{ "id": "777c1451-5149-493a-a676-e714222d1763", "created_at": "2026-04-06T00:08:44.176259Z", "updated_at": "2026-04-10T03:37:36.611085Z", "deleted_at": null, "sha1_hash": "eefd6bd995764bb941043c582f12ca368ae079db", "title": "SpyNote RAT - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 69313, "plain_text": "SpyNote RAT - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:37:59 UTC\n Tool: SpyNote RAT\nNames\nSpyNote RAT\nSpyNote\nCypherRat\nCategory Malware\nType Backdoor, Info stealer, Exfiltration\nDescription\nSpyNote RAT (Remote Access Trojan) is a family of malicious Android apps. The\nSpyNote RAT builder tool can be used to develop malicious apps with the malware's\nfunctionality.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 26 December 2024\nDownload this tool card in JSON format\nAll groups using tool SpyNote RAT\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f6df192b-ad71-4097-b372-0edf8a586d50\nPage 1 of 2\n\nAPT groups\r\n  OilAlpha 2022  \r\n  OilRig, APT 34, Helix Kitten, Chrysene 2014-Sep 2024\r\n  Syrian Electronic Army (SEA), Deadeye Jackal 2011-Aug 2021\r\n      ↳ Subgroup: Pat Bear, APT-C-37 2015  \r\n4 groups listed (4 APT, 0 other, 0 unknown)\r\n↑\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f6df192b-ad71-4097-b372-0edf8a586d50\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f6df192b-ad71-4097-b372-0edf8a586d50\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f6df192b-ad71-4097-b372-0edf8a586d50" ], "report_names": [ "listgroups.cgi?u=f6df192b-ad71-4097-b372-0edf8a586d50" ], "threat_actors": [ { "id": "ca3acede-fb02-418a-8f2b-a73d8c89eda7", "created_at": "2023-06-23T02:04:34.425347Z", "updated_at": "2026-04-10T02:00:04.787571Z", "deleted_at": null, "main_name": "OilAlpha", "aliases": [ "TAG-41", "TAG-62" ], "source_name": "ETDA:OilAlpha", "tools": [ "Bladabindi", "CypherRat", "Jorik", "SpyMax", "SpyNote", "SpyNote RAT", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "2f498e6b-3f0e-4f26-8cc7-52121e675643", "created_at": "2023-01-06T13:46:38.447274Z", "updated_at": "2026-04-10T02:00:02.978901Z", "deleted_at": null, "main_name": "Deadeye Jackal", "aliases": [ "SyrianElectronicArmy" ], "source_name": "MISPGALAXY:Deadeye Jackal", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "76fc6d92-0710-4640-bfa7-3000fe3940a5", "created_at": "2022-10-25T16:07:24.251595Z", "updated_at": "2026-04-10T02:00:04.911951Z", "deleted_at": null, "main_name": "Syrian Electronic Army (SEA)", "aliases": [ "ATK 196", "Deadeye Jackal", "Syria Malware Team", "Syrian Electronic Army", "TAG-CT2" ], "source_name": "ETDA:Syrian Electronic Army (SEA)", "tools": [ "AndoServer", "CypherRat", "SLRat", "SandroRAT", "SilverHawk", "SpyNote", "SpyNote RAT" ], "source_id": "ETDA", "reports": null }, { "id": "0769c188-62ce-44ee-8e9d-1067f3d3c083", "created_at": "2022-10-25T16:07:24.259063Z", "updated_at": "2026-04-10T02:00:04.913621Z", "deleted_at": null, "main_name": "Pat Bear", "aliases": [ "APT-C-37", "Pat Bear", "Racquet Bear" ], "source_name": "ETDA:Pat Bear", "tools": [ "Bladabindi", "CypherRat", "DroidJack", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Iniduoh", "Jenxcus", "Jorik", "Kognito", "Njw0rm", "SSLove RAT", "SpyNote", "SpyNote RAT", "WSHRAT", "dinihou", "dunihi", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "25896473-161f-411f-b76a-f11bb26c96bd", "created_at": "2023-01-06T13:46:38.75749Z", "updated_at": "2026-04-10T02:00:03.090307Z", "deleted_at": null, "main_name": "CHRYSENE", "aliases": [ "Greenbug" ], "source_name": "MISPGALAXY:CHRYSENE", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9802c44a-36d9-4e1e-9f37-76b89b3b61b0", "created_at": "2023-11-07T02:00:07.10244Z", "updated_at": "2026-04-10T02:00:03.408827Z", "deleted_at": null, "main_name": "OilAlpha", "aliases": [], "source_name": "MISPGALAXY:OilAlpha", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434124, "ts_updated_at": 1775792256, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/eefd6bd995764bb941043c582f12ca368ae079db.pdf", "text": "https://archive.orkl.eu/eefd6bd995764bb941043c582f12ca368ae079db.txt", "img": "https://archive.orkl.eu/eefd6bd995764bb941043c582f12ca368ae079db.jpg" } }