{ "id": "451ec2bf-8dfb-48d8-871a-f06c10e809d7", "created_at": "2026-04-06T00:19:23.581462Z", "updated_at": "2026-04-10T03:36:50.411124Z", "deleted_at": null, "sha1_hash": "eba5596fce08e973441a665f9b70e505ffa5e15f", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52818, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:58:49 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Android RAT\r\n Tool: Android RAT\r\nNames Android RAT\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\r\nDescription (Kaspersky) The first application on the list that is not installed on the system will be selected\r\nas the target application. The malware embeds multiple APK files, which are stored in a\r\ndirectory named “assets”. The analyzed sample includes the following packages:\r\napk a20fc273a49c3b882845ac8d6cc5beac\r\napk 53cd72147b0ef6bf6e64d266bf3ccafe\r\napk bae69f2ce9f002a11238dcf29101c14f\r\napk b8006e986453a6f25fd94db6b7114ac2\r\napk 4556ccecbf24b2e3e07d3856f42c7072\r\napk 6c3308cd8a060327d841626a677a0549\r\nThe selected APK is copied to /.System/APK/. By default, the application tries to save the file\r\nto external storage, otherwise it saves it to the data directory.\r\nFinally, the application tries to install the copied APK. The final malware is a modified version\r\nof the AhMyth Android RAT, open-source malware downloadable from GitHub, which is built\r\nby binding the malicious payload inside other legitimate applications.\r\nBasically, it provides the following features:\r\n• camera manager (list devices and steal screenshots)\r\n• file manager (enumerate files and upload these to the C2)\r\n• SMS manager (get a list of text messages or send a text)\r\n• get the call log\r\n• get the contact list\r\n• microphone manager\r\n• location manager (track the device location)\r\nThe RAT that we analyzed is slightly different from the original. It includes new features\r\nadded by the attackers to improve data exfiltration, whereas some of the core features, such as\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6d0531f4-46f8-4b78-a3d9-44c73aeefbcc\r\nPage 1 of 2\n\nthe ability to steal pictures from the camera, are missing.\nInformation Last change to this tool card: 27 August 2020\nDownload this tool card in JSON format\nAll groups using tool Android RAT\nChanged Name Country Observed\nAPT groups\n Transparent Tribe, APT 36 2013-Mar 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6d0531f4-46f8-4b78-a3d9-44c73aeefbcc\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6d0531f4-46f8-4b78-a3d9-44c73aeefbcc\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6d0531f4-46f8-4b78-a3d9-44c73aeefbcc" ], "report_names": [ "listgroups.cgi?u=6d0531f4-46f8-4b78-a3d9-44c73aeefbcc" ], "threat_actors": [ { "id": "fce5181c-7aab-400f-bd03-9db9e791da04", "created_at": "2022-10-25T15:50:23.759799Z", "updated_at": "2026-04-10T02:00:05.3002Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "Transparent Tribe", "COPPER FIELDSTONE", "APT36", "Mythic Leopard", "ProjectM" ], "source_name": "MITRE:Transparent Tribe", "tools": [ "DarkComet", "ObliqueRAT", "njRAT", "Peppy" ], "source_id": "MITRE", "reports": null }, { "id": "abb24b7b-6baa-4070-9a2b-aa59091097d1", "created_at": "2022-10-25T16:07:24.339942Z", "updated_at": "2026-04-10T02:00:04.944806Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "APT 36", "APT-C-56", "Copper Fieldstone", "Earth Karkaddan", "G0134", "Green Havildar", "Mythic Leopard", "Opaque Draco", "Operation C-Major", "Operation Honey Trap", "Operation Transparent Tribe", "ProjectM", "STEPPY-KAVACH", "Storm-0156", "TEMP.Lapis", "Transparent Tribe" ], "source_name": "ETDA:Transparent Tribe", "tools": [ "Amphibeon", "Android RAT", "Bezigate", "Bladabindi", "Bozok", "Bozok RAT", "BreachRAT", "Breut", "CapraRAT", "CinaRAT", "Crimson RAT", "DarkComet", "DarkKomet", "ElizaRAT", "FYNLOS", "Fynloski", "Jorik", "Krademok", "Limepad", "Luminosity RAT", "LuminosityLink", "MSIL", "MSIL/Crimson", "Mobzsar", "MumbaiDown", "Oblique RAT", "ObliqueRAT", "Peppy RAT", "Peppy Trojan", "Quasar RAT", "QuasarRAT", "SEEDOOR", "Scarimson", "SilentCMD", "Stealth Mango", "UPDATESEE", "USBWorm", "Waizsar RAT", "Yggdrasil", "beendoor", "klovbot", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "c68fa27f-e8d9-4932-856b-467ccfe39997", "created_at": "2023-01-06T13:46:38.450585Z", "updated_at": "2026-04-10T02:00:02.980334Z", "deleted_at": null, "main_name": "Operation C-Major", "aliases": [ "APT36", "APT 36", "TMP.Lapis", "COPPER FIELDSTONE", "Storm-0156", "Transparent Tribe", "ProjectM", "Green Havildar", "Earth Karkaddan", "C-Major", "Mythic Leopard" ], "source_name": "MISPGALAXY:Operation C-Major", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434763, "ts_updated_at": 1775792210, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/eba5596fce08e973441a665f9b70e505ffa5e15f.pdf", "text": "https://archive.orkl.eu/eba5596fce08e973441a665f9b70e505ffa5e15f.txt", "img": "https://archive.orkl.eu/eba5596fce08e973441a665f9b70e505ffa5e15f.jpg" } }