{
	"id": "17fbd33e-f57c-4b48-8c7a-25c6dd33e0eb",
	"created_at": "2026-04-06T00:15:50.618542Z",
	"updated_at": "2026-04-10T03:36:16.828513Z",
	"deleted_at": null,
	"sha1_hash": "6da14e4100bc3eb9ad11c0c6dc91123eae3ffa78",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48318,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:57:07 UTC\r\nAPT group: FIN5\r\nNames\r\nFIN5 (FireEye)\r\nG0053 (MITRE)\r\nCountry [Unknown]\r\nMotivation Financial crime\r\nFirst seen 2008\r\nDescription\r\nFIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.\r\n(DarkReading) No 0days. No spear-phishing, either: The cybercriminal group tied to numerous payment card breaches including Goodwill and best known by its so-called “RawPOS” malware employed legitimate user credentials to access its targets’ networks.\r\nResearchers at FireEye here today shared their recent findings on this prolific and long-running cybercrime gang that has been the subject of multiple Visa security alerts to merchants. The RawPOS memory scraper malware has been infecting the lodging industry in epidemic proportions over the past year, and is considered one of the first memory scrapers to target point-of-sale systems.\r\nFireEye has dubbed the cybercrime gang FIN5. “One of the most unique things about FIN5 is that in every intrusion we responded to where FIN5 has been active, legitimate access was identified. They had valid user credentials to remotely log into the network,” said Barry Vengerik, principal threat analyst at FireEye. “No sexy zero-days, no remote exploits – not even spear-phishing. They had credentials from somewhere.”\r\nFIN5, which earlier this year was profiled by researchers at Trend Micro and has been in action since at least 2008, uses real credentials from the victim organization’s virtual private network, Remote Desktop Protocol, Citrix, or VNC. Vengerik says the attackers got those credentials via third parties associated with the victims’ POS systems.\r\nObserved Sectors: Gaming, Hospitality.\r\nTools used FLIPSIDE, pwdump, RawPOS, SDelete, Windows Credentials Editor.\r\nInformation\r\nMITRE ATT\u0026CK\r\nLast change to this card: 16 August 2025\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=79996110-5bcb-4996-b3d8-0d778030f0dc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=79996110-5bcb-4996-b3d8-0d778030f0dc"
	],
	"report_names": [
		"showcard.cgi?u=79996110-5bcb-4996-b3d8-0d778030f0dc"
	],
	"threat_actors": [
		{
			"id": "fa3bc740-8ffc-4a49-a78f-e1f6d0d85c2b",
			"created_at": "2022-10-25T15:50:23.528058Z",
			"updated_at": "2026-04-10T02:00:05.374772Z",
			"deleted_at": null,
			"main_name": "FIN5",
			"aliases": [
				"FIN5"
			],
			"source_name": "MITRE:FIN5",
			"tools": [
				"Windows Credential Editor",
				"PsExec",
				"FLIPSIDE",
				"pwdump",
				"SDelete",
				"RawPOS"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7e5e725c-4de5-4e14-a702-d84d23d973e9",
			"created_at": "2023-01-06T13:46:38.965779Z",
			"updated_at": "2026-04-10T02:00:03.165531Z",
			"deleted_at": null,
			"main_name": "FIN5",
			"aliases": [
				"G0053"
			],
			"source_name": "MISPGALAXY:FIN5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "820ea41f-a798-4eb9-b296-530b784c1adc",
			"created_at": "2022-10-25T16:07:23.613805Z",
			"updated_at": "2026-04-10T02:00:04.688029Z",
			"deleted_at": null,
			"main_name": "FIN5",
			"aliases": [
				"G0053"
			],
			"source_name": "ETDA:FIN5",
			"tools": [
				"DRIFTWOOD",
				"DUEBREW",
				"FIENDCRY",
				"FLIPSIDE",
				"RawPOS",
				"SDelete",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434550,
	"ts_updated_at": 1775792176,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6da14e4100bc3eb9ad11c0c6dc91123eae3ffa78.pdf",
		"text": "https://archive.orkl.eu/6da14e4100bc3eb9ad11c0c6dc91123eae3ffa78.txt",
		"img": "https://archive.orkl.eu/6da14e4100bc3eb9ad11c0c6dc91123eae3ffa78.jpg"
	}
}