{
	"id": "c19b1ba5-0867-4943-9917-3b9bbb94fb1f",
	"created_at": "2026-04-06T00:12:05.575717Z",
	"updated_at": "2026-04-10T03:28:40.032174Z",
	"deleted_at": null,
	"sha1_hash": "7a8a7103db93696853dd1f80eb32cc07a1ce582a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48181,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:00:16 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ROCK\r\n Tool: ROCK\r\nNames\r\nROCK\r\nyellowalbatross\r\nCategory Malware\r\nType Backdoor, Info stealer, Credential stealer\r\nDescription\r\n(Qihoo 360) ROCK Trojan plays a main role in the Sphinx attacks. This malware family was\r\ndeveloped by the attackers themselves or was custom-made by a third-party group.\r\nThe malware impersonated Word documents, images or installation programs in the attempt to\r\ndisguise itself as PDF files, pictures or Flash installers to induce the users to click.\r\nThe main purpose is to steal sensitive information from the victims, such as system\r\ninformation, account \u0026 password and search history saved in the browser. It also monitors\r\nvictims through Skype chatting history, cameras, microphones and keyboard \u0026 mouse logging.\r\nThe information collected will then be encrypted and passed back to specific C2 servers.\r\nInformation\r\n\u003chttps://docplayer.net/83717233-Sphinx-apt-c-15-targeted-cyber-attack-in-the-middle-east-table-of-contents.html\u003e\r\n\u003chttps://github.com/securitykitten/malware_references/blob/master/rmshixdAPT-C-15-\r\n20160630.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.rock\u003e\r\nLast change to this tool card: 21 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool ROCK\r\nChanged Name Country Observed\r\nAPT groups\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e87646c0-03af-4547-9f37-6bf9a2e99cde\r\nPage 1 of 2\n\nSphinx [Unknown] 2014  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e87646c0-03af-4547-9f37-6bf9a2e99cde\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e87646c0-03af-4547-9f37-6bf9a2e99cde\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e87646c0-03af-4547-9f37-6bf9a2e99cde"
	],
	"report_names": [
		"listgroups.cgi?u=e87646c0-03af-4547-9f37-6bf9a2e99cde"
	],
	"threat_actors": [
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775791720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a8a7103db93696853dd1f80eb32cc07a1ce582a.pdf",
		"text": "https://archive.orkl.eu/7a8a7103db93696853dd1f80eb32cc07a1ce582a.txt",
		"img": "https://archive.orkl.eu/7a8a7103db93696853dd1f80eb32cc07a1ce582a.jpg"
	}
}