ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Retefe Gang, Operation Emmental

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Other threat group: Retefe Gang, Operation Emmental

NamesRetefe Gang (
Operation Emmental (Trend Micro)
CountryRussia Russia
MotivationFinancial crime
First seen2013
Description( Surprisingly, there is a lot of media attention going on at the moment on a macOS malware called OSX/Dok. In the recent weeks, various anti-virus vendors and security researchers published blog posts on this threat, presenting their analysis and findings. While some findings where very interesting, others were misleading or simply wrong.

We don’t know where the sudden media interest and the attention from anti-virus vendors on this threat actor are coming from. As a matter of fact, the threat actor behind OSX/Dok, which we call the the Retefe gang or Operation Emmental, has already been around for many years and is tracking their activities since the very beginning (2013). The purpose of this blog post is to put the puzzle pieces together and trying to bust some of the myths that have made the round in the media recently.
ObservedSectors: Financial.
Countries: Austria, Germany, Japan, Romania, Sweden, Switzerland, Turkey, UK.
Tools usedCitadel, Retefe, Retefe (Android), Tinba.

Last change to this card: 22 May 2020

Download this actor card in PDF or JSON format

Previous: ResumeLooters
Next: Roaming Mantis

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]