{
	"id": "94b7ad7b-312d-475d-8198-582a450e9ef3",
	"created_at": "2026-04-06T00:21:28.951824Z",
	"updated_at": "2026-04-10T13:11:48.001811Z",
	"deleted_at": null,
	"sha1_hash": "e3d03faf103cdd35e5d364e674e917aada3e38a2",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49263,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:52:06 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SpyC23\n Tool: SpyC23\nNames SpyC23\nCategory Malware\nType Backdoor, Info stealer, Downloader, Exfiltration\nDescription\n(SentinelLabs) The Arid Viper group has a long history of using mobile malware,\nincluding at least four Android spyware families and one short-lived iOS implant,\nPhenakite. The SpyC23 Android malware family has existed since at least 2019, though\nshared code between the Arid Viper spyware families dates back to 2017. It was first\nreported in 2020 by ESET in a campaign where the actor used a third-party app store to\ndistribute weaponized Android packages (APK). That campaign featured several apps\ndesigned to mimic Telegram and Android application update managers.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 28 June 2025\nDownload this tool card in JSON format\nAll groups using tool SpyC23\nChanged Name Country Observed\nAPT groups\n Desert Falcons [Gaza] 2011-Oct 2023\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=db9dd5bc-425f-4dfe-ace8-a0e62afbb1f3\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=db9dd5bc-425f-4dfe-ace8-a0e62afbb1f3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=db9dd5bc-425f-4dfe-ace8-a0e62afbb1f3\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=db9dd5bc-425f-4dfe-ace8-a0e62afbb1f3"
	],
	"report_names": [
		"listgroups.cgi?u=db9dd5bc-425f-4dfe-ace8-a0e62afbb1f3"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434888,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3d03faf103cdd35e5d364e674e917aada3e38a2.pdf",
		"text": "https://archive.orkl.eu/e3d03faf103cdd35e5d364e674e917aada3e38a2.txt",
		"img": "https://archive.orkl.eu/e3d03faf103cdd35e5d364e674e917aada3e38a2.jpg"
	}
}