{
	"id": "0729e7f5-b0e3-4c8e-99f2-c4a396a53325",
	"created_at": "2026-04-06T00:10:00.577031Z",
	"updated_at": "2026-04-10T13:12:00.662763Z",
	"deleted_at": null,
	"sha1_hash": "5b755040ba48b03551cd19f539e822b47527e6e9",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47685,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 12:58:25 UTC\r\nTool: Rdasrv\r\nNames Rdasrv\r\nCategory Malware\r\nType POS malware, Credential stealer\r\nDescription\r\n(Trend Micro) Rdasrv—one of the earliest PoS RAM scrapers—was first discovered at the end\r\nof 2011. It has no specific family name so it is called by the service name that it installs—\r\nrdasrv.\r\nWhen first executed, the malware is installed as a service called “rdasrv.” Name variations\r\nexist but rdasrv is most commonly used. The sample analyzed installed a service called\r\n“rdpclip.” The installer script executes the malware using the /install parameter. The malware\r\nthen passes function cc_data_scraper_main to StartServiceCtrlDispatcher. The\r\ncc_data_scraper_main function registers itself to handle service control requests using\r\nRegisterServiceCtrlHandler. The malware is now installed and ready to scrape the process\r\nmemory for Tracks 1 and 2 credit card data.\r\nInformation\r\n\u003chttps://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf\u003e\r\n\u003chttps://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv\u003e\r\nLast change to this tool card: 25 May 2020\r\nAll groups using tool Rdasrv\r\nChanged Name Country Observed\r\nUnknown groups\r\n_[ Interesting malware not linked to an actor yet ]_\r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a7b775e0-34a3-4ecb-9d8b-c107e84e9b28",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a7b775e0-34a3-4ecb-9d8b-c107e84e9b28"
	],
	"report_names": [
		"listgroups.cgi?u=a7b775e0-34a3-4ecb-9d8b-c107e84e9b28"
	],
	"threat_actors": [],
	"ts_created_at": 1775434200,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b755040ba48b03551cd19f539e822b47527e6e9.pdf",
		"text": "https://archive.orkl.eu/5b755040ba48b03551cd19f539e822b47527e6e9.txt",
		"img": "https://archive.orkl.eu/5b755040ba48b03551cd19f539e822b47527e6e9.jpg"
	}
}