{
	"id": "4842d27c-5031-4f11-bfb4-a587a2c86964",
	"created_at": "2026-04-06T00:09:26.274613Z",
	"updated_at": "2026-04-10T03:25:24.519708Z",
	"deleted_at": null,
	"sha1_hash": "d52b78fa6f9240ed819bb02802ff483350bf0727",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53166,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:50:14 UTC\nAPT group: BlackOasis\nNames\nBlackOasis (Kaspersky)\nG0063 (MITRE)\nCountry [Middle East]\nMotivation Information theft and espionage\nFirst seen 2015\nDescription\nBlackOasis is a Middle Eastern threat group that is believed to be a customer of\nGamma Group. The group has shown interest in prominent figures in the United\nNations, as well as opposition bloggers, activists, regional news correspondents, and\nthink tanks. A group known by Microsoft as Neodymium is reportedly associated\nclosely with BlackOasis operations, but evidence that the group names are aliases\nhas not been identified.\nObserved\nSectors: Media, Think Tanks and activists and the UN.\nCountries: Afghanistan, Angola, Bahrain, Iran, Iraq, Jordan, Libya, Netherlands,\nNigeria, Russia, Saudi Arabia, Tunisia, UK.\nTools used FinFisher, Wingbird and 0-day vulnerabilities in Flash.\nOperations performed\nJun 2015\nLeveraging data from Kaspersky Security Network, we identified two\nother similar exploit chains used by BlackOasis in June 2015 which\nwere zero days at the time. Those include CVE-2015-5119 and CVE-2016-0984, which were patched in July 2015 and February 2016\nrespectively. These exploit chains also delivered FinSpy installation\npackages.\nMay 2016\nWe first became aware of BlackOasis’ activities in May 2016, while\ninvestigating another Adobe Flash zero day. On May 10, 2016, Adobe\nwarned of a vulnerability (CVE-2016-4117) affecting Flash Player\n21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and\nChrome OS. The vulnerability was actively being exploited in the\nwild.\nSep 2017\nFireEye recently detected a malicious Microsoft Office RTF document\nthat leveraged CVE-2017-8759, a SOAP WSDL parser code injection\nvulnerability. This vulnerability allows a malicious actor to inject\narbitrary code during the parsing of SOAP WSDL definition contents.\nOct 2017\nOn October 10, 2017, Kaspersky Lab’s advanced exploit prevention\nsystems identified a new Adobe Flash zero day exploit used in the\nwild against our customers. The exploit was delivered through a\nMicrosoft Office document and the final payload was the latest\nversion of FinSpy malware.\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7db7cd4f-ca76-4176-9d94-80429033ef49",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7db7cd4f-ca76-4176-9d94-80429033ef49"
	],
	"report_names": [
		"showcard.cgi?u=7db7cd4f-ca76-4176-9d94-80429033ef49"
	],
	"threat_actors": [
		{
			"id": "10ad5c1d-5030-4300-be4e-6d24b40a6330",
			"created_at": "2022-10-25T16:07:23.400966Z",
			"updated_at": "2026-04-10T02:00:04.581114Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"G0063"
			],
			"source_name": "ETDA:BlackOasis",
			"tools": [
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Wingbird"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "27485543-d2e7-4053-a660-157489732cbb",
			"created_at": "2022-10-25T16:07:23.895403Z",
			"updated_at": "2026-04-10T02:00:04.781765Z",
			"deleted_at": null,
			"main_name": "Neodymium",
			"aliases": [
				"G0055"
			],
			"source_name": "ETDA:Neodymium",
			"tools": [
				"Wingbird"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "400a3efc-44a1-4d83-a724-cd16818328f9",
			"created_at": "2023-01-06T13:46:38.516115Z",
			"updated_at": "2026-04-10T02:00:03.008975Z",
			"deleted_at": null,
			"main_name": "NEODYMIUM",
			"aliases": [
				"G0055"
			],
			"source_name": "MISPGALAXY:NEODYMIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5200f27d-0d0a-49e9-a9de-9612971126c2",
			"created_at": "2023-01-06T13:46:38.959648Z",
			"updated_at": "2026-04-10T02:00:03.163547Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"G0063"
			],
			"source_name": "MISPGALAXY:BlackOasis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1ba9c064-34d2-48b5-a08c-04d241b00ebe",
			"created_at": "2022-10-25T15:50:23.734241Z",
			"updated_at": "2026-04-10T02:00:05.404606Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"BlackOasis"
			],
			"source_name": "MITRE:BlackOasis",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c11cbeb5-461f-4bd8-a86b-f57e471a664d",
			"created_at": "2022-10-25T15:50:23.257383Z",
			"updated_at": "2026-04-10T02:00:05.414047Z",
			"deleted_at": null,
			"main_name": "NEODYMIUM",
			"aliases": [
				"NEODYMIUM"
			],
			"source_name": "MITRE:NEODYMIUM",
			"tools": [
				"Wingbird"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434166,
	"ts_updated_at": 1775791524,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d52b78fa6f9240ed819bb02802ff483350bf0727.pdf",
		"text": "https://archive.orkl.eu/d52b78fa6f9240ed819bb02802ff483350bf0727.txt",
		"img": "https://archive.orkl.eu/d52b78fa6f9240ed819bb02802ff483350bf0727.jpg"
	}
}