{ "id": "7dffdbd1-8136-497f-9648-993ae1f373e9", "created_at": "2026-04-06T00:19:56.757447Z", "updated_at": "2026-04-10T03:28:39.995492Z", "deleted_at": null, "sha1_hash": "c4e9c85ecca98eb5e5a81382b00d9918bb33955d", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49205, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:12:28 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool AnubisSpy\n Tool: AnubisSpy\nNames AnubisSpy\nCategory Malware\nType Backdoor, Info stealer, Exfiltration\nDescription\n(Trend Micro) AnubisSpy can steal messages (SMS), photos, videos, contacts, email\naccounts, calendar events, and browser histories (i.e., Chrome and Samsung Internet\nBrowser). It can also take screenshots and record audio, including calls. It can spy on the\nvictim through apps installed on the device, a list of which is in its configuration file that\ncan be updated. This includes Skype, WhatsApp, Facebook, and Twitter, among others.\nAfter the data are collected, they are encrypted and sent to the (C\u0026C) server. AnubisSpy\ncan also self-destruct to cover its tracks. It can run commands and delete files on the\ndevice, as well as install and uninstall Android Application Packages (APKs).\nAnubisSpy has several modules, each of which has a separate role. AnubisSpy’s code is\nwell constructed, indicating the developer/s’ know-how.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 21 May 2020\nDownload this tool card in JSON format\nAll groups using tool AnubisSpy\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=808cf3ae-bce9-40a5-a4e9-14bb9c1c8424\nPage 1 of 2\n\nAPT groups\r\n  Sphinx [Unknown] 2014  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=808cf3ae-bce9-40a5-a4e9-14bb9c1c8424\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=808cf3ae-bce9-40a5-a4e9-14bb9c1c8424\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=808cf3ae-bce9-40a5-a4e9-14bb9c1c8424" ], "report_names": [ "listgroups.cgi?u=808cf3ae-bce9-40a5-a4e9-14bb9c1c8424" ], "threat_actors": [ { "id": "e90ec9cb-9959-455d-b558-4bafef64d645", "created_at": "2022-10-25T16:07:24.222081Z", "updated_at": "2026-04-10T02:00:04.903184Z", "deleted_at": null, "main_name": "Sphinx", "aliases": [ "APT-C-15" ], "source_name": "ETDA:Sphinx", "tools": [ "AnubisSpy", "Backdoor.Oldrea", "Bladabindi", "Fertger", "Havex", "Havex RAT", "Jorik", "Oldrea", "PEACEPIPE", "njRAT", "yellowalbatross" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434796, "ts_updated_at": 1775791719, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c4e9c85ecca98eb5e5a81382b00d9918bb33955d.pdf", "text": "https://archive.orkl.eu/c4e9c85ecca98eb5e5a81382b00d9918bb33955d.txt", "img": "https://archive.orkl.eu/c4e9c85ecca98eb5e5a81382b00d9918bb33955d.jpg" } }