{
	"id": "92c2bd71-d1b9-4e27-a4cd-11c833ade3f7",
	"created_at": "2026-04-06T00:14:50.544061Z",
	"updated_at": "2026-04-10T03:36:22.018473Z",
	"deleted_at": null,
	"sha1_hash": "92c59ee7207b30bd8564dfcb57798f385e9e1ec7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52544,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:14:56 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PhantomLance\n Tool: PhantomLance\nNames\nPhantomLance\nPWNDROID1\nAndroid.Backdoor.736.origin\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Downloader, Exfiltration\nDescription\n(Dr.Web) The backdoor communicates with several command and control servers to receive\ncommands from the attackers and send the collected data. The cybercriminals can also control\nthe trojan via the Firebase Cloud Messaging service. Android.Backdoor.736.origin is capable\nof:\n• sending information on contacts from the contact list to the server;\n• sending information on text messages to the server (the investigated version of the trojan did\nnot have the permissions for this);\n• sending the phone call history to the server;\n• sending the device location to the server;\n• downloading and launching an APK or a DEX file using the DexClassLoader class;\n• sending the information on the installed software to the server;\n• downloading and launching a specified executable file;\n• downloading a file from the server;\n• uploading a specified file to the server;\n• transmitting information on files in the specified directory or a memory card to the server;\n• executing a shell command;\n• launching the activity specified in a command;\n• downloading and installing an Android application;\n• displaying a notification specified in a command;\n• requesting permission specified in a command;\n• sending the list of permissions granted to the trojan to the server;\n• not letting the device go into sleep mode for a specified time period.\nInformation \u003chttps://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html\u003e\r\nMalpedia 
\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/apk.phantomlance\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool PhantomLance\r\nChanged Name Country Observed\r\nAPT groups\r\n  APT 32, OceanLotus, SeaLotus 2013-Aug 2024\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d6d0a523-fa63-4a7a-a20a-df07a5cb7087\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d6d0a523-fa63-4a7a-a20a-df07a5cb7087\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d6d0a523-fa63-4a7a-a20a-df07a5cb7087"
	],
	"report_names": [
		"listgroups.cgi?u=d6d0a523-fa63-4a7a-a20a-df07a5cb7087"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92c59ee7207b30bd8564dfcb57798f385e9e1ec7.pdf",
		"text": "https://archive.orkl.eu/92c59ee7207b30bd8564dfcb57798f385e9e1ec7.txt",
		"img": "https://archive.orkl.eu/92c59ee7207b30bd8564dfcb57798f385e9e1ec7.jpg"
	}
}