{ "id": "b0768388-99d1-40d2-8cee-95814a1865b6", "created_at": "2026-04-06T00:08:52.918412Z", "updated_at": "2026-04-10T13:12:00.062137Z", "deleted_at": null, "sha1_hash": "4dabfe7b9a632a6e510bc340192817597c3b6699", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47613, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:11:53 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ModPOS\r\n Tool: ModPOS\r\nNames\r\nModPOS\r\nstraxbot\r\nCategory Malware\r\nType Reconnaissance, POS malware, Backdoor, Keylogger, Credential stealer\r\nDescription\r\n(FireEye) ModPOS is highly modular and can be configured to target specific systems\r\nwith components such as uploader/downloader, keylogger, POS RAM scraper and custom\r\nplugins for credential theft and other specialized functions like network reconnaissance.\r\nWe believe other capabilities could also be leveraged. The modules are packed kernel\r\ndrivers that use multiple methods of obfuscation and encryption to evade even the most\r\nsophisticated security controls.\r\nInformation \u003chttps://www.fireeye.com/blog/threat-research/2015/11/modpos.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.modpos\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:modpos\u003e\r\nLast change to this tool card: 28 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool ModPOS\r\nChanged Name Country Observed\r\nAPT groups\r\n  Operation Black Atlas [Unknown] 2015  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fdb9cd93-6826-440e-b2ef-04f8618c92b4\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fdb9cd93-6826-440e-b2ef-04f8618c92b4\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fdb9cd93-6826-440e-b2ef-04f8618c92b4\r\nPage 2 of 2\n\nAPT groups Operation Black Atlas [Unknown] 2015 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fdb9cd93-6826-440e-b2ef-04f8618c92b4" ], "report_names": [ "listgroups.cgi?u=fdb9cd93-6826-440e-b2ef-04f8618c92b4" ], "threat_actors": [ { "id": "5c457d56-6078-4a86-ac5c-e3e91fa278e7", "created_at": "2022-10-25T16:07:23.934665Z", "updated_at": "2026-04-10T02:00:04.795018Z", "deleted_at": null, "main_name": "Operation Black Atlas", "aliases": [], "source_name": "ETDA:Operation Black Atlas", "tools": [ "Alina POS", "BlackPOS", "Diamond Fox", "DiamondFox", "FrameworkPOS", "Gorynch", "Gorynych", "Kaptoxa", "MMon", "ModPOS", "NewPosThings", "POSWDS", "Reedum", "alina_eagle", "alina_spark", "aline_joker", "katrina", "straxbot" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434132, "ts_updated_at": 1775826720, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4dabfe7b9a632a6e510bc340192817597c3b6699.pdf", "text": "https://archive.orkl.eu/4dabfe7b9a632a6e510bc340192817597c3b6699.txt", "img": "https://archive.orkl.eu/4dabfe7b9a632a6e510bc340192817597c3b6699.jpg" } }