{
	"id": "271655bc-3908-4b8c-b01c-93e4f694be60",
	"created_at": "2026-04-06T00:16:11.897487Z",
	"updated_at": "2026-04-10T03:36:00.15232Z",
	"deleted_at": null,
	"sha1_hash": "fbe34b7e34b7d2ae604ad679998b2f03dd2cbf5a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49636,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:37:24 UTC\n Tool: PsiXBot\nNames\nPsiXBot\nPsiX\nCategory Malware\nType Backdoor, Keylogger, Credential stealer, Info stealer, Downloader, Miner\nDescription\n(Fox-IT) The malware first surfaced in 2017 but has recently undergone significant\ndevelopments of its core and modules, which include the logging of keystrokes and\nstealing of Outlook and browser credentials. With these new developments done and the\nfirst large scale distributions observed in the wild, PsiXBot has officially made its debut in\nthe malware ecosystem.\nThe commands currently supported are:\n• Download\n• DownloadAndExecute\n• Execute\n• GetInstalledSoft\n• GetKeylogs\n• GetOutlook\n• GetProcessesList\n• GetScreenShot\n• GetSteallerCookies\n• GetSteallerPasswords\n• StartAndroidModule\n• StartBTC\n• StartComplexModule\n• StartKeylogger\n• StartNewComplexModule\n• StartSchedulerModule\n• StopProcess\nInformation\n\nhttps-and-possible-new-sexploitation-module\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.psix\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:psixbot\u003e\r\nLast change to this tool card: 28 December 2022\r\nAll groups using tool PsiXBot\r\nChanged Name Country Observed\r\nOther groups\r\n  TA554 [Unknown] 2017  \r\n1 group listed (0 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9fe9b905-2db4-49c2-81c1-4112c720f893",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9fe9b905-2db4-49c2-81c1-4112c720f893"
	],
	"report_names": [
		"listgroups.cgi?u=9fe9b905-2db4-49c2-81c1-4112c720f893"
	],
	"threat_actors": [
		{
			"id": "a3808e4f-c7fd-4d25-aa84-aacc27061826",
			"created_at": "2023-01-06T13:46:39.316216Z",
			"updated_at": "2026-04-10T02:00:03.285437Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "MISPGALAXY:TA554",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9be98f84-4a93-41c7-90bd-3ea66ba5bfd7",
			"created_at": "2022-10-25T16:07:24.581954Z",
			"updated_at": "2026-04-10T02:00:05.040995Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "ETDA:TA554",
			"tools": [
				"DarkVNC",
				"Godzilla",
				"Godzilla Loader",
				"Gootkit",
				"Gootloader",
				"Gozi ISFB",
				"ISFB",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Nimnul",
				"Pandemyia",
				"PsiX",
				"PsiXBot",
				"Ramnit",
				"StarsLord",
				"Waldek",
				"Xswkit",
				"sLoad",
				"talalpek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434571,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fbe34b7e34b7d2ae604ad679998b2f03dd2cbf5a.pdf",
		"text": "https://archive.orkl.eu/fbe34b7e34b7d2ae604ad679998b2f03dd2cbf5a.txt",
		"img": "https://archive.orkl.eu/fbe34b7e34b7d2ae604ad679998b2f03dd2cbf5a.jpg"
	}
}