{
	"id": "4a977612-f352-4081-b686-ea34f74a627d",
	"created_at": "2026-04-06T01:30:00.818935Z",
	"updated_at": "2026-04-10T03:20:46.059161Z",
	"deleted_at": null,
	"sha1_hash": "0b2d1d5d24e25e33aa0f58d0b28a11bf3a3925de",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44397,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:55:37 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool CarnavalHeist\n Tool: CarnavalHeist\nNames CarnavalHeist\nCategory Malware\nType Banking trojan\nDescription\n(Talos) Talos assesses with high confidence that the CarnavalHeist malware is of Brazilian\norigin and primarily targets Brazilian users based on our observations of the Portuguese\nlanguage being used throughout all aspects of the infection chain and the malware itself,\nincluding the use of Brazilian slang to describe some bank names, and a notable lack of other\nlanguage variants thus far. The command and control (C2) infrastructure exclusively uses the\nBrazilSouth availability zone on Microsoft Azure to control infected machines, and they\nspecifically target prominent Brazilian financial institutions.\nInformation Last change to this tool card: 19 June 2024\nDownload this tool card in JSON format\nAll groups using tool CarnavalHeist\nChanged Name Country Observed\nUnknown groups\n _[ Interesting malware not linked to an actor yet ]_\n1 group listed (0 APT, 0 other, 1 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=136242a6-310c-466b-98a7-5c7cf9888bfc\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=136242a6-310c-466b-98a7-5c7cf9888bfc\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=136242a6-310c-466b-98a7-5c7cf9888bfc"
	],
	"report_names": [
		"listgroups.cgi?u=136242a6-310c-466b-98a7-5c7cf9888bfc"
	],
	"threat_actors": [],
	"ts_created_at": 1775439000,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b2d1d5d24e25e33aa0f58d0b28a11bf3a3925de.pdf",
		"text": "https://archive.orkl.eu/0b2d1d5d24e25e33aa0f58d0b28a11bf3a3925de.txt",
		"img": "https://archive.orkl.eu/0b2d1d5d24e25e33aa0f58d0b28a11bf3a3925de.jpg"
	}
}