{
	"id": "9c0d28e7-32bb-4a77-89e8-490e48571a04",
	"created_at": "2026-04-06T00:06:56.721286Z",
	"updated_at": "2026-04-10T13:11:45.643305Z",
	"deleted_at": null,
	"sha1_hash": "466e7ab12b6369f5217883b09068e65a3af32024",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49225,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:00:27 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool RtPOS\r\n Tool: RtPOS\r\nNames RtPOS\r\nCategory Malware\r\nType POS malware, Reconnaissance, Backdoor, Credential stealer\r\nDescription\r\n(Booz Allen) RtPOS is unique in comparison to other fully featured POS malware like\r\nProject Hook and TreasureHunter, in that it has no native exfiltration capability. While\r\nother POS malware families are perfectly capable of sending captured Track1 and Track2\r\ndata to a C2 server, RtPOS merely saves the data locally. As this activity is similar to\r\nsome POS utilities, this is likely intended to reduce the network activity footprint of\r\nRtPOS and ensure the malware remains undetected for longer, thus earning the controllers\r\na healthier profit. The RtPOS malware is also simplistic in features, largely automated in\r\noperation, and lacks many of the features that more mature POS malware families do.\r\nThe lack of a network exfiltration feature, interaction and user commands, as well as a\r\ndropper component hints at more serious implications: in order for RtPOS to execute and\r\nin order to retrieve the captured payment card data, the attackers would have existing\r\naccess to the victim’s machine(s). \nRtPOS may simply be an in-development POS malware\r\nfamily, though review and analysis suggests RtPOS is a post-compromise tool instead of a\r\nstandalone malware, and may even be part of a larger, heretofore unidentified tool set.\r\nInformation\r\n\u003chttps://www.boozallen.com/c/insight/blog/new-point-of-sale-malware-family-uncovered.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:RtPOS\u003e\r\nLast change to this tool card: 25 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool RtPOS\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ab3b05c0-27a8-4225-bc9c-8ccc5b4796c1\r\nPage 1 of 2\n\nChanged Name Country Observed\r\nUnknown groups\r\n  _[ Interesting malware not linked to an actor yet ]_  \r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ab3b05c0-27a8-4225-bc9c-8ccc5b4796c1\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ab3b05c0-27a8-4225-bc9c-8ccc5b4796c1\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ab3b05c0-27a8-4225-bc9c-8ccc5b4796c1"
	],
	"report_names": [
		"listgroups.cgi?u=ab3b05c0-27a8-4225-bc9c-8ccc5b4796c1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/466e7ab12b6369f5217883b09068e65a3af32024.pdf",
		"text": "https://archive.orkl.eu/466e7ab12b6369f5217883b09068e65a3af32024.txt",
		"img": "https://archive.orkl.eu/466e7ab12b6369f5217883b09068e65a3af32024.jpg"
	}
}