{
	"id": "55a68646-dd93-432b-814c-8060b4c44232",
	"created_at": "2026-04-06T00:13:41.172798Z",
	"updated_at": "2026-04-10T13:12:53.743868Z",
	"deleted_at": null,
	"sha1_hash": "8e157ecfa515eb898c7736e6e3cf0662e26a922d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55102,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:42:32 UTC\n\nTool: Cerberus\nNames: Cerberus\nCategory: Malware\nType: Banking trojan, Backdoor, Info stealer, Credential stealer, Botnet\n\nDescription\n(ThreatFabric) After the user grants the requested privilege, Cerberus starts to abuse it by granting itself additional permissions, such as permissions needed to send messages and make calls, without requiring any user interaction. It also disables Play Protect (Google's preinstalled antivirus solution) to prevent its discovery and deletion in the future. After conveniently granting itself additional privileges and securing its persistence on the device, Cerberus registers the infected device in the botnet and waits for commands from the C2 server while also being ready to perform overlay attacks.\n\nInformation: MITRE ATT\u0026CK, Malpedia, AlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:cerberus\u003e\nLast change to this tool card: 30 December 2022\n\nAll groups using tool Cerberus\nChanged Name Country Observed\nUnknown groups\n_[ Interesting malware not linked to an actor yet ]_\n1 group listed (0 APT, 0 other, 1 unknown)\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eafc48e5-6613-4d2d-aa69-0596a6d1f4d8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eafc48e5-6613-4d2d-aa69-0596a6d1f4d8"
	],
	"report_names": [
		"listgroups.cgi?u=eafc48e5-6613-4d2d-aa69-0596a6d1f4d8"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434421,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e157ecfa515eb898c7736e6e3cf0662e26a922d.pdf",
		"text": "https://archive.orkl.eu/8e157ecfa515eb898c7736e6e3cf0662e26a922d.txt",
		"img": "https://archive.orkl.eu/8e157ecfa515eb898c7736e6e3cf0662e26a922d.jpg"
	}
}