{
	"id": "5730cbdd-6ad1-4b96-a994-a610e40794a5",
	"created_at": "2026-04-06T01:30:56.597936Z",
	"updated_at": "2026-04-10T03:25:59.559885Z",
	"deleted_at": null,
	"sha1_hash": "eb022d195bd70f53e73e717dab07b154789d8094",
	"title": "Operation Silent Skimmer - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46744,
	"plain_text": "Operation Silent Skimmer - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:10:39 UTC\r\nAPT group: Operation Silent Skimmer\r\nNames Operation Silent Skimmer (BlackBerry)\r\nCountry [Unknown]\r\nMotivation Financial crime\r\nFirst seen 2022\r\nDescription\r\n(BlackBerry) BlackBerry has discovered a new campaign we’ve dubbed “Silent Skimmer,”\r\ninvolving a financially motivated threat actor targeting vulnerable online payment businesses\r\nin the APAC and NALA regions. The attacker compromises web servers, using vulnerabilities\r\nto gain initial access. The final payload deploys payment scraping mechanisms on\r\ncompromised websites to extract sensitive financial data from users.\r\nThe campaign has been active for over a year, and targets diverse industries that host or create\r\npayment infrastructure, such as online businesses and Point of Sales (POS) providers. We have\r\nuncovered evidence suggesting the threat actor is proficient in the Chinese language, and\r\noperates predominantly in the Asia-Pacific (APAC) region.\r\nObserved Countries: USA and Asia Pacific.\r\nTools used\r\nBadPotato, Cobalt Strike, GodPotato, Godzilla, JuicyPotato, PowerShell RAT, SharpToken,\r\nSweetPotato, Living off the Land.\r\nInformation\r\n\u003chttps://blogs.blackberry.com/en/2023/09/silent-skimmer-online-payment-scraping-campaign-shifts-targets-from-apac-to-nala\u003e\r\nLast change to this card: 12 October 2023\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=87ea63a4-70b1-49b3-80a3-7295c5f47ba9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=87ea63a4-70b1-49b3-80a3-7295c5f47ba9"
	],
	"report_names": [
		"showcard.cgi?u=87ea63a4-70b1-49b3-80a3-7295c5f47ba9"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ad98b6a9-78aa-4375-81c2-55ce04626812",
			"created_at": "2023-10-14T02:03:14.382189Z",
			"updated_at": "2026-04-10T02:00:04.836992Z",
			"deleted_at": null,
			"main_name": "Operation Silent Skimmer",
			"aliases": [],
			"source_name": "ETDA:Operation Silent Skimmer",
			"tools": [
				"Agentemis",
				"BadPotato",
				"Cobalt Strike",
				"CobaltStrike",
				"GodPotato",
				"Godzilla",
				"Godzilla Loader",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"PowerShell RAT",
				"SharpToken",
				"SweetPotato",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439056,
	"ts_updated_at": 1775791559,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb022d195bd70f53e73e717dab07b154789d8094.pdf",
		"text": "https://archive.orkl.eu/eb022d195bd70f53e73e717dab07b154789d8094.txt",
		"img": "https://archive.orkl.eu/eb022d195bd70f53e73e717dab07b154789d8094.jpg"
	}
}