Tag: brazil

17 Attack Reports | 0 Vulnerabilities

Attack reports

Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp

The Water Saci campaign in Brazil is using advanced techniques to deliver banking trojans through WhatsApp. The attack chain involves various file formats and scripting languages, designed to bypass detection and increase analysis complexity. Attackers have transitioned from PowerShell to Python fo…
backdoor
python
whatsapp
powershell
casbaneiro
metamorfo
banking trojan
brazil
anti-sandbox
2025-12-02
ai-enhanced
multi-format attacks
Published: December 2, 2025
Downloadable IOCs: 0

The Mystery OAST Host Behind a Regionally Focused Exploit Operation

A long-running, attacker-operated OAST service on Google Cloud has been observed driving a focused exploit operation. The actor combines stock Nuclei templates with custom payloads to expand their reach. All observed activity targeted canaries deployed in Brazil, indicating a deliberate regional fo…
exploit
brazil
google cloud
CVE-2025-4428
CVE-2025-2611
2025-11-28
oast
fastjson
regional targeting
nuclei
scanning infrastructure
Published: November 28, 2025
Linked vulnerabilities : CVE-2025-4428, CVE-2025-2611 (CVSS 9.3)
Downloadable IOCs: 9

Brazilian Campaign: Spreading the Malware via WhatsApp

A massive phishing campaign targeting Brazil is spreading malware through WhatsApp Web using an open-source automation script and loading a banking trojan into memory. The attack begins with a phishing email containing a malicious VBS script that downloads and executes an MSI file and another VBS f…
phishing
whatsapp
autoit
banking trojan
brazil
in-memory execution
selenium
sorvepotel
2025-11-24
water-saci
Published: November 24, 2025
Downloadable IOCs: 5

New Banking Trojan Identified, Distributed Through WhatsApp

A new banking Trojan dubbed Eternidade Stealer has been identified, distributed through WhatsApp hijacking and social engineering. The malware, written in Delphi, uses IMAP to retrieve C2 addresses dynamically. It's spread via a WhatsApp worm campaign using a Python script. The attack chain involve…
social engineering
whatsapp
credential theft
banking trojan
brazil
delphi
2025-11-20
eternidade stealer
imap
Published: November 20, 2025
Linked vulnerabilities : CVE-2025-59287 (CVSS 9.8)
Downloadable IOCs: 23

Analyzing the Link Between Two Evolving Brazilian Banking Trojans

This intelligence report examines the connection between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp, using a multi-stage attack that begins with a malicious LNK file. Both trojans share similarities in their infection methods, targeting Brazilian users …
obfuscation
whatsapp
powershell
.net
banking trojan
brazil
multi-stage attack
coyote
2025-11-12
maverick
Published: November 12, 2025
Downloadable IOCs: 9

Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe

A new malware loader called Caminho, originating from Brazil, has been identified using steganography to hide .NET payloads in image files hosted on legitimate platforms. Active since March 2025, the campaign has evolved significantly, delivering various malware types across South America, Africa, …
xworm
steganography
africa
brazil
remcos rat
fileless execution
eastern europe
katz stealer
south america
loader-as-a-service
2025-10-22
caminho loader
Published: October 22, 2025
Downloadable IOCs: 0

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)

SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more…
malware
loader
phishing
whatsapp
powershell
persistence
brazil
c server
lnk file
telegram
format
2025-10-06
whatsapp web
water saci
bradesco
brazilian
turn
watsonclient
sorvepotel
Published: October 6, 2025
Downloadable IOCs: 23

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users

SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more…
malware
loader
phishing
whatsapp
powershell
persistence
brazil
c server
lnk file
telegram
format
2025-10-06
whatsapp web
water saci
bradesco
brazilian
turn
watsonclient
sorvepotel
Published: October 6, 2025
Downloadable IOCs: 0

PhantomCard: New NFC-driven Android malware emerging in Brazil

A new Android Trojan called PhantomCard is targeting banking customers in Brazil, with potential for global expansion. The malware relays NFC data from victims' banking cards to fraudsters' devices, enabling unauthorized transactions. Distributed through fake 'Google Play' pages as a 'card protecti…
malware-as-a-service
brazil
banking fraud
2025-08-14
btmob
phantomcard
ghostspy
card protection
android trojan
nfc relay
Published: August 14, 2025
Downloadable IOCs: 2

GenAI Used to Impersonate Brazil's Government Websites

Threat actors are leveraging generative AI tools like DeepSite AI and BlackBox AI to create phishing templates that closely mimic official Brazilian government websites, such as the State Department of Traffic and Ministry of Education. These malicious replicas are boosted in search results using S…
phishing
seo poisoning
brazil
government impersonation
2025-08-08
deepsite ai
blackbox ai
pix payment
generative ai
Published: August 8, 2025
Downloadable IOCs: 7

LegionLoader exposed!

LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader malware that has gained significant traction recently, amassing over 2,000 samples in weeks. The campaign appears to have started on December 19, 2024, with Brazil being the most affected country. The malware …
brazil
downloader
drive-by download
anti-sandbox
msi
multi-stage
legionloader
robotdropper
2025-02-10
satacom
dll injection
curlygate
Published: February 10, 2025
Downloadable IOCs: 108

Grandoreiro banking trojan: overview of recent versions and new tricks

Grandoreiro is a Brazilian banking trojan that has evolved into a global financial threat, targeting over 1,700 banks and 276 crypto wallets in 45 countries. Despite law enforcement efforts, the malware remains active, with new versions featuring enhanced evasion techniques like multiple Domain Gen…
credential theft
remote access
grandoreiro
banking trojan
brazil
evasion techniques
2024-10-22
financial malware
global threat
Published: October 22, 2024
Downloadable IOCs: 0

Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign Targeting Brazil With Astaroth Malware

Water Makara, a threat actor group, is targeting enterprises in Brazil with a spear phishing campaign using the Astaroth banking malware. The attackers employ obfuscated JavaScript to bypass security defenses, often impersonating official tax documents to trick users. The campaign primarily affects…
brazil
lnk files
2024-10-15
astaroth
spear phishing
domain generation algorithm
tax documents
obfuscated javascript
banking malware
Published: October 15, 2024
Downloadable IOCs: 0

Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal

This analysis uncovers a significant infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities. The attackers, likely the 8220 Gang, exploit CVE-2017-10271 and CVE-2020-14883 to deploy malware including K4Spreader, Tsunami backdoor, and cryptominers. The infection …
china
botnet
cryptomining
brazil
pwnrig
tsunami
k4spreader
weblogic
hadooken
2024-10-01
CVE-2017-10271
CVE-2020-14883
Published: October 1, 2024
Linked vulnerabilities : CVE-2023-46604, CVE-2020-14883, CVE-2017-10271
Downloadable IOCs: 62

The trojan horse that wanted to fly

Rocinante is a new strain of mobile malware originating from Brazil, capable of keylogging, stealing PII through phishing, and performing device takeover. It targets Brazilian banking institutions using a combination of Firebase messaging, HTTP traffic, WebSocket, and Telegram API for communication…
phishing
remote access
banking trojan
brazil
keylogging
mobile malware
2024-09-02
device takeover
hook
rocinante
ermac
Published: September 2, 2024
Downloadable IOCs: 4

New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan dubbed 'CarnavalHeist'. The malware employs common tactics like financial-themed spam emails, Delphi-based DLLs, overlay attacks, and input capture techniques like keylogging and screen capture. Ho…
trojan
banking
2024-05-31
brazil
keylogging
overlay
access_pc_client.dll
carnavalheist
Published: May 31, 2024
Downloadable IOCs: 61

AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America

Earlier in May, a security product detected a malicious payload aimed at stealing credentials required to access Brazilian bank accounts. The payload, named AllaSenha, is a variant of the infamous AllaKore RAT, leveraging Azure cloud infrastructure for command and control. It is specifically design…
trojan
banking
2024-05-31
brazil
allakore
azure
allasenha
stealing
credential
Published: May 31, 2024
Downloadable IOCs: 61
Click here to see more Attack Reports