{ "id": "e059d8fa-a5c8-4477-b3fb-13c210da84ea", "created_at": "2026-04-06T00:16:39.681382Z", "updated_at": "2026-04-10T03:32:07.743839Z", "deleted_at": null, "sha1_hash": "a8668ab8ac2faa8c8e0cecf317d252998bfd72fe", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 72800, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 10:53:34 UTC\r\n Other threat group: Fxmsp\r\nNames\r\nFxmsp (self given)\r\nATK 134 (Thales)\r\nTAG-CR17 (Recorded Future)\r\nCountry Kazakhstan\r\nMotivation Financial gain\r\nFirst seen 2016\r\nDescription\r\n(AdvIntel) Throughout 2017 and 2018, Fxmsp established a network of trusted\r\nproxy resellers to promote their breaches on the criminal underground. Some of the\r\nknown Fxmsp TTPs included accessing network environments via externally\r\navailable remote desktop protocol (RDP) servers and exposed active directory.\r\nMost recently, the actor claimed to have developed a credential-stealing botnet\r\ncapable of infecting high-profile targets in order to exfiltrate sensitive usernames and\r\npasswords. Fxmsp has claimed that developing this botnet and improving its\r\ncapabilities for stealing information from secured systems is their main goal.\r\nObserved\r\nSectors: Aviation, Education, Energy, Financial, Food and Agriculture, Government,\r\nManufacturing, Retail, Transportation.\r\nCountries: Australia, Brazil, Canada, Chile, China, Colombia, Cyprus, Ecuador,\r\nEgypt, El Salvador, Germany, Ghana, Hong Kong, India, Indonesia, Ireland, Italy,\r\nJamaica, Japan, Kenya, Kuwait, Malaysia, Maldives, Mexico, Netherlands, Nigeria,\r\nOman, Pakistan, Philippines, Russia, Saudi Arabia, Singapore, South Africa, South\r\nKorea, Sri Lanka, Thailand, UAE, UK, USA, Zimbabwe.\r\nTools used RDP and exposed AD.\r\nOperations performed May 2019\r\nBreaches of Three Major Anti-Virus Companies\r\n\u003chttps://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies\u003e\r\nCounter operations Jul 2020 Feds indict 'fxmsp' in connection with million-dollar hacking\r\noperation\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d6819bf-0b1d-45a8-9042-f0873e2e5227\r\nPage 1 of 2\n\nInformation\nLast change to this card: 09 December 2021\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d6819bf-0b1d-45a8-9042-f0873e2e5227\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d6819bf-0b1d-45a8-9042-f0873e2e5227\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d6819bf-0b1d-45a8-9042-f0873e2e5227" ], "report_names": [ "showcard.cgi?u=9d6819bf-0b1d-45a8-9042-f0873e2e5227" ], "threat_actors": [ { "id": "ab5dc2a3-16dc-421e-af45-d60c8b4aafac", "created_at": "2023-01-06T13:46:39.012588Z", "updated_at": "2026-04-10T02:00:03.180595Z", "deleted_at": null, "main_name": "Fxmsp", "aliases": [], "source_name": "MISPGALAXY:Fxmsp", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "312b7781-5501-4c1e-a9d5-9b75e9ad8455", "created_at": "2022-10-25T16:07:24.488292Z", "updated_at": "2026-04-10T02:00:05.006738Z", "deleted_at": null, "main_name": "Fxmsp", "aliases": [ "ATK 134", "TAG-CR17" ], "source_name": "ETDA:Fxmsp", "tools": [ "RDP", "Remote Desktop Protocol" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434599, "ts_updated_at": 1775791927, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a8668ab8ac2faa8c8e0cecf317d252998bfd72fe.pdf", "text": "https://archive.orkl.eu/a8668ab8ac2faa8c8e0cecf317d252998bfd72fe.txt", "img": "https://archive.orkl.eu/a8668ab8ac2faa8c8e0cecf317d252998bfd72fe.jpg" } }