{
	"id": "f210c74c-8ae5-46f6-9f62-b90c3b468534",
	"created_at": "2026-04-06T00:14:39.601385Z",
	"updated_at": "2026-04-10T03:32:50.083224Z",
	"deleted_at": null,
	"sha1_hash": "cb320090c4475910a899655713916bf73f158dca",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44720,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:52:36 UTC\n APT group: Sphinx\nNames\nSphinx (Qihoo 360)\nAPT-C-15 (Qihoo 360)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2014\nDescription\n(Qihoo 360) Operation Sphinx is a cyber-espionage activity in the Middle East. The main\nvictims are political and military organizations in Egypt, Israel and possibly other countries.\nSensitive data theft is what the attackers plotted for during the period from June, 2014 to\nNovember, 2015 when the activity was in its prime. We encountered some timestamps of the\nsamples to be as early as December, 2011 which suggests the attack might be started much\nearlier, though further sound proof is needed. The main approach of Sphinx is watering hole\nattack on social web sites. Until now, we have obtained 314 pieces of sample malicious codes\nand 7 C2 domains.\nObserved Countries: Egypt, Israel.\nTools used AnubisSpy, Havex RAT, njRAT, ROCK.\nInformation\nLast change to this card: 21 May 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5430a5f5-1144-4956-8668-7279648ac6cd\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=5430a5f5-1144-4956-8668-7279648ac6cd\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5430a5f5-1144-4956-8668-7279648ac6cd"
	],
	"report_names": [
		"showcard.cgi?u=5430a5f5-1144-4956-8668-7279648ac6cd"
	],
	"threat_actors": [
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434479,
	"ts_updated_at": 1775791970,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb320090c4475910a899655713916bf73f158dca.pdf",
		"text": "https://archive.orkl.eu/cb320090c4475910a899655713916bf73f158dca.txt",
		"img": "https://archive.orkl.eu/cb320090c4475910a899655713916bf73f158dca.jpg"
	}
}