{
	"id": "39034817-39c3-428c-a6aa-5ae7da83482a",
	"created_at": "2026-04-06T00:06:19.504078Z",
	"updated_at": "2026-04-10T13:12:13.110608Z",
	"deleted_at": null,
	"sha1_hash": "8e3a3dc07adca1748d9fd100cca1c43794d526cf",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53741,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:14:24 UTC\nTool: dmsSpy\nNames dmsSpy\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\nDescription\n(Trend Micro) Another APK link was disguised as a calendar application for checking the\nschedule of upcoming political events in Hong Kong. Though the link was also down, we\nmanaged to find the original file downloaded from it.\nThe calendar application shown above requires many sensitive permissions such as\nREAD_CONTACTS, RECEIVE_SMS, READ_SMS, CALL_PHONE,\nACCESS_LOCATION, and WRITE/READ EXTERNAL_STORAGE. When launched, it first\ncollects device information such as device ID, brand, model, OS version, physical location, and\nSD card file list. It then sends the collected information back to the C\u0026C server.\nIt also steals contact and SMS information stored in the device. Furthermore, it registers a\nreceiver that monitors new incoming SMS messages and syncs messages with the C\u0026C server\nin real-time.\nThe app can perform an update by querying the C\u0026C server to fetch the URL of the latest APK\nfile, then download and install it.\nInformation\nMalpedia Last change to this tool card: 24 April 2021\nAll groups using tool dmsSpy\n\nChanged Name Country Observed\r\nAPT groups\r\n  Operation Poisoned News, TwoSail Junk 2020  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=94171b88-29ea-4840-8f84-61096123d0b0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=94171b88-29ea-4840-8f84-61096123d0b0"
	],
	"report_names": [
		"listgroups.cgi?u=94171b88-29ea-4840-8f84-61096123d0b0"
	],
	"threat_actors": [
		{
			"id": "3703894e-cf68-4c1e-a71a-e8fd2ef76747",
			"created_at": "2023-11-08T02:00:07.166789Z",
			"updated_at": "2026-04-10T02:00:03.432192Z",
			"deleted_at": null,
			"main_name": "TwoSail Junk",
			"aliases": [
				"Operation Poisoned News"
			],
			"source_name": "MISPGALAXY:TwoSail Junk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "741d58a1-0fc0-41a8-9681-106a06c07e61",
			"created_at": "2022-10-25T16:07:23.983046Z",
			"updated_at": "2026-04-10T02:00:04.822372Z",
			"deleted_at": null,
			"main_name": "Operation Poisoned News",
			"aliases": [
				"Operation Poisoned News",
				"TwoSail Junk"
			],
			"source_name": "ETDA:Operation Poisoned News",
			"tools": [
				"dmsSpy",
				"lightSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433979,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e3a3dc07adca1748d9fd100cca1c43794d526cf.pdf",
		"text": "https://archive.orkl.eu/8e3a3dc07adca1748d9fd100cca1c43794d526cf.txt",
		"img": "https://archive.orkl.eu/8e3a3dc07adca1748d9fd100cca1c43794d526cf.jpg"
	}
}