{
	"id": "7be81a94-99d4-461e-83fb-74b950aa50cf",
	"created_at": "2026-04-06T00:09:10.768516Z",
	"updated_at": "2026-04-10T03:30:32.915522Z",
	"deleted_at": null,
	"sha1_hash": "ba36e18aae1808367c49f70383f3ea4e07607529",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46709,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:04:20 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Antidot\n Tool: Antidot\nNames Antidot\nCategory Malware\nType Banking trojan\nDescription\n(Cyble) A new Android Banking Trojan, “Antidot,” masquerading as a Google Play update\napplication, displays fake Google Play update pages in multiple languages, indicating a wide\nrange of targets.\nAntidot incorporates a range of malicious features, including overlay attacks and keylogging,\nallowing it to compromise devices and harvest sensitive information.\nAntidot maintains communication with its Command and Control (C\u0026C) server through\nWebSocket, enabling real-time, bidirectional interaction for executing commands.\nThe malware executes a wide range of commands received from the C\u0026C server, including\ncollecting SMS messages, initiating USSD requests, and even remotely controlling device\nfeatures such as the camera and screen lock.\nAntidot implemented VNC using MediaProjection to remotely control infected devices.\nInformation\nLast change to this tool card: 18 June 2024\nDownload this tool card in JSON format\nAll groups using tool Antidot\nChanged Name Country Observed\nUnknown groups\n _[ Interesting malware not linked to an actor yet ]_\n1 group listed (0 APT, 0 other, 1 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=71f41a69-551a-482c-a76d-5010afedc665\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=71f41a69-551a-482c-a76d-5010afedc665\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=71f41a69-551a-482c-a76d-5010afedc665\r\nPage 2 of 2\n\nUnknown groups _[ Interesting malware not linked to an actor yet ]_\n1 group listed (0 APT, 0 other, 1 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=71f41a69-551a-482c-a76d-5010afedc665"
	],
	"report_names": [
		"listgroups.cgi?u=71f41a69-551a-482c-a76d-5010afedc665"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434150,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba36e18aae1808367c49f70383f3ea4e07607529.pdf",
		"text": "https://archive.orkl.eu/ba36e18aae1808367c49f70383f3ea4e07607529.txt",
		"img": "https://archive.orkl.eu/ba36e18aae1808367c49f70383f3ea4e07607529.jpg"
	}
}