNames DarkNimbus\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer\r\nDescription\r\n(Trend Micro) The main backdoor implanted in XWalk is a comprehensive Android surveillance tool. We managed to find an independent version of the backdoor and discovered that it has been developed and actively updated since 2018. In some versions, we noticed that the backdoor uses the string “DKNS” in its functions. Since then, we named the backdoor DarkNimbus.\r\nDarkNimbus uses the XMPP protocol to communicate with a C\u0026C server. The XMPP communication handlers of the backdoor are implemented with the open-source project “Smack”. In addition, it communicates with another server via HTTPS; this server is used mainly for file transfers.\r\nThe features supported by DarkNimbus include collecting basic information about the infected device, installed apps, and geolocation (GPS). The backdoor steals personal information including the contact list, phone call records, SMS, clipboard content, browser bookmarks, and conversations from multiple instant messaging apps. It also supports call recording, taking photos, screenshotting, file operations, and command execution.\r\nInformation \u003chttps://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html\u003e\r\nLast change to this tool card: 27 December 2024\r\nAll groups using tool DarkNimbus\r\nChanged Name Country Observed\r\nAPT groups\r\nEarth Minotaur 2019\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=30d34631-0151-4a9c-9aa2-ab3cc5cd4b1e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=30d34631-0151-4a9c-9aa2-ab3cc5cd4b1e"
	],
	"report_names": [
		"listgroups.cgi?u=30d34631-0151-4a9c-9aa2-ab3cc5cd4b1e"
	],
	"threat_actors": [
		{
			"id": "dc813ffb-16bd-46f7-9d8f-8e93089f00c1",
			"created_at": "2024-12-28T02:01:54.748213Z",
			"updated_at": "2026-04-10T02:00:04.669444Z",
			"deleted_at": null,
			"main_name": "Earth Minotaur",
			"aliases": [],
			"source_name": "ETDA:Earth Minotaur",
			"tools": [
				"DarkNimbus",
				"MOONSHINE"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434668,
	"ts_updated_at": 1775791813,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66ad6d55d560c65cd641f318a15627570daec3cb.pdf",
		"text": "https://archive.orkl.eu/66ad6d55d560c65cd641f318a15627570daec3cb.txt",
		"img": "https://archive.orkl.eu/66ad6d55d560c65cd641f318a15627570daec3cb.jpg"
	}
}