{
	"id": "a86fe28e-3c37-4176-8488-8b6df88cdf44",
	"created_at": "2026-04-06T15:52:36.700785Z",
	"updated_at": "2026-04-10T03:26:47.907533Z",
	"deleted_at": null,
	"sha1_hash": "d0910325b0250a4a3f003010f9882a8de8adfbdd",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54905,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 15:40:03 UTC\n APT group: Group5\nNames\nGroup5 (Citizen Lab)\nG0043 (MITRE)\nCountry Iran\nSponsor State-sponsored\nMotivation Information theft and espionage\nFirst seen 2015\nDescription\n(SecurityWeek) A threat actor using Iranian-language tools, Iranian hosting companies,\noperating from the Iranian IP space at times was observed targeting the Syrian\nopposition in an elaborately staged malware operation, Citizen Lab researchers reveal.\nThe operation was first noticed in late 2015, when a member of the Syrian opposition\nflagged a suspicious email containing a PowerPoint slideshow, which led researchers to\na watering hole website with malicious programs, malicious PowerPoint files, and\nAndroid malware.\nThe threat actor was targeting Windows and Android devices of well-connected\nindividuals in the Syrian opposition, researchers discovered. They called the actor\nGroup5, because it targets Syrian opposition after regime-linked malware groups, the\nSyrian Electronic Army (SEA), Deadeye Jackal, ISIS (also known as the Islamic State\nor ISIL), and a group linked to Lebanon did the same in the past.\nObserved Countries: Syria.\nTools used DroidJack, NanoCore RAT, njRAT.\nInformation MITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=316b9d45-f67a-4595-bdf3-5137489fb3c5\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=316b9d45-f67a-4595-bdf3-5137489fb3c5\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=316b9d45-f67a-4595-bdf3-5137489fb3c5\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=316b9d45-f67a-4595-bdf3-5137489fb3c5"
	],
	"report_names": [
		"showcard.cgi?u=316b9d45-f67a-4595-bdf3-5137489fb3c5"
	],
	"threat_actors": [
		{
			"id": "9aa9b489-a297-4dbd-8601-8fc0370201a6",
			"created_at": "2022-10-25T16:07:23.696796Z",
			"updated_at": "2026-04-10T02:00:04.71508Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "ETDA:Group5",
			"tools": [
				"Atros2.CKPN",
				"Bladabindi",
				"DroidJack",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2f498e6b-3f0e-4f26-8cc7-52121e675643",
			"created_at": "2023-01-06T13:46:38.447274Z",
			"updated_at": "2026-04-10T02:00:02.978901Z",
			"deleted_at": null,
			"main_name": "Deadeye Jackal",
			"aliases": [
				"SyrianElectronicArmy"
			],
			"source_name": "MISPGALAXY:Deadeye Jackal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf0704ab-99e4-44d7-96d9-3cba91339229",
			"created_at": "2022-10-25T15:50:23.485375Z",
			"updated_at": "2026-04-10T02:00:05.332806Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"Group5"
			],
			"source_name": "MITRE:Group5",
			"tools": [
				"njRAT",
				"NanoCore"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "094d8210-4c64-4457-ad97-a94fc7af7630",
			"created_at": "2023-01-06T13:46:38.98103Z",
			"updated_at": "2026-04-10T02:00:03.170376Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "MISPGALAXY:Group5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "76fc6d92-0710-4640-bfa7-3000fe3940a5",
			"created_at": "2022-10-25T16:07:24.251595Z",
			"updated_at": "2026-04-10T02:00:04.911951Z",
			"deleted_at": null,
			"main_name": "Syrian Electronic Army (SEA)",
			"aliases": [
				"ATK 196",
				"Deadeye Jackal",
				"Syria Malware Team",
				"Syrian Electronic Army",
				"TAG-CT2"
			],
			"source_name": "ETDA:Syrian Electronic Army (SEA)",
			"tools": [
				"AndoServer",
				"CypherRat",
				"SLRat",
				"SandroRAT",
				"SilverHawk",
				"SpyNote",
				"SpyNote RAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490756,
	"ts_updated_at": 1775791607,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0910325b0250a4a3f003010f9882a8de8adfbdd.pdf",
		"text": "https://archive.orkl.eu/d0910325b0250a4a3f003010f9882a8de8adfbdd.txt",
		"img": "https://archive.orkl.eu/d0910325b0250a4a3f003010f9882a8de8adfbdd.jpg"
	}
}