{
	"id": "c92bbdc2-d866-4a5c-91e5-262585956f6f",
	"created_at": "2026-04-06T00:06:10.67507Z",
	"updated_at": "2026-04-10T03:35:53.692632Z",
	"deleted_at": null,
	"sha1_hash": "eb63c416d835e845d87ac5ae897b976ea93d2fd3",
	"title": "Wild Neutron, Butterfly, Sphinx Moth",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58332,
	"plain_text": "Wild Neutron, Butterfly, Sphinx Moth\r\nArchived: 2026-04-02 11:32:58 UTC\r\nHome \u003e List all groups \u003e Wild Neutron, Butterfly, Sphinx Moth\r\n APT group: Wild Neutron, Butterfly, Sphinx Moth\r\nNames\r\nWild Neutron (Kaspersky)\r\nButterfly (Symantec)\r\nMorpho (Symantec)\r\nSphinx Moth (Kudeslski)\r\nThe Postal Group (CERT Polska)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription\r\n(Symantec) A corporate espionage group has compromised a string of major\r\ncorporations over the past three years in order to steal confidential information and\r\nintellectual property. The gang, which Symantec calls Butterfly, is not-state\r\nsponsored, rather financially motivated. It has attacked multi-billion dollar\r\ncompanies operating in the internet, IT software, pharmaceutical, and commodities\r\nsectors. Twitter, Facebook, Apple, and Microsoft are among the companies who\r\nhave publicly acknowledged attacks.\r\nButterfly is technically proficient and well resourced. The group has developed a\r\nsuite of custom malware tools capable of attacking both Windows and Apple\r\ncomputers, and appears to have used at least one zero-day vulnerability in its attacks.\r\nIt keeps a low profile and maintains good operational security. After successfully\r\ncompromising a target organization, it cleans up after itself before moving on to its\r\nnext target.\r\nThis group operates at a much higher level than the average cybercrime gang. It is\r\nnot interested in stealing credit card details or customer databases and is instead\r\nfocused on high-level corporate information. Butterfly may be selling this\r\ninformation to the highest bidder or may be operating as hackers for hire. Stolen\r\ninformation could also be used for insider-trading purposes.\r\nObserved Sectors: Financial, Healthcare, IT and Bitcoin-related companies, Investment\r\ncompanies, Real estate, lawyers and individual users.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=00884ba1-39b4-4b67-bc3c-21167524f868\r\nPage 1 of 2\n\nCountries: Algeria, Australia, Austria, Canada, France, Germany, Kazakhstan,\nPalestine, Poland, Russia, Slovenia, Spain, Switzerland, UAE, UK, USA.\nTools used HesperBot, JripBot and many 0-days vulnerabilities.\nOperations performed\nJan 2013\nAttack on Twitter\nFeb 2013\nAttack on Facebook\nFeb 2013\nAttack on Apple\nFeb 2013\nAttack on Microsoft\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=00884ba1-39b4-4b67-bc3c-21167524f868\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=00884ba1-39b4-4b67-bc3c-21167524f868\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=00884ba1-39b4-4b67-bc3c-21167524f868"
	],
	"report_names": [
		"showcard.cgi?u=00884ba1-39b4-4b67-bc3c-21167524f868"
	],
	"threat_actors": [
		{
			"id": "92c0dae2-e255-4b90-8d8f-be88e393ab8d",
			"created_at": "2022-10-25T16:07:24.402328Z",
			"updated_at": "2026-04-10T02:00:04.97641Z",
			"deleted_at": null,
			"main_name": "Wild Neutron",
			"aliases": [
				"Butterfly",
				"Morpho",
				"Sphinx Moth",
				"The Postal Group",
				"Wild Neutron"
			],
			"source_name": "ETDA:Wild Neutron",
			"tools": [
				"HesperBot",
				"Jiripbot",
				"JripBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a653b7ac-97b5-465b-98cd-8713223b06a7",
			"created_at": "2023-01-06T13:46:38.592385Z",
			"updated_at": "2026-04-10T02:00:03.032867Z",
			"deleted_at": null,
			"main_name": "WildNeutron",
			"aliases": [
				"Morpho",
				"Sphinx Moth"
			],
			"source_name": "MISPGALAXY:WildNeutron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433970,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb63c416d835e845d87ac5ae897b976ea93d2fd3.pdf",
		"text": "https://archive.orkl.eu/eb63c416d835e845d87ac5ae897b976ea93d2fd3.txt",
		"img": "https://archive.orkl.eu/eb63c416d835e845d87ac5ae897b976ea93d2fd3.jpg"
	}
}