{
	"id": "15793780-2b10-4b54-a58b-85553185371e",
	"created_at": "2026-04-06T00:17:27.809149Z",
	"updated_at": "2026-04-10T13:12:10.184888Z",
	"deleted_at": null,
	"sha1_hash": "7e4ae3755d1620e498ecf143c1377c08722b9481",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48503,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:01:15 UTC\n Tool: PwnPOS\nNames PwnPOS\nCategory Malware\nType POS malware, Credential stealer\nDescription\n(Trend Micro) PwnPOS is one of those perfect examples of malware that’s able to fly\nunder the radar all these years due to its simple but thoughtful construction; albeit not\nbeing future proof. Technically, there are two components of PwnPOS: 1) the RAM\nscraper binary, and 2) the binary responsible for data exfiltration. While the RAM scraper\ncomponent remains constant, the data exfiltration component has seen several changes –\nimplying that there are two, and possibly distinct, authors. The RAM scraper goes through\na process’ memory and dumps the data to the file and the binary uses SMTP for data\nexfiltration.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 24 May 2020\nAll groups using tool PwnPOS\nChanged Name Country Observed\nUnknown groups\n _[ Interesting malware not linked to an actor yet ]_\n1 group listed (0 APT, 0 other, 1 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2dae9d51-6708-44f3-9253-21bc4262d92f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2dae9d51-6708-44f3-9253-21bc4262d92f"
	],
	"report_names": [
		"listgroups.cgi?u=2dae9d51-6708-44f3-9253-21bc4262d92f"
	],
	"threat_actors": [],
	"ts_created_at": 1775434647,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e4ae3755d1620e498ecf143c1377c08722b9481.pdf",
		"text": "https://archive.orkl.eu/7e4ae3755d1620e498ecf143c1377c08722b9481.txt",
		"img": "https://archive.orkl.eu/7e4ae3755d1620e498ecf143c1377c08722b9481.jpg"
	}
}