{ "id": "d5b3eaee-1f5c-4c9a-a216-7b24cd41ea12", "created_at": "2026-04-06T00:10:54.056435Z", "updated_at": "2026-04-10T03:30:33.828729Z", "deleted_at": null, "sha1_hash": "e5223dfad7d396b751954a34cb06576439deeecf", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50031, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 10:43:29 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PixStealer\n Tool: PixStealer\nNames\nPixStealer\nBrazKing\nCategory Malware\nType Banking trojan, Info stealer, Credential stealer\nDescription\n(Check Point) The PixStealer malware’s internal name is “Pag Cashback 1.4″. It was\ndistributed on Google Play as a fake PagBank Cashback service and targeted only the\nBrazilian PagBank.\nThe package name com.pagcashback.beta indicates the application might be in the beta stage.\nPixStealer uses a “less is more” technique: as a very small app with minimum permissions and\nno connection to a C\u0026C, it has only one function: transfer all of the victim’s funds to an actor-controlled account.\nWith this approach, the malware cannot update itself by communicating with a C\u0026C, or steal\nand upload any information about the victims, but achieves the very important goal: to stay\nundetectable.\nInformation\nMalpedia Last change to this tool card: 27 December 2022\nDownload this tool card in JSON format\nAll groups using tool PixStealer\nChanged Name Country Observed\nUnknown groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=57ed45f3-db97-4bb6-a5f6-cb83a1f0fc16\nPage 1 of 2\n\n_[ Interesting malware not linked to an actor yet ]_  \r\n1 group listed (0 APT, 0 other, 1 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=57ed45f3-db97-4bb6-a5f6-cb83a1f0fc16\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=57ed45f3-db97-4bb6-a5f6-cb83a1f0fc16\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=57ed45f3-db97-4bb6-a5f6-cb83a1f0fc16" ], "report_names": [ "listgroups.cgi?u=57ed45f3-db97-4bb6-a5f6-cb83a1f0fc16" ], "threat_actors": [ { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434254, "ts_updated_at": 1775791833, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e5223dfad7d396b751954a34cb06576439deeecf.pdf", "text": "https://archive.orkl.eu/e5223dfad7d396b751954a34cb06576439deeecf.txt", "img": "https://archive.orkl.eu/e5223dfad7d396b751954a34cb06576439deeecf.jpg" } }