{
	"id": "64dcaa34-76b8-45b5-a81e-1ea2ccf12634",
	"created_at": "2026-04-06T00:10:48.08312Z",
	"updated_at": "2026-04-10T03:21:55.980426Z",
	"deleted_at": null,
	"sha1_hash": "b9b9e5ae53d8019866626396e7b4168a8e568f36",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46777,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:17:35 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool FiXS\n Tool: FiXS\nNames FiXS\nCategory Malware\nType ATM malware\nDescription\n(Metabase Q) Metabase Q recently identified a new malware that is currently affecting\nMexican banks. Due to it’s code name in the binary, we dubbed it FiXS.\nIt is not clear yet what the vector for the initial infection is. However, since FiXS utilizes an\nexternal keyboard (similar to Ploutus), we anticipate that it follows a similar methodology. In\nthe case of Ploutus, a person with access to these teller machines physically connects an\nexternal keyboard to to the ATM for the attack to commence.\nSo far, we have identified some key relevant characteristics of FiXS malware:\n• It instructs the ATM to dispense money 30 minutes after the last ATM reboot\n• It is hidden inside another not-malicious-looking program\n• It is vendor-agnostic targeting any ATM that supports CEN XFS\n• It interacts with the crooks via external keyboard\n• It waits for the Cassettes to be loaded to start dispensing\n• It contains Russian metadata\nInformation Last change to this tool card: 25 April 2023\nDownload this tool card in JSON format\nAll groups using tool FiXS\nChanged Name Country Observed\nUnknown groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7b095e59-1cfa-4d33-9ebe-c6b5df3d8fe9\nPage 1 of 2\n\n_[ Interesting malware not linked to an actor yet ]_  \r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7b095e59-1cfa-4d33-9ebe-c6b5df3d8fe9\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7b095e59-1cfa-4d33-9ebe-c6b5df3d8fe9\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7b095e59-1cfa-4d33-9ebe-c6b5df3d8fe9"
	],
	"report_names": [
		"listgroups.cgi?u=7b095e59-1cfa-4d33-9ebe-c6b5df3d8fe9"
	],
	"threat_actors": [],
	"ts_created_at": 1775434248,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9b9e5ae53d8019866626396e7b4168a8e568f36.pdf",
		"text": "https://archive.orkl.eu/b9b9e5ae53d8019866626396e7b4168a8e568f36.txt",
		"img": "https://archive.orkl.eu/b9b9e5ae53d8019866626396e7b4168a8e568f36.jpg"
	}
}