{ "id": "c40f9737-c4de-45d5-9919-00b882014341", "created_at": "2026-04-06T03:37:07.563745Z", "updated_at": "2026-04-10T03:31:36.779867Z", "deleted_at": null, "sha1_hash": "8453ce44c121460cd74c07e7310de136a0dbe74a", "title": "Tempting Cedar Spyware - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51473, "plain_text": "Tempting Cedar Spyware - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-06 02:58:19 UTC\nHome \u003e List all groups \u003e Tempting Cedar Spyware\n APT group: Tempting Cedar Spyware\nNames Tempting Cedar Spyware (Avast)\nCountry Lebanon\nMotivation Information theft and espionage\nFirst seen 2015\nDescription\n(ZDNet) A hacking campaign used fake Facebook profiles to trick targets into downloading\nmalware capable of stealing vast swathes of information, including messages, photos, audio\nrecordings and even the exact location of victims.\nThe group has been operating since as early as 2015 and is thought to have infected the\nAndroid phones of hundreds selected targets across the Middle East. The the highest\nconcentration of infections is in Israel, but victims have also been seen in the US, China,\nGermany and France.\nUncovered by researchers at Avast, the operation has been dubbed 'Tempting Cedar Spyware'.\nThe name combines the main means of attack - by tricking victims using fake social media\nprofiles purporting to be those of a young woman - with the Cedar tree, which features\nprominently on the flag of Lebanon.\nThe campaign for distributing the malware begins with fake Facebook profiles which are\ndesigned to lure in victims - predominantly men - with 'flirty' conversations.\nObserved Countries: China, France, Germany, Israel, USA.\nTools used Tempting Cedar Spyware.\nInformation\nLast change to this card: 19 April 2020\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=043904a1-321c-421b-86e6-1a8c7b638cbf\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=043904a1-321c-421b-86e6-1a8c7b638cbf\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=043904a1-321c-421b-86e6-1a8c7b638cbf\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=043904a1-321c-421b-86e6-1a8c7b638cbf" ], "report_names": [ "showcard.cgi?u=043904a1-321c-421b-86e6-1a8c7b638cbf" ], "threat_actors": [ { "id": "8aa5e5a6-87dd-4700-b5a2-11e08218132e", "created_at": "2022-10-25T16:07:24.316497Z", "updated_at": "2026-04-10T02:00:04.933194Z", "deleted_at": null, "main_name": "Tempting Cedar Spyware", "aliases": [], "source_name": "ETDA:Tempting Cedar Spyware", "tools": [ "Tempting Cedar Spyware", "TemptingCedar Spyware" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775446627, "ts_updated_at": 1775791896, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8453ce44c121460cd74c07e7310de136a0dbe74a.pdf", "text": "https://archive.orkl.eu/8453ce44c121460cd74c07e7310de136a0dbe74a.txt", "img": "https://archive.orkl.eu/8453ce44c121460cd74c07e7310de136a0dbe74a.jpg" } }