{ "id": "af9886b2-f6c1-4224-ab89-080a538195b7", "created_at": "2026-04-06T03:37:42.462383Z", "updated_at": "2026-04-10T03:34:59.364558Z", "deleted_at": null, "sha1_hash": "aabec17aaa648116bbc96b26abb5260541df74f1", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 56086, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 03:13:50 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Roaming Mantis\n Tool: Roaming Mantis\nNames\nRoaming Mantis\nMoqHao\nXLoader\nWroba\nCategory Malware\nType Banking trojan, Info stealer, Miner\nDescription\n(Kaspersky) The Roaming Mantis mobile banking trojan is roaming further afield than it\never has before. Recent analysis shows that the malware has rapidly evolved just in the\npast month. It’s now targeting Europe and the Middle East in addition to Asian\ncountries. According to researchers, it’s following the cyber-zeitgeist by expanding its\ncapabilities to include cryptomining (and iOS phishing).\nRoaming Mantis is a mostly-mobile malware which this year has been spreading via\nDNS hijacking. Potential victims are typically redirected to a malicious webpage that\ndistributes a trojanized application that pretends to be either Facebook or Chrome. Once\ninstalled manually by users, a trojan banker will execute.\nInformation\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa243282-d977-4d61-81a2-b81c17ac47f3\nPage 1 of 2\n\nMITRE ATT\u0026CK Malpedia\nAlienVault OTX Last change to this tool card: 06 March 2024\nDownload this tool card in JSON format\nAll groups using tool Roaming Mantis\nChanged Name Country Observed\nOther groups\n Roaming Mantis [Unknown] 2017-Jul 2022\n1 group listed (0 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa243282-d977-4d61-81a2-b81c17ac47f3\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa243282-d977-4d61-81a2-b81c17ac47f3\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aa243282-d977-4d61-81a2-b81c17ac47f3" ], "report_names": [ "listgroups.cgi?u=aa243282-d977-4d61-81a2-b81c17ac47f3" ], "threat_actors": [ { "id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a", "created_at": "2023-01-06T13:46:38.823793Z", "updated_at": "2026-04-10T02:00:03.113045Z", "deleted_at": null, "main_name": "Roaming Mantis", "aliases": [ "Roaming Mantis Group" ], "source_name": "MISPGALAXY:Roaming Mantis", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3", "created_at": "2022-10-25T16:07:24.546437Z", "updated_at": "2026-04-10T02:00:05.029564Z", "deleted_at": null, "main_name": "Roaming Mantis", "aliases": [ "Roaming Mantis Group", "Shaoye" ], "source_name": "ETDA:Roaming Mantis", "tools": [ "MoqHao", "Roaming Mantis", "SmsSpy", "Wroba", "XLoader" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775446662, "ts_updated_at": 1775792099, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/aabec17aaa648116bbc96b26abb5260541df74f1.pdf", "text": "https://archive.orkl.eu/aabec17aaa648116bbc96b26abb5260541df74f1.txt", "img": "https://archive.orkl.eu/aabec17aaa648116bbc96b26abb5260541df74f1.jpg" } }