{
	"id": "1781070f-7c31-4092-bc91-d595963e81d1",
	"created_at": "2026-04-06T00:19:33.731076Z",
	"updated_at": "2026-04-10T13:12:59.129241Z",
	"deleted_at": null,
	"sha1_hash": "d6b8e6a1148f3d69639ff9cb9e23471d101f1b44",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51336,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:43:22 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Scotch\n Tool: Scotch\nNames Scotch\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Exfiltration, Downloader\nDescription\n(Citizen Lab) The ultimate spyware tool deployed by MOONSHINE, Scotch, is a modular\nJava application which uses the WebSocket protocol to communicate with its C2 server. The\nScotch payload itself has limited espionage features, such as obtaining device information and\nuploading files from the infected device. However, as part of its initial contact with the C2,\nScotch downloads additional plugins. During our analysis, we were able to acquire two plugin\npackages, named “Bourbon.jar” and “IceCube.jar” which added functionality including\nexfiltrating SMS text messages, address books, and call logs, and spying on the target through\ntheir phone’s camera, microphone, and GPS.\nInformation\nLast change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool Scotch\nChanged Name Country Observed\nAPT groups\n Poison Carp, Evil Eye 2018-Jun 2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8a258c41-a89e-44d0-b1e4-d27ed074cd21\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8a258c41-a89e-44d0-b1e4-d27ed074cd21\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8a258c41-a89e-44d0-b1e4-d27ed074cd21"
	],
	"report_names": [
		"listgroups.cgi?u=8a258c41-a89e-44d0-b1e4-d27ed074cd21"
	],
	"threat_actors": [
		{
			"id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea",
			"created_at": "2022-10-25T16:07:23.597455Z",
			"updated_at": "2026-04-10T02:00:04.683154Z",
			"deleted_at": null,
			"main_name": "Evil Eye",
			"aliases": [],
			"source_name": "ETDA:Evil Eye",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434773,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6b8e6a1148f3d69639ff9cb9e23471d101f1b44.pdf",
		"text": "https://archive.orkl.eu/d6b8e6a1148f3d69639ff9cb9e23471d101f1b44.txt",
		"img": "https://archive.orkl.eu/d6b8e6a1148f3d69639ff9cb9e23471d101f1b44.jpg"
	}
}