{ "id": "8590c95c-bccc-45e3-be9a-7e419f8814e6", "created_at": "2026-04-06T00:15:01.303603Z", "updated_at": "2026-04-10T03:33:22.480305Z", "deleted_at": null, "sha1_hash": "b004e931280fa4bdb6acb69f3ebd6bbc1659a8d4", "title": "Retefe Gang, Operation Emmental - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49859, "plain_text": "Retefe Gang, Operation Emmental - Threat Group Cards: A\nThreat Actor Encyclopedia\nArchived: 2026-04-05 22:52:06 UTC\nHome \u003e List all groups \u003e Retefe Gang, Operation Emmental\n Other threat group: Retefe Gang, Operation Emmental\nNames\nRetefe Gang (GovCERT.ch)\nOperation Emmental (Trend Micro)\nCountry Russia\nMotivation Financial crime\nFirst seen 2013\nDescription\n(GovCERT.ch) Surprisingly, there is a lot of media attention going on at the moment on a\nmacOS malware called OSX/Dok. In the recent weeks, various anti-virus vendors and security\nresearchers published blog posts on this threat, presenting their analysis and findings. While\nsome findings where very interesting, others were misleading or simply wrong.\nWe don’t know where the sudden media interest and the attention from anti-virus vendors on\nthis threat actor are coming from. As a matter of fact, the threat actor behind OSX/Dok, which\nwe call the the Retefe gang or Operation Emmental, has already been around for many years\nand GovCERT.ch is tracking their activities since the very beginning (2013). The purpose of\nthis blog post is to put the puzzle pieces together and trying to bust some of the myths that\nhave made the round in the media recently.\nObserved\nSectors: Financial.\nCountries: Austria, Germany, Japan, Romania, Sweden, Switzerland, Turkey, UK.\nTools used Citadel, Retefe, Retefe (Android), Tinba.\nInformation\nLast change to this card: 22 May 2020\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=58b1974b-2091-492a-901f-a25d9372d9a6\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=58b1974b-2091-492a-901f-a25d9372d9a6\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=58b1974b-2091-492a-901f-a25d9372d9a6\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=58b1974b-2091-492a-901f-a25d9372d9a6" ], "report_names": [ "showcard.cgi?u=58b1974b-2091-492a-901f-a25d9372d9a6" ], "threat_actors": [ { "id": "c6722d56-e5e7-4c5c-a5be-b7e01d4281b0", "created_at": "2022-10-25T16:07:24.542981Z", "updated_at": "2026-04-10T02:00:05.028606Z", "deleted_at": null, "main_name": "Retefe Gang", "aliases": [ "Operation Emmental", "Retefe Gang" ], "source_name": "ETDA:Retefe Gang", "tools": [ "Dok", "Illi", "Retefe", "Retefe (Android)", "Tina", "Tinba", "Tiny Banker", "TinyBanker", "Tsukuba", "Werdlod", "Zusy" ], "source_id": "ETDA", "reports": null }, { "id": "a8fba3fa-62bf-4fdb-92bb-29aa6375b92d", "created_at": "2024-02-08T02:00:04.329621Z", "updated_at": "2026-04-10T02:00:03.585503Z", "deleted_at": null, "main_name": "Operation Emmental", "aliases": [ "Retefe Gang", "Retefe Group" ], "source_name": "MISPGALAXY:Operation Emmental", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434501, "ts_updated_at": 1775792002, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b004e931280fa4bdb6acb69f3ebd6bbc1659a8d4.pdf", "text": "https://archive.orkl.eu/b004e931280fa4bdb6acb69f3ebd6bbc1659a8d4.txt", "img": "https://archive.orkl.eu/b004e931280fa4bdb6acb69f3ebd6bbc1659a8d4.jpg" } }