{ "id": "89dbac3b-3b67-44e8-aee9-f49697719739", "created_at": "2026-04-06T00:09:17.947567Z", "updated_at": "2026-04-10T03:37:04.144088Z", "deleted_at": null, "sha1_hash": "8888d2dd820cb247475c88a19e279d85b3fa0fb4", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46301, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:52:29 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PlainGnome\r\n Tool: PlainGnome\r\nNames PlainGnome\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer\r\nDescription\r\n(Lookout) PlainGnome consists of a two-stage deployment in which a very minimal first stage\r\ndrops a malicious APK once it’s installed. While the first and second stages use some variation\r\non the Telegram package name, the actual functionality presented to the user is essentially the\r\nsame as that observed in previous BoneSpy samples using the “image gallery” theme. This\r\nlure theme continued through most of PlainGnome’s deployment throughout 2024.\r\nInformation\r\n\u003chttps://www.lookout.com/threat-intelligence/article/gamaredon-russian-android-surveillanceware\u003e\r\nLast change to this tool card: 27 December 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool PlainGnome\r\nChanged Name Country Observed\r\nAPT groups\r\n  Gamaredon Group 2013-Feb 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2f6eb326-1cd4-4e06-9521-b49bd22fe1ec\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2f6eb326-1cd4-4e06-9521-b49bd22fe1ec\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2f6eb326-1cd4-4e06-9521-b49bd22fe1ec" ], "report_names": [ "listgroups.cgi?u=2f6eb326-1cd4-4e06-9521-b49bd22fe1ec" ], "threat_actors": [ { "id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308", "created_at": "2022-10-25T15:50:23.320841Z", "updated_at": "2026-04-10T02:00:05.356444Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Gamaredon Group", "IRON TILDEN", "Primitive Bear", "ACTINIUM", "Armageddon", "Shuckworm", "DEV-0157", "Aqua Blizzard" ], "source_name": "MITRE:Gamaredon Group", "tools": [ "QuietSieve", "Pteranodon", "Remcos", "PowerPunch" ], "source_id": "MITRE", "reports": null }, { "id": "d5156b55-5d7d-4fb2-836f-861d2e868147", "created_at": "2023-01-06T13:46:38.557326Z", "updated_at": "2026-04-10T02:00:03.023048Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "ACTINIUM", "DEV-0157", "Blue Otso", "G0047", "IRON TILDEN", "PRIMITIVE BEAR", "Shuckworm", "UAC-0010", "BlueAlpha", "Trident Ursa", "Winterflounder", "Aqua Blizzard", "Actinium" ], "source_name": "MISPGALAXY:Gamaredon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "236a8303-bf12-4787-b6d0-549b44271a19", "created_at": "2024-06-04T02:03:07.966137Z", "updated_at": "2026-04-10T02:00:03.706923Z", "deleted_at": null, "main_name": "IRON TILDEN", "aliases": [ "ACTINIUM ", "Aqua Blizzard ", "Armageddon", "Blue Otso ", "BlueAlpha ", "Dancing Salome ", "Gamaredon", "Gamaredon Group", "Hive0051 ", "Primitive Bear ", "Shuckworm ", "Trident Ursa ", "UAC-0010 ", "UNC530 ", "WinterFlounder " ], "source_name": "Secureworks:IRON TILDEN", "tools": [ "Pterodo" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434157, "ts_updated_at": 1775792224, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8888d2dd820cb247475c88a19e279d85b3fa0fb4.pdf", "text": "https://archive.orkl.eu/8888d2dd820cb247475c88a19e279d85b3fa0fb4.txt", "img": "https://archive.orkl.eu/8888d2dd820cb247475c88a19e279d85b3fa0fb4.jpg" } }