{ "id": "7430acfa-aee7-43ac-bed0-def5d00d6aa1", "created_at": "2026-04-06T00:15:28.422589Z", "updated_at": "2026-04-10T03:24:17.000006Z", "deleted_at": null, "sha1_hash": "dfac2a3b7ce3cb9eb745725797e07f4db56f734d", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53795, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:08:55 UTC\r\n Other threat group: Circles\r\nNames Circles (real name)\r\nCountry Israel\r\nMotivation Financial gain\r\nFirst seen 2015\r\nDescription\r\n(Citizen Lab) Circles is a surveillance firm that reportedly exploits weaknesses in the global\r\nmobile phone system to snoop on calls, texts, and the location of phones around the globe.\r\nCircles is affiliated with NSO Group, which develops the oft-abused Pegasus spyware.\r\nCircles, whose products work without hacking the phone itself, says they sell only to nation-states. According to leaked documents, Circles customers can purchase a system that they\r\nconnect to their local telecommunications companies’ infrastructure, or can use a separate\r\nsystem called the “Circles Cloud,” which interconnects with telecommunications companies\r\naround the world.\r\nAccording to the U.S. Department of Homeland Security, all U.S. wireless networks are\r\nvulnerable to the types of weaknesses reportedly exploited by Circles. A majority of networks\r\naround the globe are similarly vulnerable.\r\nUsing Internet scanning, we found a unique signature associated with the hostnames of Check\r\nPoint firewalls used in Circles deployments. This scanning enabled us to identify Circles\r\ndeployments in at least 25 countries.\r\nWhile companies selling exploitation of the global cellular system tend to operate in secrecy,\r\none company has emerged as a known player: Circles. The company was reportedly founded\r\nin 2008, acquired in 2014 by Francisco Partners, and then merged with NSO Group. Circles is\r\nknown for selling systems to exploit SS7 vulnerabilities, and claims to sell this technology\r\nexclusively to nation-states.\r\nObserved\r\nCountries: Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia,\r\nEquatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico,\r\nMorocco, Nigeria, Peru, Serbia, Thailand, UAE, Vietnam, Zambia, Zimbabwe.\r\nTools used Circles.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=dfb0f411-b690-46b4-9e4d-4626687591c6\r\nPage 1 of 2\n\nInformation\nLast change to this card: 06 January 2021\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=dfb0f411-b690-46b4-9e4d-4626687591c6\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=dfb0f411-b690-46b4-9e4d-4626687591c6\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=dfb0f411-b690-46b4-9e4d-4626687591c6" ], "report_names": [ "showcard.cgi?u=dfb0f411-b690-46b4-9e4d-4626687591c6" ], "threat_actors": [ { "id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf", "created_at": "2022-10-25T16:07:24.467088Z", "updated_at": "2026-04-10T02:00:05.000485Z", "deleted_at": null, "main_name": "Circles", "aliases": [], "source_name": "ETDA:Circles", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434528, "ts_updated_at": 1775791457, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/dfac2a3b7ce3cb9eb745725797e07f4db56f734d.pdf", "text": "https://archive.orkl.eu/dfac2a3b7ce3cb9eb745725797e07f4db56f734d.txt", "img": "https://archive.orkl.eu/dfac2a3b7ce3cb9eb745725797e07f4db56f734d.jpg" } }