{
	"id": "187fbc13-5245-4a08-a2c9-e3215ea943e6",
	"created_at": "2026-04-06T00:13:27.426654Z",
	"updated_at": "2026-04-10T03:31:49.135641Z",
	"deleted_at": null,
	"sha1_hash": "f684b808d0a733df6f7480a618097d3b103c8948",
	"title": "Operation Ghoul - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53335,
	"plain_text": "Operation Ghoul - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-02 12:43:52 UTC\nHome \u003e List all groups \u003e Operation Ghoul\n APT group: Operation Ghoul\nNames Operation Ghoul (Kaspersky)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2016\nDescription\n(Kaspersky) Kaspersky Lab has observed new waves of attacks that started on the 8th and the\n27th of June 2016. These have been highly active in the Middle East region and unveiled\nongoing targeted attacks in multiple regions. The attackers try to lure targets through spear\nphishing emails that include compressed executables. The malware collects all data such as\npasswords, keystrokes and screenshots, then sends it to the attackers.\nWe found that the group behind this campaign targeted mainly industrial, engineering and\nmanufacturing organizations in more than 30 countries. In total, over 130 organizations have\nbeen identified as victims of this campaign. Using the Kaspersky Security Network (KSN) and\nartifacts from malware files and attack sites, we were able to trace the attacks back to March\n2015. 
Noteworthy is that since the beginning of their activities, the attackers’ motivations are\napparently financial, whether through the victims’ banking accounts or through selling their\nintellectual property to interested parties. Most infiltrated victim organizations are considered\nSMBs (Small to Medium size businesses, 30-300 employees). The utilization of commercial\noff-the-shelf malware makes the attribution of the attacks more difficult.\nObserved\nSectors: Education, Engineering, Industrial, Manufacturing, IT, Pharmaceutical, Shipping and\nLogistics and Tourism and Trading.\nCountries: Azerbaijan, China, Egypt, France, Germany, Gibraltar, India, Iran, Iraq, Italy,\nPakistan, Portugal, Romania, Qatar, Saudi Arabia, Spain, Sweden, Switzerland, Taiwan,\nTurkey, UAE, UK, USA.\nTools used OpGhoul.\nInformation\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7ad2d47f-2f79-4d4a-aeaa-137747a961df\nPage 1 of 2\n\nLast change to this card: 14 April 2020\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7ad2d47f-2f79-4d4a-aeaa-137747a961df\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7ad2d47f-2f79-4d4a-aeaa-137747a961df\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7ad2d47f-2f79-4d4a-aeaa-137747a961df"
	],
	"report_names": [
		"showcard.cgi?u=7ad2d47f-2f79-4d4a-aeaa-137747a961df"
	],
	"threat_actors": [
		{
			"id": "373f10d9-9fdb-4451-b158-da634c6bfb22",
			"created_at": "2024-02-06T02:00:04.148051Z",
			"updated_at": "2026-04-10T02:00:03.579412Z",
			"deleted_at": null,
			"main_name": "Operation Ghoul",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Ghoul",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5919968-4173-411e-801d-9a1a3bd6a10c",
			"created_at": "2022-10-25T16:07:23.959228Z",
			"updated_at": "2026-04-10T02:00:04.808278Z",
			"deleted_at": null,
			"main_name": "Operation Ghoul",
			"aliases": [],
			"source_name": "ETDA:Operation Ghoul",
			"tools": [
				"OpGhoul"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f684b808d0a733df6f7480a618097d3b103c8948.pdf",
		"text": "https://archive.orkl.eu/f684b808d0a733df6f7480a618097d3b103c8948.txt",
		"img": "https://archive.orkl.eu/f684b808d0a733df6f7480a618097d3b103c8948.jpg"
	}
}