{ "id": "9ad67132-2c31-43e8-8956-f439269655ee", "created_at": "2026-04-06T00:10:34.910424Z", "updated_at": "2026-04-10T13:11:57.868951Z", "deleted_at": null, "sha1_hash": "7fc38e60995f15420b369aed24a92fea3a73eff8", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49110, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:21:21 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BarbWire\r\n Tool: BarbWire\r\nNames BarbWire\r\nCategory Malware\r\nType\r\nReconnaissance, Backdoor, Info stealer, Credential stealer, Keylogger, Downloader,\r\nExfiltration\r\nDescription\r\n(Cybereason) The backdoor component of APT-C-23’s operation is a very capable piece of\r\nmalware, and it is obvious that a lot of effort was put into hiding its capabilities using a custom\r\nbase64 algorithm. Its main goal is to fully compromise the victim machine, gaining access to\r\ntheir most sensitive data. The backdoor’s main capabilities include:\r\n• Persistence\r\n• OS Reconnaissance\r\n• Data encryption\r\n• Keylogging\r\n• Screen capturing\r\n• Audio recording\r\n• Download additional malware\r\n• Local/external drives and directory enumeration\r\n• Steal specific file types and exfiltrate data\r\nInformation\r\n\u003chttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.barbwire\u003e\r\nLast change to this tool card: 27 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool BarbWire\r\nChanged Name Country Observed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=97f960d1-4a27-4432-ad27-a21a572ef9ce\r\nPage 1 of 2\n\nAPT groups\r\n  Desert Falcons [Gaza] 2011-Oct 2023\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=97f960d1-4a27-4432-ad27-a21a572ef9ce\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=97f960d1-4a27-4432-ad27-a21a572ef9ce\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=97f960d1-4a27-4432-ad27-a21a572ef9ce" ], "report_names": [ "listgroups.cgi?u=97f960d1-4a27-4432-ad27-a21a572ef9ce" ], "threat_actors": [ { "id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d", "created_at": "2022-10-25T16:07:23.539852Z", "updated_at": "2026-04-10T02:00:04.647734Z", "deleted_at": null, "main_name": "Desert Falcons", "aliases": [ "APT-C-23", "ATK 66", "Arid Viper", "Niobium", "Operation Arid Viper", "Operation Bearded Barbie", "Operation Rebound", "Pinstripe Lightning", "Renegade Jackal", "TAG-63", "TAG-CT1", "Two-tailed Scorpion" ], "source_name": "ETDA:Desert Falcons", "tools": [ "AridSpy", "Barb(ie) Downloader", "BarbWire", "Desert Scorpion", "FrozenCell", "GlanceLove", "GnatSpy", "KasperAgent", "Micropsia", "PyMICROPSIA", "SpyC23", "Viper RAT", "ViperRAT", "VolatileVenom", "WinkChat", "android.micropsia" ], "source_id": "ETDA", "reports": null }, { "id": "b1979c55-037a-415f-b0a3-cab7933f5cd4", "created_at": "2024-04-24T02:00:49.561432Z", "updated_at": "2026-04-10T02:00:05.416794Z", "deleted_at": null, "main_name": "APT-C-23", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "TAG-63", "Grey Karkadann", "Big Bang APT", "Two-tailed Scorpion" ], "source_name": "MITRE:APT-C-23", "tools": [ "Micropsia" ], "source_id": "MITRE", "reports": null }, { "id": "929d794b-0e1d-4d10-93a6-29408a527cc2", "created_at": "2023-01-06T13:46:38.70844Z", "updated_at": "2026-04-10T02:00:03.075002Z", "deleted_at": null, "main_name": "AridViper", "aliases": [ "Desert Falcon", "Arid Viper", "APT-C-23", "Bearded Barbie", "Two-tailed Scorpion" ], "source_name": "MISPGALAXY:AridViper", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "35b3e533-7483-4f07-894e-2bb3ac855207", "created_at": "2025-08-07T02:03:24.540035Z", "updated_at": "2026-04-10T02:00:03.69627Z", "deleted_at": null, "main_name": "ALUMINUM SHADYSIDE", "aliases": [ "APT-C-23 ", "Arid Viper ", "Desert Falcon " ], "source_name": "Secureworks:ALUMINUM SHADYSIDE", "tools": [ "Micropsia", "SpyC23" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434234, "ts_updated_at": 1775826717, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7fc38e60995f15420b369aed24a92fea3a73eff8.pdf", "text": "https://archive.orkl.eu/7fc38e60995f15420b369aed24a92fea3a73eff8.txt", "img": "https://archive.orkl.eu/7fc38e60995f15420b369aed24a92fea3a73eff8.jpg" } }