{
	"id": "61d3a5cd-0854-4d79-88db-303a4b0e5079",
	"created_at": "2026-04-06T00:15:26.898598Z",
	"updated_at": "2026-04-10T13:12:37.667173Z",
	"deleted_at": null,
	"sha1_hash": "516079a2cea303e6c9d125e30387791bda919bc3",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53811,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:22:59 UTC\n Tool: Mekotio\nNames\nMekotio\nMetamorfo\nCasbaneiro\nCategory Malware\nType Banking trojan, Reconnaissance, Backdoor, Keylogger, Info stealer, Credential stealer\nDescription\n(ESET) As is common for most Latin American banking trojans, Mekotio has several typical\nbackdoor capabilities. It can take screenshots, manipulate windows, simulate mouse and\nkeyboard actions, restart the machine, restrict access to various banking websites and update\nitself. Some variants are also able to steal bitcoins by replacing a bitcoin wallet in the\nclipboard and to exfiltrate credentials stored by the Google Chrome browser. Interestingly, one\ncommand is apparently intended to cripple the victim’s machine by trying to remove all files\nand folders in C:\\Windows tree.\nInformation\nMalpedia Last change to this tool card: 23 October 2024\nAll groups using tool Mekotio\r\nChanged Name Country Observed\r\nUnknown groups\r\n  _[ Interesting malware not linked to an actor yet ]_  \r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a5c752a8-eefc-4ed1-9520-0e0ae67fa892",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a5c752a8-eefc-4ed1-9520-0e0ae67fa892"
	],
	"report_names": [
		"listgroups.cgi?u=a5c752a8-eefc-4ed1-9520-0e0ae67fa892"
	],
	"threat_actors": [],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/516079a2cea303e6c9d125e30387791bda919bc3.pdf",
		"text": "https://archive.orkl.eu/516079a2cea303e6c9d125e30387791bda919bc3.txt",
		"img": "https://archive.orkl.eu/516079a2cea303e6c9d125e30387791bda919bc3.jpg"
	}
}