{
	"id": "9dfee64b-78fb-470c-a682-c42206cc4016",
	"created_at": "2026-04-06T00:18:48.345594Z",
	"updated_at": "2026-04-10T03:30:57.044732Z",
	"deleted_at": null,
	"sha1_hash": "f64c6909c11f321c688deb0c499d3abf2bb02c01",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50127,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:42:33 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Backoff\r\n Tool: Backoff\r\nNames\r\nBackoff\r\nBackoff POS\r\nCategory Malware\r\nType POS malware, Reconnaissance, Backdoor, Keylogger, Credential stealer, Botnet\r\nDescription\r\n(Trend Micro) Backoff – a successor of Alina POS (aka Track) whose variants are known for\r\nscanning all running processes to retrieve card track data and gather affected system\r\ninformation, Backoff, uses the same installation technique used in the Alina family of PoS\r\nRAM-scraping malware. Based on our research, Backoff implements an updated data search\r\nfunction and drops a watchdog process to ensure that it continuously runs in the system.\r\nDiscovered by the US Computer Emergency Readiness Team (US CERT), this PoS malware\r\ntargeted the US. Interestingly, we saw a clear decrease of hits during “dead hours” specifically\r\nat 2:00 AM, and an apparent recurring rise of hits at 10:00 AM. This trend follows regular\r\nbusiness operation hours wherein PoS devices are more likely to be active and in use.\r\nGenerally, the hits increase during business hours and decline during off-hours.\r\nInformation\r\n\u003chttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware\u003e\r\n\u003chttps://www.us-cert.gov/ncas/alerts/TA14-212A\u003e\r\n\u003chttps://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.backoff\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool Backoff\r\nChanged Name Country Observed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6dc5bc96-090e-4f1d-904a-bf9d92766450\r\nPage 1 of 2\n\nUnknown groups\r\n  _[ Interesting malware not linked to an actor yet ]_  \r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6dc5bc96-090e-4f1d-904a-bf9d92766450\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6dc5bc96-090e-4f1d-904a-bf9d92766450\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6dc5bc96-090e-4f1d-904a-bf9d92766450"
	],
	"report_names": [
		"listgroups.cgi?u=6dc5bc96-090e-4f1d-904a-bf9d92766450"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f64c6909c11f321c688deb0c499d3abf2bb02c01.pdf",
		"text": "https://archive.orkl.eu/f64c6909c11f321c688deb0c499d3abf2bb02c01.txt",
		"img": "https://archive.orkl.eu/f64c6909c11f321c688deb0c499d3abf2bb02c01.jpg"
	}
}