{
	"id": "ad1d476c-c3b2-4e24-accf-79cd5225af48",
	"created_at": "2026-04-06T00:15:49.929993Z",
	"updated_at": "2026-04-10T13:11:47.09762Z",
	"deleted_at": null,
	"sha1_hash": "df9edde16f62f9c418143cf744353a00dbf6d01d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51386,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:53:07 UTC\nTool: BadHatch\nNames BadHatch\nCategory Malware\nType POS malware, Backdoor, Info stealer\nDescription\n(Trend Micro) Security researchers found threat group FIN8 reappearing after two years with a new point-of-sale (PoS) malware named Badhatch, which is designed to steal credit card information. Researchers from Gigamon analyzed the sample and found similarities with PunchBuggy, but Badhatch features new capabilities that allow it to scan for victim networks, provide attackers with remote access, install a backdoor, and deliver other modified malware payloads such as PoSlurp and PunchBuggy, among other features.\nBadhatch begins infection much like its predecessor PowerSniff, by sending a customized phishing email via a weaponized Word document. Once the victim enables the macros, it executes PowerShell and shellcode scripts for PowerSniff, installing a backdoor in the process. Its network scan capability makes it different from PowerSniff; it is unable to check if the infected system is in the education or healthcare sector. The researchers also noted that it lacks the sandbox detection and anti-virus analysis evasion features, as well as the long-term persistence tools that its predecessor had. However, they note that this also serves as an advantage, as the attackers can execute the routine after infection and have greater control over how the malware is used, thereby avoiding automated sandboxing features.\nInformation\nMITRE ATT\u0026CK Malpedia https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=360e808f-3592-4d9f-a9f5-26302044f37f\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:BADHATCH\u003e\nLast change to this tool card: 30 June 2025\nAll groups using tool BadHatch\nChanged Name Country Observed\nAPT groups\nFIN8 [Unknown] 2016-Dec 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=360e808f-3592-4d9f-a9f5-26302044f37f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=360e808f-3592-4d9f-a9f5-26302044f37f"
	],
	"report_names": [
		"listgroups.cgi?u=360e808f-3592-4d9f-a9f5-26302044f37f"
	],
	"threat_actors": [
		{
			"id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c",
			"created_at": "2025-08-07T02:03:24.910023Z",
			"updated_at": "2026-04-10T02:00:03.713077Z",
			"deleted_at": null,
			"main_name": "GOLD HUXLEY",
			"aliases": [
				"CTG-6969",
				"FIN8"
			],
			"source_name": "Secureworks:GOLD HUXLEY",
			"tools": [
				"Gozi ISFB",
				"Powersniff"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5bdde906-0416-42ee-9100-5ebd95dda77a",
			"created_at": "2023-01-06T13:46:38.601977Z",
			"updated_at": "2026-04-10T02:00:03.035842Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK113",
				"G0061"
			],
			"source_name": "MISPGALAXY:FIN8",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72d09c17-e33e-4c2f-95db-f204848cc797",
			"created_at": "2022-10-25T15:50:23.832551Z",
			"updated_at": "2026-04-10T02:00:05.336787Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"FIN8",
				"Syssphinx"
			],
			"source_name": "MITRE:FIN8",
			"tools": [
				"BADHATCH",
				"PUNCHBUGGY",
				"Ragnar Locker",
				"PUNCHTRACK",
				"dsquery",
				"Nltest",
				"Sardonic",
				"PsExec",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fc80a724-e567-457c-82bb-70147435e129",
			"created_at": "2022-10-25T16:07:23.624289Z",
			"updated_at": "2026-04-10T02:00:04.691643Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK 113",
				"G0061",
				"Storm-0288",
				"Syssphinx"
			],
			"source_name": "ETDA:FIN8",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BadHatch",
				"BlackCat",
				"Noberus",
				"PSVC",
				"PUNCHTRACK",
				"PoSlurp",
				"Powersniff",
				"PunchBuggy",
				"Ragnar Loader",
				"Ragnar Locker",
				"RagnarLocker",
				"Sardonic",
				"ShellTea"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df9edde16f62f9c418143cf744353a00dbf6d01d.pdf",
		"text": "https://archive.orkl.eu/df9edde16f62f9c418143cf744353a00dbf6d01d.txt",
		"img": "https://archive.orkl.eu/df9edde16f62f9c418143cf744353a00dbf6d01d.jpg"
	}
}