{
	"id": "6efb35bd-50d8-496a-8f77-fd16b4890504",
	"created_at": "2026-04-06T00:21:04.305658Z",
	"updated_at": "2026-04-10T13:12:09.0596Z",
	"deleted_at": null,
	"sha1_hash": "f766cda4ca266b418a98c1d65a105b3851878316",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51048,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:54:16 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool FastPOS\n Tool: FastPOS\nNames FastPOS\nCategory Malware\nType POS malware, Backdoor, Keylogger, Credential stealer\nDescription\n(Trend Micro) How do the components make the entire system work? The main file extracts\nall components and passes control to the main service (serv32.exe). The main service creates\nand monitors a central communication medium and directly sends all received information to\nthe C\u0026C server. The keylogger components (Kl32.exe/Kl64.exe) hook the keyboard then\ncommunicate with the main service to send logged keystrokes to the C\u0026C server. The RAM\nscraper modules monitor processes and scan for credit card track data, which are then sent to\nthe main service.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 02 August 2020\nDownload this tool card in JSON format\nAll groups using tool FastPOS\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=367c3161-847f-4f81-a69f-d70fa65db070\nPage 1 of 2\n\nOther groups\r\n  Infraud Organization [Various] 2010-Jul 2020\r\n1 group listed (0 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=367c3161-847f-4f81-a69f-d70fa65db070\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=367c3161-847f-4f81-a69f-d70fa65db070\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=367c3161-847f-4f81-a69f-d70fa65db070"
	],
	"report_names": [
		"listgroups.cgi?u=367c3161-847f-4f81-a69f-d70fa65db070"
	],
	"threat_actors": [
		{
			"id": "43cfcac9-ab2f-4f7d-ad3b-b2c09fb672b5",
			"created_at": "2022-10-25T16:07:24.499018Z",
			"updated_at": "2026-04-10T02:00:05.012584Z",
			"deleted_at": null,
			"main_name": "Infraud Organization",
			"aliases": [
				"Operation Shadow Web"
			],
			"source_name": "ETDA:Infraud Organization",
			"tools": [
				"FastPOS"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f766cda4ca266b418a98c1d65a105b3851878316.pdf",
		"text": "https://archive.orkl.eu/f766cda4ca266b418a98c1d65a105b3851878316.txt",
		"img": "https://archive.orkl.eu/f766cda4ca266b418a98c1d65a105b3851878316.jpg"
	}
}