{
	"id": "e10e4d7b-d55c-4520-a36a-0e20038047cb",
	"created_at": "2026-04-06T00:22:26.267366Z",
	"updated_at": "2026-04-10T03:33:16.714527Z",
	"deleted_at": null,
	"sha1_hash": "04d2123bbca8af3910fbfad2f18294f7a702fe70",
	"title": "Ficker Stealer - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44089,
	"plain_text": "Ficker Stealer - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:41:14 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Ficker Stealer\r\n Tool: Ficker Stealer\r\nNames Ficker Stealer\r\nCategory Malware\r\nType Info stealer, Credential stealer\r\nDescription\r\n(Minerva) FickerStealer is a MaaS (Malware as a Service) stealer that is sold on hacking\r\nforums. Its main goal is to steal sensitive information cached by the user - specifically browser\r\npasswords - and send it back to the virus’ owner. In Minerva’s lab environment we even saw\r\nFicker downloading Kronos RAT, making this threat more dangerous than it initially seems.\r\nInformation \u003chttps://blog.minerva-labs.com/minerva-labs-stops-fickerstealer\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool Ficker Stealer\r\nChanged Name Country Observed\r\nOther groups\r\n  TA511 [Unknown] 2018-Oct 2020  \r\n1 group listed (0 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6a1efd0a-772a-4210-b1f9-b729d052f9fc\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6a1efd0a-772a-4210-b1f9-b729d052f9fc\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6a1efd0a-772a-4210-b1f9-b729d052f9fc"
	],
	"report_names": [
		"listgroups.cgi?u=6a1efd0a-772a-4210-b1f9-b729d052f9fc"
	],
	"threat_actors": [
		{
			"id": "1f6ae238-765f-4495-9d54-6a7883d7a319",
			"created_at": "2022-10-25T16:07:24.573456Z",
			"updated_at": "2026-04-10T02:00:05.037738Z",
			"deleted_at": null,
			"main_name": "TA511",
			"aliases": [
				"MAN1",
				"Moskalvzapoe"
			],
			"source_name": "ETDA:TA511",
			"tools": [
				"Agentemis",
				"Chanitor",
				"Cobalt Strike",
				"CobaltStrike",
				"Ficker Stealer",
				"Hancitor",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "542cf9d0-9c68-428c-aff8-81b6f59dc985",
			"created_at": "2023-02-15T02:01:49.554105Z",
			"updated_at": "2026-04-10T02:00:03.347115Z",
			"deleted_at": null,
			"main_name": "Moskalvzapoe",
			"aliases": [
				"MAN1",
				"TA511"
			],
			"source_name": "MISPGALAXY:Moskalvzapoe",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434946,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04d2123bbca8af3910fbfad2f18294f7a702fe70.pdf",
		"text": "https://archive.orkl.eu/04d2123bbca8af3910fbfad2f18294f7a702fe70.txt",
		"img": "https://archive.orkl.eu/04d2123bbca8af3910fbfad2f18294f7a702fe70.jpg"
	}
}