{
	"id": "3984d837-e371-41fd-965c-81c8ce865f15",
	"created_at": "2026-04-06T00:13:47.835841Z",
	"updated_at": "2026-04-10T03:29:07.536516Z",
	"deleted_at": null,
	"sha1_hash": "ada7422ec01d6725ff10caf15ba15b2b3a55edb9",
	"title": "Animals in the APT Farm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1194507,
	"plain_text": "Animals in the APT Farm\r\nBy GReAT\r\nPublished: 2015-03-06 · Archived: 2026-04-05 21:52:36 UTC\r\nIn 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in\r\ncyberattacks in the wild.\r\nTwo of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the\r\npast few years, Animal Farm has targeted a wide range of global organizations. Victims include:\r\nGovernment organizations\r\nMilitary contractors\r\nHumanitarian aid organizations\r\nPrivate companies\r\nJournalists and media organizations\r\nActivists\r\nOur colleagues at Cyphort (http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/), G-DATA\r\nand ESET have recently published blogs about Bunny, Casper and Babar, some of the Trojans used by the Animal\r\nFarm group.\r\nThe Farm includes several Trojans, which we have grouped into six major families:\r\nhttps://securelist.com/animals-in-the-apt-farm/69114/\r\nPage 1 of 5\n\nHere’s a brief description of the animals in the farm:\r\nBunny – an old “validator”-style Trojan used with a PDF zero-day attack in 2011.\r\nDino – a full-featured espionage platform.\r\nBabar – the most sophisticated espionage platform from the Animal Farm group.\r\nNBot – malware used in a botnet-style operation by the group. It has DDoS capabilities.\r\nTafacalou – a validator-style Trojan used by the attackers in recent years. Confirmed victims get upgraded\r\nto Dino or Babar.\r\nCasper – the most recent “validator”-style implant from the Animal Farm group.\r\nThe group has been active since at least 2009 and there are signs that earlier malware versions  were developed as\r\nfar back as 2007.\r\nOver the years we have tracked multiple campaigns by the Animal Farm group. 
These can be identified by a\r\nspecific code found either in the malware configuration or extracted from the C\u0026C logs.\r\nMost recently, the group deployed the Casper Trojan via a watering-hole attack in Syria. A full description of this\r\nzero-day attack can be found in this blog post by Kaspersky Lab’s Vyacheslav Zakorzhevsky.\r\nIn addition to these, the Animal Farm attackers used at least one unknown, mysterious malware during an\r\noperation targeting computer users in Burkina Faso.\r\nKSN \u0026 Sinkholing statistics\r\nDuring the investigation we sinkholed a large number of C\u0026C servers used by the Animal Farm group. This\r\nallowed us to compile a comprehensive picture of both targets and victims.\r\nThe malware known as Tafacalou (aka “TFC”, “Transporter”) is perhaps of greatest interest here, because it acts\r\nas an entry point for the more sophisticated spy platforms Babar and Dino. Based on the Tafacalou infection logs,\r\nwe observed that most of the victims are in the following countries: Syria, Iran, Malaysia, USA, China, Turkey,\r\nNetherlands, Germany, Great Britain, Russia, Sweden, Austria, Algeria, Israel, Iraq, Morocco, New Zealand,\r\nUkraine.\r\nWhat does “Tafacalou” mean?\r\n“Tafacalou” is the attacker’s internal name for one of the validator (1st stage) Trojans. We tried various spellings\r\nof this word to see if it means anything in a specific language, and the most interesting option is one with its\r\norigins in the Occitan language: “Ta Fa Calou.”\r\nThe expression “Fa Calou” is the French interpretation of the Occitan “Fa Calor” which means “it’s getting hot”\r\n(see http://ejournaux.blogspot.com/2008/07/la-langue-occitane-et-ses-quelques.html). 
“Ta Fa Calou” could\r\ntherefore be taken to mean “so it’s getting hot” based on the Occitan language.\r\nAccording to Wikipedia: ‘Occitan is a Romance language spoken in southern France, Italy’s Occitan Valleys,\r\nMonaco, and Spain’s Val d’Aran; collectively, these regions are sometimes referred to unofficially as “Occitania”.’\r\nNote: A detailed technical report on Animal Farm is available to customers of Kaspersky Intelligent Services.\r\nFor more information, contact intelreports@kaspersky.com\r\nSource: https://securelist.com/animals-in-the-apt-farm/69114/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/animals-in-the-apt-farm/69114/"
	],
	"report_names": [
		"69114"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e09a7338-fb16-4e39-b579-c3bfc3140c47",
			"created_at": "2022-10-25T16:07:24.207294Z",
			"updated_at": "2026-04-10T02:00:04.899166Z",
			"deleted_at": null,
			"main_name": "Snowglobe",
			"aliases": [
				"ATK 8",
				"Animal Farm",
				"SIG20",
				"Snowglobe"
			],
			"source_name": "ETDA:Snowglobe",
			"tools": [
				"Babar",
				"Casper",
				"Chocopop",
				"Dino",
				"EvilBunny",
				"Nbot",
				"TFC",
				"Tafacalou"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "548a4081-aa8f-4e2a-bcb3-0c9dfa61944f",
			"created_at": "2023-01-06T13:46:38.443779Z",
			"updated_at": "2026-04-10T02:00:02.977564Z",
			"deleted_at": null,
			"main_name": "SNOWGLOBE",
			"aliases": [
				"Animal Farm",
				"Snowglobe",
				"ATK8"
			],
			"source_name": "MISPGALAXY:SNOWGLOBE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434427,
	"ts_updated_at": 1775791747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ada7422ec01d6725ff10caf15ba15b2b3a55edb9.pdf",
		"text": "https://archive.orkl.eu/ada7422ec01d6725ff10caf15ba15b2b3a55edb9.txt",
		"img": "https://archive.orkl.eu/ada7422ec01d6725ff10caf15ba15b2b3a55edb9.jpg"
	}
}