{ "id": "f420130c-cdec-45b9-a75a-f6589c71c538", "created_at": "2026-04-06T00:11:07.482218Z", "updated_at": "2026-04-10T03:35:27.538172Z", "deleted_at": null, "sha1_hash": "dee013391087048fd78040b50d4cfd754184b7e9", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52314, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:32:54 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PoisonCarp\n Tool: PoisonCarp\nNames\nPoisonCarp\nINSOMNIA\nCategory Malware\nType Backdoor, Info stealer, Exfiltration\nDescription\n(Citizen Lab) We observed POISON CARP employing a total of eight Android browser\nexploits and one Android spyware kit, as well as one iOS exploit chain and iOS spyware. None\nof the exploits that we observed were zero days. POISON CARP overlaps with two recently\nreported campaigns against the Uyghur community. The iOS exploit and spyware we observed\nwas used in watering hole attacks reported by Google Project Zero, and a website used to serve\nexploits by POISON CARP was also observed in a campaign called “Evil Eye” reported by\nVolexity. The Android malware used in the campaign is a fully featured spyware kit that has\nnot been previously documented.\nInformation\nMalpedia Last change to this tool card: 24 April 2021\nDownload this tool card in JSON format\nAll groups using tool PoisonCarp\nChanged Name Country Observed\nAPT groups\n Poison Carp, Evil Eye 2018-Jun 2023\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bdbce19d-0720-408e-99b9-d56d5df7c1e3\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bdbce19d-0720-408e-99b9-d56d5df7c1e3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bdbce19d-0720-408e-99b9-d56d5df7c1e3\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bdbce19d-0720-408e-99b9-d56d5df7c1e3" ], "report_names": [ "listgroups.cgi?u=bdbce19d-0720-408e-99b9-d56d5df7c1e3" ], "threat_actors": [ { "id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea", "created_at": "2022-10-25T16:07:23.597455Z", "updated_at": "2026-04-10T02:00:04.683154Z", "deleted_at": null, "main_name": "Evil Eye", "aliases": [], "source_name": "ETDA:Evil Eye", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe", "created_at": "2023-01-06T13:46:39.056888Z", "updated_at": "2026-04-10T02:00:03.198866Z", "deleted_at": null, "main_name": "POISON CARP", "aliases": [ "Evil Eye", "Red Dev 16", "Earth Empusa" ], "source_name": "MISPGALAXY:POISON CARP", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574", "created_at": "2022-10-25T16:07:24.064197Z", "updated_at": "2026-04-10T02:00:04.856578Z", "deleted_at": null, "main_name": "Poison Carp", "aliases": [ "Earth Empusa", "Evil Eye", "EvilBamboo", "Poison Carp", "Red Dev 16", "Sentinel Taurus" ], "source_name": "ETDA:Poison Carp", "tools": [ "ActionSpy", "AxeSpy", "BADSIGNAL", "BADSOLAR", "BadBazaar", "IRONSQUIRREL", "IceCube", "MOONSHINE", "PoisonCarp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434267, "ts_updated_at": 1775792127, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/dee013391087048fd78040b50d4cfd754184b7e9.pdf", "text": "https://archive.orkl.eu/dee013391087048fd78040b50d4cfd754184b7e9.txt", "img": "https://archive.orkl.eu/dee013391087048fd78040b50d4cfd754184b7e9.jpg" } }