{
	"id": "00bb9566-76a9-4ae2-8134-0cd75c7c62ed",
	"created_at": "2026-04-06T00:15:44.869359Z",
	"updated_at": "2026-04-10T03:20:28.374828Z",
	"deleted_at": null,
	"sha1_hash": "859b77ade13b6de9dd0a2d557e7e2bacdf495258",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47975,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:27:31 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MMRat\r\n Tool: MMRat\r\nNames MMRat\r\nCategory Malware\r\nType Banking trojan, Backdoor, Info stealer, Credential stealer\r\nDescription\r\n(Trend Micro) The Trend Micro Mobile Application Reputation Service (MARS) team\r\ndiscovered a new, fully undetected Android banking trojan, dubbed MMRat (detected by\r\nTrendMicro as AndroidOS_MMRat.HRX), that has been targeting mobile users in Southeast\r\nAsia since late June 2023. The malware, named after its distinctive package name\r\ncom.mm.user, can capture user input and screen content, and can also remotely control victim\r\ndevices through various techniques, enabling its operators to carry out bank fraud on the\r\nvictim’s device.\r\nFurthermore, MMRat uses a special customized command-and-control (C\u0026C) protocol based\r\non protocol buffers (aka Protobuf), an open-source data format used for serializing structured\r\ndata. 
This feature, which is rarely seen in Android banking trojans, enhances its performance\r\nduring the transfer of large volumes of data.\r\nInformation\r\n\u003chttps://www.trendmicro.com/en_us/research/23/h/mmrat-carries-out-bank-fraud-via-fake-app-stores.html\u003e\r\n\u003chttps://cybersecurity.att.com/blogs/security-essentials/mmrat-a-new-banking-trojan\u003e\r\nLast change to this tool card: 13 October 2023\r\nAll groups using tool MMRat\r\nChanged Name Country Observed\r\nUnknown groups\r\n  _[ Interesting malware not linked to an actor yet ]_  \r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cddf5428-abee-4308-8ab6-ac5bb744e312",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cddf5428-abee-4308-8ab6-ac5bb744e312"
	],
	"report_names": [
		"listgroups.cgi?u=cddf5428-abee-4308-8ab6-ac5bb744e312"
	],
	"threat_actors": [],
	"ts_created_at": 1775434544,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/859b77ade13b6de9dd0a2d557e7e2bacdf495258.pdf",
		"text": "https://archive.orkl.eu/859b77ade13b6de9dd0a2d557e7e2bacdf495258.txt",
		"img": "https://archive.orkl.eu/859b77ade13b6de9dd0a2d557e7e2bacdf495258.jpg"
	}
}