{ "id": "c2717c51-b584-4f06-bbe5-2bfacf8d2d48", "created_at": "2026-04-06T01:29:18.745466Z", "updated_at": "2026-04-10T03:30:56.218063Z", "deleted_at": null, "sha1_hash": "9fa56868a24354429d969d2ac3eb8edc137116df", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49022, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:33:03 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ZooPark\n Tool: ZooPark\nNames ZooPark\nCategory Malware\nType Backdoor, Info stealer, Credential stealer, Exfiltration\nDescription\n(Kaspersky) Kaspersky Lab has been following this malware since 2015, and it has learned a\nplethora of new tricks since then. The current, fourth version of this Trojan can steal almost\nany information from your smartphone, from contacts to call logs and info you enter by\nkeyboard. Here is the list of data that ZooPark can collect and send to its owners:\n• Contacts\n• User account information\n• Call history\n• Call audio recordings\n• Text messages\n• Bookmarks and browser history\n• Browser search history\n• Device location\n• Device information\n• Information on installed apps\n• Any files from the memory card\n• Documents stored on the device\n• Information entered using the on-screen keyboard\n• Clipboard information\n• App-stored data (for example, data from messaging apps such as Telegram, WhatsApp, and\nimo, or the Chrome browser)\nIn addition, ZooPark can take screenshots and photos, and record videos on command. For\nexample, it can take a picture of the phone’s owner from the front camera and send it to its\ncommand center.\nInformation\n\ncontent/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf\u003e\r\n\u003chttps://securelist.com/whos-who-in-the-zoo/85394\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark\u003e\r\nLast change to this tool card: 13 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool ZooPark\r\nChanged Name Country Observed\r\nAPT groups\r\n  ZooPark [Unknown] 2015  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3b0980f-fc9b-4d05-b6a2-44a1540c5295\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3b0980f-fc9b-4d05-b6a2-44a1540c5295\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3b0980f-fc9b-4d05-b6a2-44a1540c5295" ], "report_names": [ "listgroups.cgi?u=c3b0980f-fc9b-4d05-b6a2-44a1540c5295" ], "threat_actors": [ { "id": "c97cf0c1-7f0d-4e35-9bb9-bceaad178c3d", "created_at": "2023-01-06T13:46:38.760807Z", "updated_at": "2026-04-10T02:00:03.091254Z", "deleted_at": null, "main_name": "ZooPark", "aliases": [], "source_name": "MISPGALAXY:ZooPark", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "93edf98a-03c1-48b3-a94c-e1bddc24f0e6", "created_at": "2022-10-25T16:07:24.435275Z", "updated_at": "2026-04-10T02:00:04.988022Z", "deleted_at": null, "main_name": "ZooPark", "aliases": [ "APT-C-38", "Cobalt Juno", "Saber Lion", "TG-2884" ], "source_name": "ETDA:ZooPark", "tools": [ "ZooPark" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775438958, "ts_updated_at": 1775791856, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9fa56868a24354429d969d2ac3eb8edc137116df.pdf", "text": "https://archive.orkl.eu/9fa56868a24354429d969d2ac3eb8edc137116df.txt", "img": "https://archive.orkl.eu/9fa56868a24354429d969d2ac3eb8edc137116df.jpg" } }