{ "id": "ffc8e51c-5b34-4874-b332-422790a5d6e3", "created_at": "2026-04-06T00:08:41.87779Z", "updated_at": "2026-04-10T03:28:40.727559Z", "deleted_at": null, "sha1_hash": "c9523bad27f234fbef974d0f23eb04fbd43a03e9", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49044, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:19:51 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool TinyPOS\n Tool: TinyPOS\nNames TinyPOS\nCategory Malware\nType POS malware, Backdoor, Info stealer\nDescription\n(Forcepoint) It all starts with the delivery of a small loader called TinyLoader, an\nobfuscated executable withsimple -yet powerful- downloader functionality. Upon\nexecution, it will first brute force its own decryption key (a 32-bit value, meaning this\ntakes a fraction of second on modern PCs) before using this to decrypt the main program\ncode.\nCode-wise the POS component is very similar to the loader, except there is no additional\nencryption, as whenever it is delivered the operators are almost certain -due to the pre-filtering above- that a valuable target has been identified.\nThis component works like any other POS memory scraper: opening processes based on\neither a predefined black or whitelist of process names, creating a new thread for each\nmatching one and scanning their full memory range for Track 1 and Track 2 credit card\ndata. If such data is found, first it will be verified by the Luhn algorithm for integrity, then\nit will be encrypted by a pre-defined key (another 32 or 64-bit value stored in the POS\nbinary itself) and either sent to yet another C2 identified, again, by IP/port combination or\nit will be saved locally.\nInformation\nAlienVault OTX Last change to this tool card: 26 May 2020\nDownload this tool card in JSON format\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2698c733-ab93-4b51-acc8-3265209d0005\nPage 1 of 2\n\nAll groups using tool TinyPOS\r\nChanged Name Country Observed\r\nAPT groups\r\n  Tiny Spider [Unknown] 2015-2017  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2698c733-ab93-4b51-acc8-3265209d0005\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2698c733-ab93-4b51-acc8-3265209d0005\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2698c733-ab93-4b51-acc8-3265209d0005" ], "report_names": [ "listgroups.cgi?u=2698c733-ab93-4b51-acc8-3265209d0005" ], "threat_actors": [ { "id": "168848e1-54f8-43ba-b3f1-650be9b08081", "created_at": "2023-01-06T13:46:38.913608Z", "updated_at": "2026-04-10T02:00:03.143639Z", "deleted_at": null, "main_name": "TINY SPIDER", "aliases": [], "source_name": "MISPGALAXY:TINY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ab0b3abd-7947-4a56-a03a-a3fd1009d89f", "created_at": "2022-10-25T16:07:24.326862Z", "updated_at": "2026-04-10T02:00:04.93806Z", "deleted_at": null, "main_name": "Tiny Spider", "aliases": [], "source_name": "ETDA:Tiny Spider", "tools": [ "PinkKite", "PsExec", "TinyLoader", "TinyPOS" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434121, "ts_updated_at": 1775791720, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c9523bad27f234fbef974d0f23eb04fbd43a03e9.pdf", "text": "https://archive.orkl.eu/c9523bad27f234fbef974d0f23eb04fbd43a03e9.txt", "img": "https://archive.orkl.eu/c9523bad27f234fbef974d0f23eb04fbd43a03e9.jpg" } }