{
	"id": "32606a80-0b78-42f7-8976-8a35a5488b25",
	"created_at": "2026-04-06T00:08:02.576785Z",
	"updated_at": "2026-04-10T13:12:43.646764Z",
	"deleted_at": null,
	"sha1_hash": "f416781978fa0e61275ab6482165c5702ef81e7c",
	"title": "Catelites Bot - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50295,
	"plain_text": "Catelites Bot - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:33:20 UTC\r\n Tool: Catelites Bot\r\nNames\r\nCatelites Bot\r\nCatelites\r\nCategory Malware\r\nType Banking trojan\r\nDescription\r\n(Avast) Now, the Avast Threat Labs team have uncovered and analyzed with SfyLabs a\r\nnew version of the malware, dubbed Catelites Bot, which shares similarities with the\r\nmalware used for CronBot.\r\nWhile we are still investigating the details of this malware, here is what we know: this\r\nmalware gets “dropped” onto your device after you download an app from a third-party\r\napp store (not official shops like Google Play) or from malicious adware\r\n(malvertisements) or phishing sites. Once dropped onto your Android device, the\r\nmalicious app looks like the icon seen in the screen below and is titled “System\r\nApplication.”\r\nWorse still, this piece of malware can also go after your bank account login details. This\r\nmalware has the ability to pose as over 2,200 banks and financial institutions. It does so\r\nby adopting the logo and mobile application name of a bank used in the Google Play\r\nStore, allowing the author to use simple templates to harvest username and password or\r\ncredit card information. 
The overlay is HTML-based and not as sophisticated as other\r\nAndroid banking malware such as LokiBot, Red Alert, or ExoBot, but the power here is\r\nclearly in the shotgun approach: using simple phishing overlay screens, the criminals are\r\nable to target many more users, increasing their likelihood of financial gain.\r\nInformation\r\n\u003chttps://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:Catelites\u003e\r\nLast change to this tool card: 28 December 2022\r\nAll groups using tool Catelites Bot\r\nChanged Name Country Observed\r\nOther groups\r\n  Cron 2015-Dec 2017\r\n1 group listed (0 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7792fc81-4715-436d-8eab-ccc560958972",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7792fc81-4715-436d-8eab-ccc560958972"
	],
	"report_names": [
		"listgroups.cgi?u=7792fc81-4715-436d-8eab-ccc560958972"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434082,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f416781978fa0e61275ab6482165c5702ef81e7c.pdf",
		"text": "https://archive.orkl.eu/f416781978fa0e61275ab6482165c5702ef81e7c.txt",
		"img": "https://archive.orkl.eu/f416781978fa0e61275ab6482165c5702ef81e7c.jpg"
	}
}