VERY IMPORTANT

Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan dubbed 'CarnavalHeist'. The malware employs common tactics like financial-themed spam emails, Delphi-based DLLs, overlay attacks, and input capture techniques like keylogging and screen capture. However, it uniquely uses a Python-based loader for DLL injection and specifically targets Brazilian banking applications. Talos attributes the development and operation of CarnavalHeist to Brazilian actors identified through operational mistakes during domain registration. The campaign has been active since at least February 2024, and the trojan is still under active development.