{
	"id": "04f94c06-60f6-4865-8446-c3cec21221f2",
	"created_at": "2026-04-06T00:16:35.497139Z",
	"updated_at": "2026-04-10T03:34:41.43973Z",
	"deleted_at": null,
	"sha1_hash": "945b72c219e2cfbfd403ca91f5887a387cbe180a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58324,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:02:59 UTC\r\n APT group: OPERA1ER\r\nNames\r\nOPERA1ER (Group-IB)\r\nDESKTOP-GROUP (c-APT-ure)\r\nCommon Raven (SWIFT)\r\nNXSMS (Orange-CERT-CC)\r\nBluebottle (Symantec)\r\nCountry [Unknown]\r\nMotivation Financial crime\r\nFirst seen 2016\r\nDescription\r\n(Group-IB) Digital forensics artifacts analyzed by Group-IB and Orange following\r\nmore than 30 successful intrusions of OPERA1ER between 2018 and 2022 helped to\r\ntrace down affected organizations in Ivory Coast, Mali, Burkina Faso, Benin,\r\nCameroon, Bangladesh, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone,\r\nUganda, Togo, Argentina. Many of the victims identified were successfully attacked\r\ntwice, and their infrastructure was then used to attack other organizations. According\r\nto Group-IB’s evaluation, between 2018 and 2022, OPERA1ER managed to steal at\r\nleast $11 million, and the actual amount of damage could be as high as $30 million.\r\nObserved\r\nSectors: Financial, Telecommunications.\r\nCountries: Argentina, Bangladesh, Benin, Burkina Faso, Cameroon, Cote d'Ivoire,\r\nGabon, Mali, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Togo, Uganda.\r\nTools used\r\nAgent Tesla, BitRAT, BlackNET RAT, Cobalt Strike, Metasploit, NetWire RC,\r\nNeutrino, Ngrok, PsExec, RDPWrap, RemcosRAT, Revealer Keylogger,\r\nVenomRAT, Living off the Land.\r\nOperations performed May 2022\r\nBluebottle: Campaign Hits Banks in French-speaking Countries in\r\nAfrica\r\n\u003chttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa\u003e\r\nCounter operations Jul 2023 Operation “Nervone”\r\nSuspected key figure of notorious cybercrime group arrested in\r\njoint operation\r\n\u003chttps://www.interpol.int/News-and-Events/News/2023/Suspected-https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a3c4d317-7ad1-4353-9102-ff64b20996d5\r\nPage 1 of 2\n\nkey-figure-of-notorious-cybercrime-group-arrested-in-joint-operation\u003e\nInformation Last change to this card: 05 September 2023\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a3c4d317-7ad1-4353-9102-ff64b20996d5\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=a3c4d317-7ad1-4353-9102-ff64b20996d5\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a3c4d317-7ad1-4353-9102-ff64b20996d5"
	],
	"report_names": [
		"showcard.cgi?u=a3c4d317-7ad1-4353-9102-ff64b20996d5"
	],
	"threat_actors": [
		{
			"id": "11c69e3d-a740-4a70-abd3-158ac0375452",
			"created_at": "2023-01-06T13:46:39.29608Z",
			"updated_at": "2026-04-10T02:00:03.27813Z",
			"deleted_at": null,
			"main_name": "Common Raven",
			"aliases": [
				"NXSMS",
				"DESKTOP-GROUP",
				"OPERA1ER"
			],
			"source_name": "MISPGALAXY:Common Raven",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59a48c28-d918-419f-b8b8-44be0c9741c8",
			"created_at": "2023-11-08T02:00:07.172993Z",
			"updated_at": "2026-04-10T02:00:03.434175Z",
			"deleted_at": null,
			"main_name": "BlueBottle",
			"aliases": [],
			"source_name": "MISPGALAXY:BlueBottle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a1071a25-d7c1-41be-a97f-2ec1b167ceb0",
			"created_at": "2023-02-18T02:04:24.365926Z",
			"updated_at": "2026-04-10T02:00:04.792271Z",
			"deleted_at": null,
			"main_name": "OPERA1ER",
			"aliases": [
				"Common Raven",
				"DESKTOP-GROUP",
				"NXSMS",
				"Operation Nervone"
			],
			"source_name": "ETDA:OPERA1ER",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Agentemis",
				"BitRAT",
				"BlackNET RAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Kasidet",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"Ngrok",
				"Origin Logger",
				"PsExec",
				"RDPWrap",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revealer Keylogger",
				"Socmer",
				"VenomRAT",
				"ZPAQ",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434595,
	"ts_updated_at": 1775792081,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/945b72c219e2cfbfd403ca91f5887a387cbe180a.pdf",
		"text": "https://archive.orkl.eu/945b72c219e2cfbfd403ca91f5887a387cbe180a.txt",
		"img": "https://archive.orkl.eu/945b72c219e2cfbfd403ca91f5887a387cbe180a.jpg"
	}
}