{
	"id": "a7ca13ff-be7e-4ecf-a06e-5d82ad5c3d07",
	"created_at": "2026-04-06T00:09:51.45437Z",
	"updated_at": "2026-04-10T13:12:47.547435Z",
	"deleted_at": null,
	"sha1_hash": "b3ad9c6824b534c88362516391550d14779f0f7a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50603,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:25:12 UTC\r\nTool: BlackRock\r\nNames\r\nBlackRock\r\nAmpleBot\r\nCategory Malware\r\nType\r\nReconnaissance, Backdoor, Banking trojan, Keylogger, Info stealer, Credential stealer, Exfiltration\r\nDescription\r\n(ThreatFabric) Around May 2020 ThreatFabric analysts uncovered a new strain of banking malware dubbed BlackRock that looked pretty familiar. After investigation, it became clear that this newcomer is derived from the code of the Xerxes banking malware, which itself is a strain of the LokiBot Android banking Trojan. The source code of the Xerxes malware was made public by its author around May 2019, which means that it is accessible to any threat actor.\r\nTechnical aspects aside, one of the interesting differentiators of BlackRock is its target list; it contains an important number of social, networking, communication and dating applications. So far, many of those applications haven't been observed in target lists for other existing banking Trojans. It therefore seems that the actors behind BlackRock are trying to abuse the growth in online socializing that increased rapidly in the last months due to the pandemic situation.\r\nBlackRock offers a quite common set of capabilities compared to average Android banking Trojans. It can perform the infamous overlay attacks, send, spam and steal SMS messages, lock the victim in the launcher activity (HOME screen of the device), steal and hide notifications, deflect usage of Antivirus software on the device and act as a keylogger. Interestingly, the Xerxes Trojan itself offers more features, but it seems that actors have removed some of them in order to only keep those that they consider useful to steal personal information.\r\nNote: This malware was initially named BlackRock and later renamed to AmpleBot.\r\nInformation\r\n\u003chttps://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html\u003e\r\n\u003chttps://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html\u003e\r\n\u003chttps://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/apk.amplebot\u003e\r\nLast change to this tool card: 29 December 2022\r\nAll groups using tool BlackRock\r\nChanged Name Country Observed\r\nUnknown groups _[ Interesting malware not linked to an actor yet ]_\r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8d0ec018-69e1-4f6e-b7ef-b35e6a0dec39",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8d0ec018-69e1-4f6e-b7ef-b35e6a0dec39"
	],
	"report_names": [
		"listgroups.cgi?u=8d0ec018-69e1-4f6e-b7ef-b35e6a0dec39"
	],
	"threat_actors": [],
	"ts_created_at": 1775434191,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3ad9c6824b534c88362516391550d14779f0f7a.pdf",
		"text": "https://archive.orkl.eu/b3ad9c6824b534c88362516391550d14779f0f7a.txt",
		"img": "https://archive.orkl.eu/b3ad9c6824b534c88362516391550d14779f0f7a.jpg"
	}
}