{
	"id": "41ccb7fb-af60-41bb-94bc-03faf7206bc9",
	"created_at": "2026-04-06T03:36:20.483548Z",
	"updated_at": "2026-04-10T13:12:35.69049Z",
	"deleted_at": null,
	"sha1_hash": "02bf5ddf580a0a911aac79500f687ef648d3762c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49282,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 03:12:14 UTC\r\n\r\nTool: BrutPOS\r\nNames: BrutPOS\r\nCategory: Malware\r\nType: POS malware, Backdoor, Credential stealer, Botnet\r\n\r\nDescription\r\n(FireEye) There have been an increasing number of headlines about breaches at retailers in which attackers have made off with credit card data after compromising point-of-sale (POS) terminals. However, what is not commonly discussed is the fact that one third of these breaches are a result of weak default passwords in the remote administration software that is typically installed on these systems. While advanced exploits generate a lot of interest, sometimes it’s defending the simple attacks that can keep your company from the headlines. In this report, we document a botnet that we call BrutPOS which uses thousands of compromised computers to scan specified IP address ranges for RDP servers that have weak or default passwords in an effort to locate vulnerable POS systems.\r\n\r\nInformation\r\n\u003chttps://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html\u003e\r\n\u003chttps://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf\u003e\r\nMalpedia: \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos\u003e\r\n\r\nLast change to this tool card: 25 May 2020\r\n\r\nAll groups using tool BrutPOS\r\nChanged | Name | Country | Observed\r\n- | Unknown groups (Interesting malware not linked to an actor yet) | - | -\r\n1 group listed (0 APT, 0 other, 1 unknown)\r\n\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d064434d-c204-495f-843d-11df9afc9c6f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d064434d-c204-495f-843d-11df9afc9c6f"
	],
	"report_names": [
		"listgroups.cgi?u=d064434d-c204-495f-843d-11df9afc9c6f"
	],
	"threat_actors": [],
	"ts_created_at": 1775446580,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02bf5ddf580a0a911aac79500f687ef648d3762c.pdf",
		"text": "https://archive.orkl.eu/02bf5ddf580a0a911aac79500f687ef648d3762c.txt",
		"img": "https://archive.orkl.eu/02bf5ddf580a0a911aac79500f687ef648d3762c.jpg"
	}
}