{
	"id": "f95e7c1a-32e1-4276-9ab8-64cced24b5df",
	"created_at": "2026-04-06T00:09:21.577992Z",
	"updated_at": "2026-04-10T03:20:44.392588Z",
	"deleted_at": null,
	"sha1_hash": "38ff28c29b98fea6a51a96564f4e88eadf8b85bb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47952,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:46:29 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool TOITOIN\r\n Tool: TOITOIN\r\nNames TOITOIN\r\nCategory Malware\r\nType Banking trojan, Backdoor, Info stealer, Credential stealer\r\nDescription\r\n(Zscaler) In the ever-evolving landscape of cyber threats, researchers from Zscaler ThreatLabz\r\nhave recently uncovered a concerning development: a new targeted attack campaign striking\r\nbusinesses in the Latin American (LATAM) region. This sophisticated campaign employs a\r\ntrojan that follows a multi-staged infection chain, utilizing specially crafted modules\r\nthroughout each stage. These modules are custom designed to carry out malicious activities,\r\nsuch as injecting harmful code into remote processes, circumventing User Account Control via\r\nCOM Elevation Moniker, and evading detection by Sandboxes through clever techniques like\r\nsystem reboots and parent process checks. The ultimate payload of this campaign is a new\r\nLatin American Trojan called TOITOIN, which incorporates a unique XOR decryption\r\ntechnique to decode its configuration file. Once decrypted, the trojan gathers crucial system\r\ninformation, as well as data pertaining to installed browsers and the Topaz OFD Protection\r\nModule, before sending it to the command and control server of the attackers in an encoded\r\nformat.\r\nInformation\r\n\u003chttps://www.zscaler.com/blogs/security-research/toitoin-trojan-analyzing-new-multi-stage-attack-targeting-latam-region\u003e\r\nLast change to this tool card: 05 September 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool TOITOIN\r\nChanged Name Country Observed\r\nUnknown groups\r\n  _[ Interesting malware not linked to an actor yet ]_  \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=75cbad82-cb51-401e-ac27-4cc29b29b1c3\r\nPage 1 of 2\n\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=75cbad82-cb51-401e-ac27-4cc29b29b1c3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=75cbad82-cb51-401e-ac27-4cc29b29b1c3\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=75cbad82-cb51-401e-ac27-4cc29b29b1c3"
	],
	"report_names": [
		"listgroups.cgi?u=75cbad82-cb51-401e-ac27-4cc29b29b1c3"
	],
	"threat_actors": [],
	"ts_created_at": 1775434161,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38ff28c29b98fea6a51a96564f4e88eadf8b85bb.pdf",
		"text": "https://archive.orkl.eu/38ff28c29b98fea6a51a96564f4e88eadf8b85bb.txt",
		"img": "https://archive.orkl.eu/38ff28c29b98fea6a51a96564f4e88eadf8b85bb.jpg"
	}
}