{
	"id": "85d7bd93-0b0b-4b8f-bbfa-15ecda0db56d",
	"created_at": "2026-04-06T01:31:18.156834Z",
	"updated_at": "2026-04-10T13:11:33.357136Z",
	"deleted_at": null,
	"sha1_hash": "a0737fb5b0b8e3091e6aac4d872d02925a0f3265",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48247,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:17:29 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Decebal\r\n Tool: Decebal\r\nNames Decebal\r\nCategory Malware\r\nType POS malware, Reconnaissance, Credential stealer\r\nDescription\r\n(Trend Micro) Decebal refers to a PoS RAM scraper malware family first discovered at the\r\nbeginning of 2014. Decebal is unique in that it is coded in VBScript and is compiled into an\r\nexecutable file. Most PoS RAM scrapers are coded in C, C++, or Delphi. Like BlackPOS,\r\nDecebal’s source code was also leaked online. Decebal comes with many existing functionality\r\nfound in established and even new PoS RAM scraper malware families\r\nInformation\r\n\u003chttps://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf\u003e\r\n\u003chttps://community.softwaregrp.com/t5/Security-Research/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/272157\u003e\r\n\u003chttps://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.decebal\u003e\r\nLast change to this tool card: 25 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Decebal\r\nChanged Name Country Observed\r\nUnknown groups\r\n  _[ Interesting malware not linked to an actor yet ]_  \r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=18271da6-eda0-464d-8a94-caae5f0168a6\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=18271da6-eda0-464d-8a94-caae5f0168a6\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=18271da6-eda0-464d-8a94-caae5f0168a6\r\nPage 2 of 2\n\nUnknown groups _[ Interesting malware not linked to an actor yet ]_\n1 group listed (0 APT, 0 other, 1 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=18271da6-eda0-464d-8a94-caae5f0168a6"
	],
	"report_names": [
		"listgroups.cgi?u=18271da6-eda0-464d-8a94-caae5f0168a6"
	],
	"threat_actors": [],
	"ts_created_at": 1775439078,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0737fb5b0b8e3091e6aac4d872d02925a0f3265.pdf",
		"text": "https://archive.orkl.eu/a0737fb5b0b8e3091e6aac4d872d02925a0f3265.txt",
		"img": "https://archive.orkl.eu/a0737fb5b0b8e3091e6aac4d872d02925a0f3265.jpg"
	}
}