{
	"id": "788c57c6-0966-4bea-a770-d1ac44bc3b1d",
	"created_at": "2026-04-06T00:19:12.78483Z",
	"updated_at": "2026-04-10T13:13:05.163098Z",
	"deleted_at": null,
	"sha1_hash": "a788528e9d47faa7a6eda59248c9ef47999a6437",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54623,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:11:07 UTC\n Other threat group: Yingmob\nNames Yingmob (real name)\nCountry China\nMotivation Financial gain\nFirst seen 2016\nDescription\n(Check Point) Check Point Mobile Threat Prevention has detected a new, unknown\nmobile malware that targeted two customer Android devices belonging to employees\nat a large financial services institution. Mobile Threat Prevention identified the\nthreat automatically by detecting exploitation attempts while examining the malware\nin the MTP emulators.\nThe infection was remediated after the system notified the devices' owners and the\nsystem administrators. The infection vector was a drive-by download attack, and\nCheck Point's Threat-Cloud indicates some adult content sites served the malicious\npayload.\nCalled HummingBad, this malware establishes a persistent rootkit with the objective\nto generate fraudulent ad revenue for its perpetrator, similar to the Brain Test app\ndiscovered by Check Point earlier this year. In addition, HummingBad installs\nfraudulent apps to increase the revenue stream for the fraudster.\nObserved\nCountries: Algeria, Bangladesh, Brazil, China, Colombia, Egypt, India, Indonesia,\nMalaysia, Mexico, Nepal, Pakistan, Philippines, Romania, Russia, Thailand, Turkey,\nUkraine, USA, Vietnam and others.\nTools used DroidPlugin, Eomobi, HummingBad, HummingWhale, Yispecter.\nOperations performed Jan 2017\nA Whale of a Tale: HummingBad Returns\nInformation\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e97f9ec0-b69d-408b-aa78-049e67d50c93\nPage 1 of 2\n\nLast change to this card: 14 April 2020\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e97f9ec0-b69d-408b-aa78-049e67d50c93\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e97f9ec0-b69d-408b-aa78-049e67d50c93\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e97f9ec0-b69d-408b-aa78-049e67d50c93"
	],
	"report_names": [
		"showcard.cgi?u=e97f9ec0-b69d-408b-aa78-049e67d50c93"
	],
	"threat_actors": [
		{
			"id": "0afff988-cf8a-443b-9e2e-8686e511d0ed",
			"created_at": "2023-01-06T13:46:38.45683Z",
			"updated_at": "2026-04-10T02:00:02.982791Z",
			"deleted_at": null,
			"main_name": "HummingBad",
			"aliases": [],
			"source_name": "MISPGALAXY:HummingBad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "45577352-1038-44a4-b111-44764d26a4b0",
			"created_at": "2022-10-25T16:07:24.591806Z",
			"updated_at": "2026-04-10T02:00:05.046659Z",
			"deleted_at": null,
			"main_name": "Yingmob",
			"aliases": [],
			"source_name": "ETDA:Yingmob",
			"tools": [
				"DroidPlugin",
				"Eomobi",
				"HummingBad",
				"HummingWhale",
				"Yispecter",
				"ZxxZ"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a788528e9d47faa7a6eda59248c9ef47999a6437.pdf",
		"text": "https://archive.orkl.eu/a788528e9d47faa7a6eda59248c9ef47999a6437.txt",
		"img": "https://archive.orkl.eu/a788528e9d47faa7a6eda59248c9ef47999a6437.jpg"
	}
}