{
	"id": "3bab8003-3adf-420f-a9cf-1ba80909f47b",
	"created_at": "2026-04-06T01:31:13.019604Z",
	"updated_at": "2026-04-10T13:11:55.451012Z",
	"deleted_at": null,
	"sha1_hash": "6f476078c89c8324ad50a32fe51788208ab281fe",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48187,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 01:02:38 UTC\r\n APT group: ZooPark\r\nNames\r\nZooPark (Kaspersky)\r\nTG-2884 (SecureWorks)\r\nCobalt Juno (SecureWorks)\r\nAPT-C-38 (Qihoo 360)\r\nSaber Lion (?)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2015\r\nDescription\r\n(Kaspersky) ZooPark is a cyberespionage operation that has been focusing on Middle Eastern\r\ntargets since at least June 2015. The threat actors behind ZooPark infect Android devices using\r\nseveral generations of malware we label from v1-v4, with v4 being the most recent version\r\ndeployed in 2017.\r\nThe preferred infection vector for ZooPark is waterhole attacks. We found several news\r\nwebsites that have been hacked by the attackers to redirect visitors to a downloading site that\r\nserves malicious APKs. Some of the themes observed in campaign include “Kurdistan\r\nreferendum”, “TelegramGroups” and “Alnaharegypt news”, among others.\r\nTarget profile has evolved during the last years of campaign, focusing on victims in Egypt,\r\nJordan, Morocco, Lebanon and Iran.\r\nObserved\r\nSectors: Media and United Nations Relief and Works Agency for Palestine Refugees in the\r\nNear East (UNRWA) in Amman, Jordan.\r\nCountries: Egypt, Iraq, Iran, Jordan, Kuwait, Lebanon, Morocco and Kurdistan.\r\nTools used ZooPark.\r\nInformation\r\n\u003chttps://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf\u003e\r\nLast change to this card: 10 August 2021\r\nDownload this actor card in PDF or JSON format\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7d58d4fb-0ed4-4384-a16b-ea023145ddb9\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7d58d4fb-0ed4-4384-a16b-ea023145ddb9\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7d58d4fb-0ed4-4384-a16b-ea023145ddb9\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7d58d4fb-0ed4-4384-a16b-ea023145ddb9"
	],
	"report_names": [
		"showcard.cgi?u=7d58d4fb-0ed4-4384-a16b-ea023145ddb9"
	],
	"threat_actors": [
		{
			"id": "4a596945-b1a2-4a3d-82db-f47d69dfeffe",
			"created_at": "2025-08-07T02:03:24.751785Z",
			"updated_at": "2026-04-10T02:00:03.716433Z",
			"deleted_at": null,
			"main_name": "COBALT JUNO",
			"aliases": [
				"APT-C-38 ",
				"SABER LION",
				"TG-2884 "
			],
			"source_name": "Secureworks:COBALT JUNO",
			"tools": [
				"HARDCANDY",
				"SABER1",
				"SABER2",
				"ZooPark"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c97cf0c1-7f0d-4e35-9bb9-bceaad178c3d",
			"created_at": "2023-01-06T13:46:38.760807Z",
			"updated_at": "2026-04-10T02:00:03.091254Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [],
			"source_name": "MISPGALAXY:ZooPark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82fcec26-af6c-4e56-8c1f-5b97fc80af70",
			"created_at": "2023-01-06T13:46:39.141432Z",
			"updated_at": "2026-04-10T02:00:03.228154Z",
			"deleted_at": null,
			"main_name": "COBALT JUNO",
			"aliases": [
				"APT-C-38 (QiAnXin)",
				"SABER LION",
				"TG-2884 (SCWX CTU)"
			],
			"source_name": "MISPGALAXY:COBALT JUNO",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93edf98a-03c1-48b3-a94c-e1bddc24f0e6",
			"created_at": "2022-10-25T16:07:24.435275Z",
			"updated_at": "2026-04-10T02:00:04.988022Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [
				"APT-C-38",
				"Cobalt Juno",
				"Saber Lion",
				"TG-2884"
			],
			"source_name": "ETDA:ZooPark",
			"tools": [
				"ZooPark"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439073,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f476078c89c8324ad50a32fe51788208ab281fe.pdf",
		"text": "https://archive.orkl.eu/6f476078c89c8324ad50a32fe51788208ab281fe.txt",
		"img": "https://archive.orkl.eu/6f476078c89c8324ad50a32fe51788208ab281fe.jpg"
	}
}