{ "id": "60ee011e-62fa-4d96-b6f5-f5742fdd2e06", "created_at": "2026-04-06T00:15:14.212989Z", "updated_at": "2026-04-10T13:11:28.795275Z", "deleted_at": null, "sha1_hash": "96f3a236f66962b71e2195e8536114421a2aefb0", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48348, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:20:02 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool HesperBot\n Tool: HesperBot\nNames HesperBot\nCategory Malware\nType Banking trojan, Info stealer, Keylogger, Tunneling\nDescription\n(ESET) Despite being a “new kid on the block”, it appears that Win32/Spy.Hesperbot is a\nvery potent banking trojan which features common functionalities, such as keystroke\nlogging, creation of screenshots and video capture, and setting up a remote proxy, but also\nincludes some more advanced tricks, such as creating a hidden VNC server on the\ninfected system. And of course the banking trojan feature list wouldn’t be complete\nwithout network traffic interception and HTML injection capabilities.\nWin32/Spy.Hesperbot does all this in quite a sophisticated manner.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool HesperBot\nChanged Name Country Observed\nAPT groups\n Wild Neutron, Butterfly, Sphinx Moth [Unknown] 2013-Feb 2013\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=79900005-923d-4e8b-8713-fd5be877969a\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=79900005-923d-4e8b-8713-fd5be877969a\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=79900005-923d-4e8b-8713-fd5be877969a\r\nPage 2 of 2\n\nAPT groups Wild Neutron, Butterfly, Sphinx Moth [Unknown] 2013-Feb 2013\n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=79900005-923d-4e8b-8713-fd5be877969a" ], "report_names": [ "listgroups.cgi?u=79900005-923d-4e8b-8713-fd5be877969a" ], "threat_actors": [ { "id": "92c0dae2-e255-4b90-8d8f-be88e393ab8d", "created_at": "2022-10-25T16:07:24.402328Z", "updated_at": "2026-04-10T02:00:04.97641Z", "deleted_at": null, "main_name": "Wild Neutron", "aliases": [ "Butterfly", "Morpho", "Sphinx Moth", "The Postal Group", "Wild Neutron" ], "source_name": "ETDA:Wild Neutron", "tools": [ "HesperBot", "Jiripbot", "JripBot" ], "source_id": "ETDA", "reports": null }, { "id": "e90ec9cb-9959-455d-b558-4bafef64d645", "created_at": "2022-10-25T16:07:24.222081Z", "updated_at": "2026-04-10T02:00:04.903184Z", "deleted_at": null, "main_name": "Sphinx", "aliases": [ "APT-C-15" ], "source_name": "ETDA:Sphinx", "tools": [ "AnubisSpy", "Backdoor.Oldrea", "Bladabindi", "Fertger", "Havex", "Havex RAT", "Jorik", "Oldrea", "PEACEPIPE", "njRAT", "yellowalbatross" ], "source_id": "ETDA", "reports": null }, { "id": "a653b7ac-97b5-465b-98cd-8713223b06a7", "created_at": "2023-01-06T13:46:38.592385Z", "updated_at": "2026-04-10T02:00:03.032867Z", "deleted_at": null, "main_name": "WildNeutron", "aliases": [ "Morpho", "Sphinx Moth" ], "source_name": "MISPGALAXY:WildNeutron", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434514, "ts_updated_at": 1775826688, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/96f3a236f66962b71e2195e8536114421a2aefb0.pdf", "text": "https://archive.orkl.eu/96f3a236f66962b71e2195e8536114421a2aefb0.txt", "img": "https://archive.orkl.eu/96f3a236f66962b71e2195e8536114421a2aefb0.jpg" } }