{
	"id": "88c40c6f-d34b-4764-87bd-315230416920",
	"created_at": "2026-04-06T00:10:25.364447Z",
	"updated_at": "2026-04-10T03:20:32.945419Z",
	"deleted_at": null,
	"sha1_hash": "a311538476d41ae0f826a80ee4b50bf21ab7ef46",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48548,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 10:38:44 UTC\nTool: ModPipe\nNames ModPipe\nCategory Malware\nType POS malware, Backdoor, Info stealer, Credential stealer, Exfiltration\nDescription\n(ESET) ESET researchers have discovered ModPipe, a modular backdoor that gives its\noperators access to sensitive information stored in devices running ORACLE MICROS\nRestaurant Enterprise Series (RES) 3700 POS – a management software suite used by\nhundreds of thousands of bars, restaurants, hotels and other hospitality establishments\nworldwide.\nWhat makes the backdoor distinctive are its downloadable modules and their capabilities. One\nof them – named GetMicInfo – contains an algorithm designed to gather database passwords\nby decrypting them from Windows registry values. This shows that the backdoor’s authors\nhave deep knowledge of the targeted software and opted for this sophisticated method instead\nof collecting the data via a simpler yet “louder” approach, such as keylogging.\nExfiltrated credentials allow ModPipe’s operators access to database contents, including\nvarious definitions and configuration, status tables and information about POS transactions.\nInformation\nMalpedia Last change to this tool card: 24 April 2021\nAll groups using tool ModPipe\nChanged Name Country Observed\nUnknown groups\n_[ Interesting malware not linked to an actor yet ]_  \r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=124609c0-762b-470c-bfd6-a2a82e41e69f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=124609c0-762b-470c-bfd6-a2a82e41e69f"
	],
	"report_names": [
		"listgroups.cgi?u=124609c0-762b-470c-bfd6-a2a82e41e69f"
	],
	"threat_actors": [],
	"ts_created_at": 1775434225,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a311538476d41ae0f826a80ee4b50bf21ab7ef46.pdf",
		"text": "https://archive.orkl.eu/a311538476d41ae0f826a80ee4b50bf21ab7ef46.txt",
		"img": "https://archive.orkl.eu/a311538476d41ae0f826a80ee4b50bf21ab7ef46.jpg"
	}
}