{
	"id": "ae556d18-4390-4b8b-821c-f24f0a7b4804",
	"created_at": "2026-04-06T00:22:06.458816Z",
	"updated_at": "2026-04-10T03:31:46.656438Z",
	"deleted_at": null,
	"sha1_hash": "f30310d7fe61417e85b040ebe6c3d99279006397",
	"title": "Operation Black Atlas - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50511,
	"plain_text": "Operation Black Atlas - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 23:16:56 UTC\n APT group: Operation Black Atlas\nNames Operation Black Atlas (Trend Micro)\nCountry [Unknown]\nMotivation Financial crime\nFirst seen 2015\nDescription\n(Trend Micro) With the coming holidays also come news of various credit card breaches that\nendanger the data of many industries and their customers. High-profile breaches, such as that\nof the Hilton Hotel and other similar establishments, were accomplished using point-of-sale\n(PoS) malware, leading many to fear digital threats on brick-and-mortar retailers this\nThanksgiving, Black Friday, Cyber Monday, and the rest of the holiday season. Researchers\nalso found a broad campaign that uses the modular ModPOS malware to steal payment card\ndata from retailers in the US.\nHowever, from what we have seen, it is not only retailers in the US that are at risk of breaches.\nOur researchers recently found an early version of a potentially powerful, adaptable, and\ninvisible botnet that seeks out PoS systems within networks. It has already extended its reach\nto small and medium sized business networks all over the world, including a healthcare\norganization in the US. We are calling this operation Black Atlas, in reference to BlackPOS,\nthe malware primarily used in this operation.\nOperation Black Atlas has been around since September 2015, just in time to plant its seeds\nbefore the holiday season. 
Its targets include businesses in the healthcare, retail, and more\nindustries which rely on card payment systems.\nObserved\nSectors: Financial, Healthcare, Hospitality, Manufacturing, Retail.\nCountries: Australia, Chile, Germany, India, Taiwan, UK, USA.\nTools used Alina POS, BlackPOS, Gorynych, ModPOS, NewPosThings.\nInformation https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d9f5f715-7598-4037-a55f-a5fbc31cb14b\nLast change to this card: 24 May 2020\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d9f5f715-7598-4037-a55f-a5fbc31cb14b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d9f5f715-7598-4037-a55f-a5fbc31cb14b"
	],
	"report_names": [
		"showcard.cgi?u=d9f5f715-7598-4037-a55f-a5fbc31cb14b"
	],
	"threat_actors": [
		{
			"id": "5c457d56-6078-4a86-ac5c-e3e91fa278e7",
			"created_at": "2022-10-25T16:07:23.934665Z",
			"updated_at": "2026-04-10T02:00:04.795018Z",
			"deleted_at": null,
			"main_name": "Operation Black Atlas",
			"aliases": [],
			"source_name": "ETDA:Operation Black Atlas",
			"tools": [
				"Alina POS",
				"BlackPOS",
				"Diamond Fox",
				"DiamondFox",
				"FrameworkPOS",
				"Gorynch",
				"Gorynych",
				"Kaptoxa",
				"MMon",
				"ModPOS",
				"NewPosThings",
				"POSWDS",
				"Reedum",
				"alina_eagle",
				"alina_spark",
				"aline_joker",
				"katrina",
				"straxbot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434926,
	"ts_updated_at": 1775791906,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f30310d7fe61417e85b040ebe6c3d99279006397.pdf",
		"text": "https://archive.orkl.eu/f30310d7fe61417e85b040ebe6c3d99279006397.txt",
		"img": "https://archive.orkl.eu/f30310d7fe61417e85b040ebe6c3d99279006397.jpg"
	}
}