{ "id": "3e813fee-c027-4003-bb89-8c8a8b212e6b", "created_at": "2026-04-06T00:09:42.98891Z", "updated_at": "2026-04-10T13:11:35.623645Z", "deleted_at": null, "sha1_hash": "4a4a39136bc37b909b7c52161981ed5f58728503", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 44767, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:59:17 UTC\n APT group: Tiny Spider\nNames Tiny Spider (CrowdStrike)\nCountry [Unknown]\nMotivation Financial crime\nFirst seen 2015\nDescription\n(ForcePoint) It all starts with the delivery of a small loader called TinyLoader, an\nobfuscated executable withsimple–yet powerful –downloader functionality. Upon\nexecution, it will first brute force its own decryption key (a 32-bit value, meaning\nthis takes a fraction of second on modern PCs) before using this to decrypt the main\nprogram code.\nThe core functionality of the decrypted code is communication with a set of\nhardcoded C2 servers by IP and port. If the C2 is active, it will provide what is\neffectively a piece of shellcode, encrypted by another 32-bit constant. This shellcode\nis not ‘fire and forget’: it instead sees the loader establish a semi-interactive two-way\ncommunication with the C2. Note that the earliest traits and mentions of TinyLoader\ngo back to as far as 2015.\nObserved\nSectors: Retail.\nCountries: Worldwide.\nTools used PinkKite, PsExec, TinyPOS, TinyLoader.\nOperations performed 2017\nA new family of point-of-sale malware, dubbed PinkKite, has been\nidentified by researchers who say the malware is tiny in size, but can\ndelivered a hefty blow to POS endpoints.\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ca6c6c94-9ef8-4aa4-8d9e-ad943b9fbe23\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ca6c6c94-9ef8-4aa4-8d9e-ad943b9fbe23\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ca6c6c94-9ef8-4aa4-8d9e-ad943b9fbe23\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ca6c6c94-9ef8-4aa4-8d9e-ad943b9fbe23" ], "report_names": [ "showcard.cgi?u=ca6c6c94-9ef8-4aa4-8d9e-ad943b9fbe23" ], "threat_actors": [ { "id": "168848e1-54f8-43ba-b3f1-650be9b08081", "created_at": "2023-01-06T13:46:38.913608Z", "updated_at": "2026-04-10T02:00:03.143639Z", "deleted_at": null, "main_name": "TINY SPIDER", "aliases": [], "source_name": "MISPGALAXY:TINY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ab0b3abd-7947-4a56-a03a-a3fd1009d89f", "created_at": "2022-10-25T16:07:24.326862Z", "updated_at": "2026-04-10T02:00:04.93806Z", "deleted_at": null, "main_name": "Tiny Spider", "aliases": [], "source_name": "ETDA:Tiny Spider", "tools": [ "PinkKite", "PsExec", "TinyLoader", "TinyPOS" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434182, "ts_updated_at": 1775826695, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4a4a39136bc37b909b7c52161981ed5f58728503.pdf", "text": "https://archive.orkl.eu/4a4a39136bc37b909b7c52161981ed5f58728503.txt", "img": "https://archive.orkl.eu/4a4a39136bc37b909b7c52161981ed5f58728503.jpg" } }