{
	"id": "50495822-5339-455f-a6d0-002b3c6efc1b",
	"created_at": "2026-04-06T00:09:51.344787Z",
	"updated_at": "2026-04-10T03:31:56.259748Z",
	"deleted_at": null,
	"sha1_hash": "b69c0cf384d0efddcc66f0b9ea8e4dd3eacc4ccb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41599,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:59:55 UTC\r\n APT group: APT9\r\nNames APT9 (?)\r\nCountry [Unknown]\r\nMotivation Financial gain\r\nFirst seen 2018\r\nDescription\r\nMembers of FIN9, including the defendants, obtained unauthorized access to the\r\ncomputer networks of victim companies through phishing campaigns or other methods,\r\nsuch as supply chain attacks – a type of cyberattack that seeks to damage an\r\norganization by targeting the computer networks of trusted third-party vendors who\r\noffer services or software vital to the supply chain. After gaining access to their\r\nvictims’ networks, FIN9 members, including the defendants, used that access to\r\nexfiltrate or attempt to exfiltrate non-public information, employee benefits, and/or\r\nfunds. For example, the defendants accessed employee benefit rewards programs\r\nmaintained by their victims and re-directed digital employee benefits, such as gift\r\ncards, to accounts controlled by defendants. The defendants also stole gift card\r\ninformation stored on the computer networks of certain victims.\r\nThe defendants additionally stole personally identifiable information and credit card\r\ninformation associated with employees and customers of their victim companies. In an\r\neffort to hide their own identities, the defendants would, at times, use that information\r\nin furtherance of the conspiracy by, for example, registering online accounts at\r\ncryptocurrency exchanges or server hosting companies in the names of individuals\r\nwhose identities were stolen. Tai, Xuyen, and Truong sold stolen gift cards to third\r\nparties, including through an account registered with a fake name on a peer-to-peer\r\ncryptocurrency marketplace, in order to conceal and disguise the source of the stolen\r\nmoney.\r\nObserved\r\nTools used\r\nCounter operations Jan 2024 Four Members of Notorious Cybercrime Group ‘FIN9’ Charged for\r\nRoles in Attacking U.S. 
Companies\r\n\u003chttps://www.justice.gov/usao-nj/pr/four-members-notorious-cybercrime-group-fin9-charged-roles-attacking-us-companies\u003e\r\nLast change to this card: 26 August 2024\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=08faea11-6316-41ce-a1ab-36634740551e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=08faea11-6316-41ce-a1ab-36634740551e"
	],
	"report_names": [
		"showcard.cgi?u=08faea11-6316-41ce-a1ab-36634740551e"
	],
	"threat_actors": [
		{
			"id": "7f177406-ec53-4a0e-83b8-9876130c9e73",
			"created_at": "2024-08-28T02:02:09.350152Z",
			"updated_at": "2026-04-10T02:00:04.69275Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [],
			"source_name": "ETDA:APT9",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "699b7efc-322d-489d-818d-823fac028124",
			"created_at": "2023-01-06T13:46:39.404825Z",
			"updated_at": "2026-04-10T02:00:03.315524Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [
				"NIGHTSHADE PANDA",
				"Red Pegasus",
				"Group 27"
			],
			"source_name": "MISPGALAXY:APT9",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3d3b549e-b77c-4394-9eea-21ed1becc658",
			"created_at": "2025-03-29T02:05:20.759815Z",
			"updated_at": "2026-04-10T02:00:03.832731Z",
			"deleted_at": null,
			"main_name": "GOLD WINDSOR",
			"aliases": [
				"FIN9 "
			],
			"source_name": "Secureworks:GOLD WINDSOR",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434191,
	"ts_updated_at": 1775791916,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b69c0cf384d0efddcc66f0b9ea8e4dd3eacc4ccb.pdf",
		"text": "https://archive.orkl.eu/b69c0cf384d0efddcc66f0b9ea8e4dd3eacc4ccb.txt",
		"img": "https://archive.orkl.eu/b69c0cf384d0efddcc66f0b9ea8e4dd3eacc4ccb.jpg"
	}
}