{ "id": "f981fd10-1f2a-4e69-8d72-dfc7cbc85f88", "created_at": "2026-04-06T00:17:01.562661Z", "updated_at": "2026-04-10T03:36:16.813096Z", "deleted_at": null, "sha1_hash": "ee799a8d36a5d7bb09176adf87295902998c3aaf", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49834, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:35:57 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool RawPOS\n Tool: RawPOS\nNames\nRawPOS\nFIENDCRY\nDUEBREW\nDRIFTWOOD\nCategory Malware\nType POS malware, Backdoor, Info stealer\nDescription\n(Trend Micro) Despite being one of the oldest Point-of-Sale (PoS) RAM scraper\nmalware families out in the wild, RawPOS (detected by Trend Micro as\nTSPY_RAWPOS) is still very active today, with the threat actors behind it primarily\nfocusing on the lucrative multibillion-dollar hospitality industry. While the threat actor’s\ntools for lateral movement, as well as RawPOS’ components, remain consistent, new\nbehavior from the malware puts its victims at greater risk via potential identity theft.\nSpecifically, this new behavior involves RawPOS stealing the driver’s license\ninformation from the user to aid in the threat group’s malicious activities.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 25 May 2020\nDownload this tool card in JSON format\nAll groups using tool RawPOS\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=72670111-f95a-423c-a296-f424939cc08e\nPage 1 of 2\n\nAPT groups\r\n  FIN5 [Unknown] 2008  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=72670111-f95a-423c-a296-f424939cc08e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=72670111-f95a-423c-a296-f424939cc08e\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=72670111-f95a-423c-a296-f424939cc08e" ], "report_names": [ "listgroups.cgi?u=72670111-f95a-423c-a296-f424939cc08e" ], "threat_actors": [ { "id": "fa3bc740-8ffc-4a49-a78f-e1f6d0d85c2b", "created_at": "2022-10-25T15:50:23.528058Z", "updated_at": "2026-04-10T02:00:05.374772Z", "deleted_at": null, "main_name": "FIN5", "aliases": [ "FIN5" ], "source_name": "MITRE:FIN5", "tools": [ "Windows Credential Editor", "PsExec", "FLIPSIDE", "pwdump", "SDelete", "RawPOS" ], "source_id": "MITRE", "reports": null }, { "id": "7e5e725c-4de5-4e14-a702-d84d23d973e9", "created_at": "2023-01-06T13:46:38.965779Z", "updated_at": "2026-04-10T02:00:03.165531Z", "deleted_at": null, "main_name": "FIN5", "aliases": [ "G0053" ], "source_name": "MISPGALAXY:FIN5", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "820ea41f-a798-4eb9-b296-530b784c1adc", "created_at": "2022-10-25T16:07:23.613805Z", "updated_at": "2026-04-10T02:00:04.688029Z", "deleted_at": null, "main_name": "FIN5", "aliases": [ "G0053" ], "source_name": "ETDA:FIN5", "tools": [ "DRIFTWOOD", "DUEBREW", "FIENDCRY", "FLIPSIDE", "RawPOS", "SDelete", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "pwdump" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434621, "ts_updated_at": 1775792176, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ee799a8d36a5d7bb09176adf87295902998c3aaf.pdf", "text": "https://archive.orkl.eu/ee799a8d36a5d7bb09176adf87295902998c3aaf.txt", "img": "https://archive.orkl.eu/ee799a8d36a5d7bb09176adf87295902998c3aaf.jpg" } }