{
	"id": "ea7ae0ea-897c-4cc6-b745-298250387cfc",
	"created_at": "2026-04-06T00:21:12.076646Z",
	"updated_at": "2026-04-10T13:11:55.611853Z",
	"deleted_at": null,
	"sha1_hash": "dda86125716ddcf0ac5656f0f5d6e7877a589b40",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52463,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:12:40 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool WyrmSpy\r\n Tool: WyrmSpy\r\nNames\r\nWyrmSpy\r\nAndroidControl\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Credential stealer, Exfiltration\r\nDescription\r\n(Lookout) After it’s installed and launched, WyrmSpy uses known rooting tools to gain\r\nescalated (root) privileges on the device and perform surveillance activities specified by commands\r\nreceived from its C2 servers. These commands include instructing the malware to upload log\r\nfiles and photos stored on the device, and to acquire the device’s location using the Baidu Location library.\r\nAlthough we were not able to acquire additional modules from the C2 infrastructure at the\r\ntime of discovery, we assess with high confidence that a secondary payload is used by the\r\nmalware to perform additional surveillance functionality. This is based on the permissions that\r\nWyrmSpy obtains but does not use in the code contained in the app, which indicates abilities to\r\nexfiltrate additional data, such as SMS and audio recordings.\r\nConfiguration files used by the malware to execute instructions received from the C2 further\r\nsupport this hypothesis, with references to “AudioRecord” and “Files” set to true or false\r\nbased on received commands.\r\nInformation\r\n\u003chttps://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/apk.wyrmspy\u003e\r\nLast change to this tool card: 30 November 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool WyrmSpy\r\nChanged Name Country Observed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fc5f26a3-382f-498c-982d-b9a165c301bf\r\nPage 1 of 2\n\nAPT groups\r\n  APT 41 2012-Jul 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fc5f26a3-382f-498c-982d-b9a165c301bf\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fc5f26a3-382f-498c-982d-b9a165c301bf\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fc5f26a3-382f-498c-982d-b9a165c301bf"
	],
	"report_names": [
		"listgroups.cgi?u=fc5f26a3-382f-498c-982d-b9a165c301bf"
	],
	"threat_actors": [
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434872,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dda86125716ddcf0ac5656f0f5d6e7877a589b40.pdf",
		"text": "https://archive.orkl.eu/dda86125716ddcf0ac5656f0f5d6e7877a589b40.txt",
		"img": "https://archive.orkl.eu/dda86125716ddcf0ac5656f0f5d6e7877a589b40.jpg"
	}
}