{
	"id": "ce889b01-9c1d-41e0-878f-d0937261257d",
	"created_at": "2026-04-06T01:32:30.417529Z",
	"updated_at": "2026-04-10T13:13:01.413256Z",
	"deleted_at": null,
	"sha1_hash": "a312fb15dc6a10498187e772862860b16dc34e96",
	"title": "Snowglobe, Animal Farm - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59315,
	"plain_text": "Snowglobe, Animal Farm - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-06 00:21:36 UTC\r\n APT group: Snowglobe, Animal Farm\r\nNames\r\nSnowglobe (CSEC)\r\nAnimal Farm (Kaspersky)\r\nSIG20 (NSA)\r\nATK 8 (Thales)\r\nCountry France\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2011\r\nDescription\r\n(GData) The revelation about the existence of yet another potentially nation-state driven\r\nspyware occurred in March 2014 when Le Monde first published information about top secret\r\nslides originating from 2011 and part of their content. But the slides Le Monde published\r\nrevealed only a small part of the picture – several slides were cut out, some information was\r\nredacted. Germany’s Der Spiegel re-published the slide set with far less deletions recently, in\r\nJanuary 2015, and therefore gave a deeper insight about what CSEC actually says they have\r\ntracked down.\r\nThe newly published documents reveal: the so called operation SNOWGLOBE, was\r\ndiscovered in 2009 (slide 9) and consists of three different “implants”, two were dubbed\r\nsnowballs and one “more sophisticated implant, discovered in mid-2010” is tagged as\r\nsnowman (slide 7). According to slide 22, “CSEC assesses, with moderate certainty,\r\nSNOWGLOBE to be a state-sponsored CNO [Cyber Network Operation] effort, put forth by a\r\nFrench intelligence agency.” The information given dates back to 2011 and nothing else has\r\nbeen published since. 
Now that specific Babar samples have been identified and analyzed,\r\nthere might be new information, also with regards to similarities or differences between the\r\ntwo Remote Administration Tools (RATs) EvilBunny and Babar.\r\nObserved Sectors: Defense, Government, Media and private sectors.\r\nCountries: Algeria, Austria, China, Congo, Cote d'Ivoire, Germany, Greece, Iran, Iraq, Israel,\r\nMalaysia, Morocco, Netherlands, New Zealand, Norway, Russia, Spain, Syria, Turkey, UK,\nUkraine, USA.\nTools used Babar, Casper, Dino, EvilBunny, Tafacalou, Nbot, Chocopop.\nInformation\nLast change to this card: 24 April 2020\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1321cfb0-511e-41a0-86a5-e7f1582911af",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1321cfb0-511e-41a0-86a5-e7f1582911af"
	],
	"report_names": [
		"showcard.cgi?u=1321cfb0-511e-41a0-86a5-e7f1582911af"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e09a7338-fb16-4e39-b579-c3bfc3140c47",
			"created_at": "2022-10-25T16:07:24.207294Z",
			"updated_at": "2026-04-10T02:00:04.899166Z",
			"deleted_at": null,
			"main_name": "Snowglobe",
			"aliases": [
				"ATK 8",
				"Animal Farm",
				"SIG20",
				"Snowglobe"
			],
			"source_name": "ETDA:Snowglobe",
			"tools": [
				"Babar",
				"Casper",
				"Chocopop",
				"Dino",
				"EvilBunny",
				"Nbot",
				"TFC",
				"Tafacalou"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "548a4081-aa8f-4e2a-bcb3-0c9dfa61944f",
			"created_at": "2023-01-06T13:46:38.443779Z",
			"updated_at": "2026-04-10T02:00:02.977564Z",
			"deleted_at": null,
			"main_name": "SNOWGLOBE",
			"aliases": [
				"Animal Farm",
				"Snowglobe",
				"ATK8"
			],
			"source_name": "MISPGALAXY:SNOWGLOBE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439150,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a312fb15dc6a10498187e772862860b16dc34e96.pdf",
		"text": "https://archive.orkl.eu/a312fb15dc6a10498187e772862860b16dc34e96.txt",
		"img": "https://archive.orkl.eu/a312fb15dc6a10498187e772862860b16dc34e96.jpg"
	}
}