{ "id": "8b627046-8558-4cbb-bd1b-c21fcf970f08", "created_at": "2026-04-06T00:12:02.764269Z", "updated_at": "2026-04-10T13:11:25.665066Z", "deleted_at": null, "sha1_hash": "ccd25e026e6ddd70f432d5821e811534ba673cbd", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 55866, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:43:36 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Rana\r\n Tool: Rana\r\nNames Rana\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\r\nDescription\r\n(ReversingLabs) In today’s world, the most valuable source of such information are\r\nsmartphones. You carry a smartphone almost the entire time, and, besides being the main tool\r\nfor everyday communication, smartphones also provide a large set of secondary\r\nfunctionalities, including visual and audio recording and location services. Because of all these\r\ncapabilities, gaining control over someone’s smartphone provides the malicious actor with a\r\npowerful espionage tool. For these reasons, we decided to take a better look at the information\r\nand IOCs provided in the referenced report to see if there is anything more to be found about\r\nthis Android malware.\r\nInformation \u003chttps://blog.reversinglabs.com/blog/rana-android-malware\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/apk.rana\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool Rana\r\nChanged Name Country Observed\r\nAPT groups\r\n  Chafer, APT 39 2014-Sep 2020\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3292c11b-11db-4b78-8347-c6f341127ff1\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3292c11b-11db-4b78-8347-c6f341127ff1\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3292c11b-11db-4b78-8347-c6f341127ff1\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3292c11b-11db-4b78-8347-c6f341127ff1" ], "report_names": [ "listgroups.cgi?u=3292c11b-11db-4b78-8347-c6f341127ff1" ], "threat_actors": [ { "id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d", "created_at": "2025-08-07T02:03:24.741594Z", "updated_at": "2026-04-10T02:00:03.653394Z", "deleted_at": null, "main_name": "COBALT HICKMAN", "aliases": [ "APT39 ", "Burgundy Sandstorm ", "Chafer ", "ITG07 ", "Remix Kitten " ], "source_name": "Secureworks:COBALT HICKMAN", "tools": [ "MechaFlounder", "Mimikatz", "Remexi", "TREKX" ], "source_id": "Secureworks", "reports": null }, { "id": "bee22874-f90e-410b-93f3-a2f9b1c2e695", "created_at": "2022-10-25T16:07:23.45097Z", "updated_at": "2026-04-10T02:00:04.610108Z", "deleted_at": null, "main_name": "Chafer", "aliases": [ "APT 39", "Burgundy Sandstorm", "Cobalt Hickman", "G0087", "ITG07", "Radio Serpens", "Remix Kitten", "TA454" ], "source_name": "ETDA:Chafer", "tools": [ "ASPXSpy", "ASPXTool", "Antak", "CACHEMONEY", "EternalBlue", "HTTPTunnel", "LOLBAS", "LOLBins", "Living off the Land", "MechaFlounder", "Metasploit", "Mimikatz", "NBTscan", "NSSM", "Non-sucking Service Manager", "POWBAT", "Plink", "PuTTY Link", "Rana", "Remcom", "Remexi", "RemoteCommandExecution", "SafetyKatz", "UltraVNC", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "nbtscan", "pwdump" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434322, "ts_updated_at": 1775826685, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ccd25e026e6ddd70f432d5821e811534ba673cbd.pdf", "text": "https://archive.orkl.eu/ccd25e026e6ddd70f432d5821e811534ba673cbd.txt", "img": "https://archive.orkl.eu/ccd25e026e6ddd70f432d5821e811534ba673cbd.jpg" } }