{ "id": "bc01023d-b6e1-4df6-8044-aeb2baa5381e", "created_at": "2026-04-06T00:13:30.55453Z", "updated_at": "2026-04-10T03:32:46.556399Z", "deleted_at": null, "sha1_hash": "49b2c6894119d0409dc98323c16e591cb27bda16", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45563, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:08:23 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MoneyTaker\r\n Tool: MoneyTaker\r\nNames MoneyTaker\r\nCategory Malware\r\nType Banking trojan\r\nDescription\r\n(Group-IB) In an attack on a Russian bank through the AWS CBR, hackers used a tool called\r\nMoneyTaker v5.0, which the group has been named after. Each component of this modular\r\nprogram performs a certain action: searches for payment orders and modifies them, replaces\r\noriginal payment details with fraudulent ones, and then erases traces. The success of\r\nreplacement is due to the fact that at this stage the payment order has not yet been signed,\r\nwhich will occur after payment details are replaced. In addition to hiding the tracks, the\r\nconcealment module again substitutes the fraudulent payment details in a debit advice after the\r\ntransaction back with the original ones. This means that the payment order is sent and accepted\r\nfor execution with the fraudulent payment details, and the responses come as if the payment\r\ndetails were the initial ones. This gives cybercriminals extra time to mule funds before the\r\ntheft is detected.\r\nInformation \u003chttps://www.group-ib.com/blog/moneytaker\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool MoneyTaker\r\nChanged Name Country Observed\r\nAPT groups\r\n  MoneyTaker 2016  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37a3a707-92e1-4ac7-bd2d-7a1779e5b3bb\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37a3a707-92e1-4ac7-bd2d-7a1779e5b3bb\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37a3a707-92e1-4ac7-bd2d-7a1779e5b3bb\r\nPage 2 of 2\n\nAPT groups MoneyTaker 2016 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37a3a707-92e1-4ac7-bd2d-7a1779e5b3bb" ], "report_names": [ "listgroups.cgi?u=37a3a707-92e1-4ac7-bd2d-7a1779e5b3bb" ], "threat_actors": [ { "id": "746214d4-5d48-4644-b763-8e9a9c549c04", "created_at": "2022-10-25T16:07:23.878029Z", "updated_at": "2026-04-10T02:00:04.769032Z", "deleted_at": null, "main_name": "MoneyTaker", "aliases": [], "source_name": "ETDA:MoneyTaker", "tools": [ "Kronos", "Metasploit", "MoneyTaker", "Screenshotter" ], "source_id": "ETDA", "reports": null }, { "id": "e5364c16-eb97-467e-a8c2-a720269498c1", "created_at": "2023-01-06T13:46:38.733469Z", "updated_at": "2026-04-10T02:00:03.082343Z", "deleted_at": null, "main_name": "MoneyTaker", "aliases": [], "source_name": "MISPGALAXY:MoneyTaker", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434410, "ts_updated_at": 1775791966, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/49b2c6894119d0409dc98323c16e591cb27bda16.pdf", "text": "https://archive.orkl.eu/49b2c6894119d0409dc98323c16e591cb27bda16.txt", "img": "https://archive.orkl.eu/49b2c6894119d0409dc98323c16e591cb27bda16.jpg" } }