{
	"id": "74cc80b9-26d2-445b-929b-05a38644c639",
	"created_at": "2026-04-06T00:12:58.692312Z",
	"updated_at": "2026-04-10T03:33:53.482488Z",
	"deleted_at": null,
	"sha1_hash": "6321766eda153ffabd49a65940d0ec0f9fe5edad",
	"title": "Grateful POS - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48860,
	"plain_text": "Grateful POS - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:01:46 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Grateful POS\r\n Tool: Grateful POS\r\nNames\r\nGrateful POS\r\nTRINITY\r\nCategory Malware\r\nType POS malware, Info stealer\r\nDescription\r\nPOS malware targets systems that run physical point-of-sale device and operates by inspecting\r\nthe process memory for data that matches the structure of credit card data (Track1 and Track2\r\ndata), such as the account number, expiration date, and other information stored on a card’s\r\nmagnetic stripe. After the cards are first scanned, the personal account number (PAN) and\r\naccompanying data sit in the point-of-sale system’s memory unencrypted while the system\r\ndetermines where to send it for authorization.\r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during\r\nthe fall 2017 shopping season with low detection ratio according to some of the earliest\r\ndetections displayed on VirusTotal. 
The first sample was uploaded in November 2017.\r\nAdditionally, this malware appears to be related to the BlackPOS malware, which was linked\r\nto some of the high-profile merchant breaches in the past.\r\nInformation\r\n\u003chttps://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf\u003e\r\n\u003chttps://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html\u003e\r\n\u003chttps://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos\u003e\r\nLast change to this tool card: 22 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Grateful POS\r\nChanged Name Country Observed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5fd2dd27-ea9b-4c29-b6fd-b64ee1a5c0bb\r\nPage 1 of 2\n\nAPT groups\r\n  FIN6, Skeleton Spider [Unknown] 2015-Oct 2021\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5fd2dd27-ea9b-4c29-b6fd-b64ee1a5c0bb\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5fd2dd27-ea9b-4c29-b6fd-b64ee1a5c0bb\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5fd2dd27-ea9b-4c29-b6fd-b64ee1a5c0bb"
	],
	"report_names": [
		"listgroups.cgi?u=5fd2dd27-ea9b-4c29-b6fd-b64ee1a5c0bb"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775792033,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6321766eda153ffabd49a65940d0ec0f9fe5edad.pdf",
		"text": "https://archive.orkl.eu/6321766eda153ffabd49a65940d0ec0f9fe5edad.txt",
		"img": "https://archive.orkl.eu/6321766eda153ffabd49a65940d0ec0f9fe5edad.jpg"
	}
}