{ "id": "fc25e658-cfb0-4eec-b07c-c4a9e93543df", "created_at": "2026-04-06T15:53:11.718338Z", "updated_at": "2026-04-10T03:38:03.433034Z", "deleted_at": null, "sha1_hash": "a029caa2605dbb43664d702b0d7716d2fa685b63", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48911, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 15:37:51 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Spark\n Tool: Spark\nNames Spark\nCategory Malware\nType Reconnaissance, Backdoor, Keylogger, Info stealer, Downloader\nDescription\n(Cybereason) The Spark backdoor allows the attackers to:\n• Collect information about the infected machine.\n• Encrypt the collected data and send it to the attackers over the HTTP protocol.\n• Download additional payloads.\n• Log keystrokes.\n• Record audio using the computer’s microphone.\n• Execute commands on the infected machine.\nThe creators of the Spark backdoor use a few techniques that are intended to keep the\nbackdoor under-the-radar, including:\n• Packing the payloads with the Enigma packer.\n• Checking for antivirus and other security products using WMI.\n• Validating Arabic keyboard and language settings on the infected machine.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Spark\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=934e2c2c-e02e-4deb-afa4-064a1b10c29b\nPage 1 of 2\n\nAPT groups\r\n  Molerats, Extreme Jackal, Gaza Cybergang [Gaza] 2012-Jul 2023  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=934e2c2c-e02e-4deb-afa4-064a1b10c29b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=934e2c2c-e02e-4deb-afa4-064a1b10c29b\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=934e2c2c-e02e-4deb-afa4-064a1b10c29b" ], "report_names": [ "listgroups.cgi?u=934e2c2c-e02e-4deb-afa4-064a1b10c29b" ], "threat_actors": [ { "id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f", "created_at": "2022-10-25T15:50:23.756782Z", "updated_at": "2026-04-10T02:00:05.324924Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Molerats", "Operation Molerats", "Gaza Cybergang" ], "source_name": "MITRE:Molerats", "tools": [ "MoleNet", "DustySky", "DropBook", "SharpStage", "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c", "created_at": "2023-01-06T13:46:38.508262Z", "updated_at": "2026-04-10T02:00:03.006018Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Gaza Cybergang", "Operation Molerats", "Extreme Jackal", "ALUMINUM SARATOGA", "G0021", "BLACKSTEM", "Gaza Hackers Team", "Gaza cybergang" ], "source_name": "MISPGALAXY:Molerats", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4", "created_at": "2022-10-25T16:07:23.875541Z", "updated_at": "2026-04-10T02:00:04.768142Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "ATK 89", "Aluminum Saratoga", "Extreme Jackal", "G0021", "Gaza Cybergang", "Gaza Hackers Team", "Molerats", "Operation DustySky", "Operation DustySky Part 2", "Operation Molerats", "Operation Moonlight", "Operation SneakyPastes", "Operation TopHat", "TA402", "TAG-CT5" ], "source_name": "ETDA:Molerats", "tools": [ "BadPatch", "Bladabindi", "BrittleBush", "Chymine", "CinaRAT", "Darkmoon", "Downeks", "DropBook", "DustySky", "ExtRat", "Gen:Trojan.Heur.PT", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Iniduoh", "IronWind", "Jenxcus", "JhoneRAT", "Jorik", "KasperAgent", "Kognito", "LastConn", "Micropsia", "MoleNet", "Molerat Loader", "NeD Worm", "NimbleMamba", "Njw0rm", "Pierogi", "Poison Ivy", "Quasar RAT", "QuasarRAT", "SPIVY", "Scote", "SharpSploit", "SharpStage", "WSHRAT", "WelcomeChat", "Xtreme RAT", "XtremeRAT", "Yggdrasil", "dinihou", "dunihi", "njRAT", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775490791, "ts_updated_at": 1775792283, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a029caa2605dbb43664d702b0d7716d2fa685b63.pdf", "text": "https://archive.orkl.eu/a029caa2605dbb43664d702b0d7716d2fa685b63.txt", "img": "https://archive.orkl.eu/a029caa2605dbb43664d702b0d7716d2fa685b63.jpg" } }