{"id":1374,"date":"2025-06-07T00:55:56","date_gmt":"2025-06-07T00:55:56","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=1374"},"modified":"2025-06-07T00:55:56","modified_gmt":"2025-06-07T00:55:56","slug":"golden-piranha-a-new-threat-discovered-by-scilabs","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2025\/06\/07\/golden-piranha-a-new-threat-discovered-by-scilabs\/","title":{"rendered":"Golden Piranha, a new threat discovered by SCILabs"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"446\" height=\"527\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/Logo.jpg\" alt=\"\" class=\"wp-image-1398\" style=\"width:311px;height:auto\" \/><\/figure><\/div>\n\n\n<p>This report aims to describe the TTPs and provide indicators of compromise related to a new banking trojan identified and named by SCILabs as <em>Golden Piranha<\/em>. One of the characteristics of this threat is the use of malicious Google Chrome extensions to steal information entered by users in banking website forms (described later in this report). 
The stolen data is sent to the operators via an open WebSocket <a href=\"https:\/\/www.ionos.mx\/digitalguide\/paginas-web\/desarrollo-web\/que-es-websocket\/\" data-type=\"link\" data-id=\"https:\/\/www.ionos.mx\/digitalguide\/paginas-web\/desarrollo-web\/que-es-websocket\/\">connection<\/a>.<\/p>\n\n\n\n<p>The main objective of <em>Golden Piranha<\/em> is to steal information from financial institutions, particularly in Brazil, such as Banco do Brasil and Banco Caixa, through the <a href=\"https:\/\/www.welivesecurity.com\/la-es\/2014\/07\/11\/man-in-the-browser-como-pueden-interceptar-navegador\/\" data-type=\"link\" data-id=\"https:\/\/www.welivesecurity.com\/la-es\/2014\/07\/11\/man-in-the-browser-como-pueden-interceptar-navegador\/\">Man-in-the-Browser <\/a>technique.<\/p>\n\n\n\n<p>Although SCILabs could not recover this trojan&#8217;s initial access method, the evidence uncovered during the investigation strongly suggests that it was distributed via phishing emails that appear to be linked to the national firefighting system.<\/p>\n\n\n\n<p>Based on malware research and analysis, SCILabs determined, with a high confidence level, that the <em>Golden Piranha<\/em> campaigns observed up to this report were targeted at Brazil.<\/p>\n\n\n\n<p>Furthermore, some of the artifacts identified during the investigation and used in the infection chain have not been detected by some of the security solutions included in the VirusTotal platform, thereby increasing the risk of compromise for employees at various organizations. Companies must remain alert to this threat.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">How could <em>Golden Piranha<\/em> affect an organization?<\/h1>\n\n\n\n<p><em>Golden Piranha<\/em> can steal banking information belonging to all users, including organizational employees. 
If an attack within an organization is successful, cybercriminals can leak or sell stolen information on clandestine Dark Web forums or the black market, posing a threat to the confidentiality, integrity, and availability of information and potentially causing financial and reputational losses.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Analysis<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Threat context<\/strong><\/h2>\n\n\n\n<p>Through open source intelligence processes and continuous monitoring of threats in the Latin American region, between the first and second weeks of April 2025, SCILabs identified the URL <strong>hxxps[:]\/\/almeida[.]clientepj[.]com<\/strong>, which corresponds to a site that hosted various legitimate and malicious files (described in the next section of this report), among which the different droppers used during the <em>Golden Piranha<\/em> infection chain were located.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"984\" height=\"650\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/Figura1.jpg\" alt=\"\" class=\"wp-image-1375\" style=\"width:753px;height:auto\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 1. 
Fragment of some files found on the storage server<\/strong><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\"><strong>Technical summary<\/strong><\/h2>\n\n\n\n<p>SCILabs analyzed all files and directories found within the storage repository used by the <em>Golden Piranha<\/em> operators, obtaining the results shown in Table 1.<\/p>\n\n\n\n<p>Among the legitimate artifacts, installers for the <a href=\"https:\/\/syncromsp.com\/blog\/what-is-remote-it-management\/\" data-type=\"link\" data-id=\"https:\/\/syncromsp.com\/blog\/what-is-remote-it-management\/\">Syncro <\/a>remote administration tool were identified, as described by SCILabs in a previous report, released in April of this year, in which its distribution was observed in a malicious campaign impersonating the Attorney General&#8217;s Office (Mexico). It is also relevant to mention that adversaries have recently focused on distributing and installing remote administration tools. Hence, SCILabs hypothesizes, with a medium level of confidence, that the <em>Golden Piranha<\/em> operators may use this mechanism soon.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>File name<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td><strong>NotaFiscal25.exe<\/strong> (SCILabs did not identify that it was used during the infection chain) <strong>Nf-e25.exe<\/strong> (SCILabs did not identify that it was used during the infection chain)<\/td><td>Legitimate binaries of the Syncro Remote Management Tool<\/td><\/tr><tr><td><strong>nfee.exe<\/strong> (SCILabs did not identify that it was used during the infection chain) <strong>nfe010425.exe<\/strong> (SCILabs did not identify that it was used during the infection chain)<\/td><td>Legitimate <a href=\"https:\/\/www.gov.br\/esocial\/pt-br\/documentacao-tecnica\/manuais\/manual-do-usuario-esocial-web-processo-trabalhista.pdf\" data-type=\"link\" 
data-id=\"https:\/\/www.gov.br\/esocial\/pt-br\/documentacao-tecnica\/manuais\/manual-do-usuario-esocial-web-processo-trabalhista.pdf\">Proceso Trabalhista<\/a> executable that performs a system validation<\/td><\/tr><tr><td><strong>avast.exe<\/strong> (SCILabs did not identify that it was used during the infection chain)<\/td><td>Legitimate <a href=\"https:\/\/www.avast.com\/es-mx\/index#pc\" data-type=\"link\" data-id=\"https:\/\/www.avast.com\/es-mx\/index#pc\">Avast installer<\/a><\/td><\/tr><tr><td><strong>bola.exe<\/strong> (SCILabs did not identify that it was used during the infection chain)<\/td><td>Binary associated with <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution\/\" data-type=\"link\" data-id=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution\/\">Amadey<\/a><\/td><\/tr><tr><td><strong>resultados.txt<\/strong><\/td><td>A plain text file with URLs most likely used by <em>Golden Piranha<\/em> operators<\/td><\/tr><tr><td><strong>naosei.msi<\/strong><\/td><td><em>Golden Piranha<\/em> dropper (explained in detail later in this report)<\/td><\/tr><tr><td><strong>NotaFiscal1.25.bat<\/strong><\/td><td><em>Golden Piranha<\/em> dropper (explained in detail later in this report)<\/td><\/tr><tr><td><strong>Proceso Trabalhista.bat<\/strong><\/td><td><em>Golden Piranha<\/em> dropper (explained in detail later in this report)<\/td><\/tr><tr><td><strong>cliente.ps1<\/strong><\/td><td><em>Golden Piranha<\/em> dropper (explained in detail later in this report)<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\"><strong>Table 1. 
Description of the files found at the attacker\u2019s server by SCILabs<\/strong><\/figcaption><\/figure>\n\n\n\n<p>SCILabs could not determine the distribution method of <em>Golden Piranha<\/em>; however, based on experience with similar infections and the content found in the <strong><em>resultados.txt<\/em> <\/strong>file, we believe with a high level of confidence that it is spread via mass phishing email campaigns.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"853\" height=\"480\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura2.jpg\" alt=\"\" class=\"wp-image-1376\" style=\"width:668px;height:auto\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 2. Fragment of the file resultados.txt<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>In addition to the <strong>resultados.txt<\/strong> file, SCILabs identified three artifacts of interest due to their content and the subsequent infection they initiate. These files correspond to the <em>Golden Piranha<\/em> droppers. Their functionalities are detailed below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Proceso Trabalhista.bat<\/strong> and <strong>NotaFiscal1.25.bat<\/strong>: Both files have identical content and correspond to the first <em>Golden Piranha<\/em> dropper. 
Their names reinforce the hypothesis that this artifact is distributed via phishing emails, likely using pretexts related to tax bills or labor lawsuits.<\/li>\n<\/ul>\n\n\n\n<p>During the analysis of the malicious code, SCILabs made the following key findings:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The comments are written in Portuguese (pt-BR).<\/li>\n\n\n\n<li>It hides the command output on the console.<\/li>\n\n\n\n<li>It checks if it is being executed with administrator\u2019s permission; otherwise, it prompts the user to execute it with the necessary permissions.<\/li>\n\n\n\n<li>It checks if PowerShell is installed on the system. If not, it attempts to install the modules <a href=\"https:\/\/learn.microsoft.com\/en-us\/nuget\/reference\/ps-reference\/ps-ref-install-package\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/nuget\/reference\/ps-reference\/ps-ref-install-package\">NuGet<\/a>, <a href=\"https:\/\/learn.microsoft.com\/es-es\/powershell\/gallery\/powershellget\/install-powershellget?view=powershellget-3.x\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/es-es\/powershell\/gallery\/powershellget\/install-powershellget?view=powershellget-3.x\">PowerShellGet <\/a>and <a href=\"https:\/\/learn.microsoft.com\/es-es\/powershell\/module\/psreadline\/about\/about_psreadline?view=powershell-7.5\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/es-es\/powershell\/module\/psreadline\/about\/about_psreadline?view=powershell-7.5\">PSReadline<\/a>.<\/li>\n\n\n\n<li>It downloads the next <em>Golden Piranha<\/em> dropper from the URL hxxps[:]\/\/enota[.]clientepj[.]com\/cliente[.]ps1.<\/li>\n\n\n\n<li>It stores the downloaded artifact in %TEMP%.<\/li>\n\n\n\n<li>It runs the cliente.ps1 file in stealth mode.<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1058\" height=\"354\" 
src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura3.jpg\" alt=\"\" class=\"wp-image-1377\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 3. Fragment of code used as dropper by Golden Piranha<\/strong><\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>cliente.ps1<\/strong>: PowerShell script that corresponds to the second dropper in the <em>Golden Piranha<\/em> infection. During the analysis of the malicious code, SCILabs found the following peculiarities:<\/li>\n<\/ul>\n\n\n\n<p>1.- The comments are written in Portuguese (pt-BR).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"796\" height=\"281\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura4.jpg\" alt=\"\" class=\"wp-image-1378\" style=\"width:640px;height:auto\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 4. Fragment of code used in the second dropper of Golden Piranha (language)<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>2.- It verifies if the script is not already running, allowing only one instance at a time. Otherwise, it opens a window for the victim, indicating that the process is running on the system.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1091\" height=\"482\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/Figura5.jpg\" alt=\"\" class=\"wp-image-1379\" style=\"width:951px;height:auto\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 5. Fragment of code used in the second dropper of Golden Piranha (execution verification)<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>3.- It verifies that the script is running as an administrator. 
If not, it relaunches itself to request privilege elevation and bypass <a href=\"https:\/\/learn.microsoft.com\/es-es\/powershell\/module\/microsoft.powershell.core\/about\/about_execution_policies?view=powershell-7.4\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/es-es\/powershell\/module\/microsoft.powershell.core\/about\/about_execution_policies?view=powershell-7.4\">PowerShell execution policies<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1262\" height=\"120\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura6.jpg\" alt=\"\" class=\"wp-image-1380\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 6. Fragment of code used in the second dropper of Golden Piranha (privileges verification)<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>4.- The script establishes persistence by creating a registry key inside <em>%HKEY_CURRENT_USER%\\PWsecurity<\/em>, which is responsible for executing the first <em>Golden Piranha<\/em> dropper during each login.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1032\" height=\"406\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/Figura8.jpg\" alt=\"\" class=\"wp-image-1382\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 7. Fragment of code used in the second dropper of Golden Piranha (persistence generation)<\/strong><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"925\" height=\"217\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura7.jpg\" alt=\"\" class=\"wp-image-1381\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 8. 
Persistence generated by Golden Piranha<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>5.- Disables User Account Control (<a href=\"https:\/\/answers.microsoft.com\/es-es\/windows\/forum\/all\/activar-o-desactivar-el-control-de-cuentas-de\/46cacd85-b45d-4fbf-bec7-d51dcf14f8a0\" data-type=\"link\" data-id=\"https:\/\/answers.microsoft.com\/es-es\/windows\/forum\/all\/activar-o-desactivar-el-control-de-cuentas-de\/46cacd85-b45d-4fbf-bec7-d51dcf14f8a0\">UAC<\/a>), thereby preventing unauthorized access.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1153\" height=\"176\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura9.jpg\" alt=\"\" class=\"wp-image-1383\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 9. Fragment of code used in the second dropper of Golden Piranha (UAC modification)<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>6.- The script verifies that Google Chrome is installed on the infected device to ensure the malicious extension can be installed. Without this browser, the malware cannot complete its infection chain.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1033\" height=\"393\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura10.jpg\" alt=\"\" class=\"wp-image-1384\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 10. Fragment of code used in the second dropper of Golden Piranha (Google Chrome validation)<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>7.- It obtains operating system information, such as distribution, version, and IP address. 
This information, together with a counter, is then sent to the attacker&#8217;s command and control server, where it is logged.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1192\" height=\"770\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura11.jpg\" alt=\"\" class=\"wp-image-1385\" style=\"width:876px;height:auto\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 11. Fragment of code used in the second dropper of Golden Piranha (OS information)<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>8.- SCILabs identified that one of the main characteristics of this malware is verifying the existence of the <a href=\"https:\/\/warsaw1.software.informer.com\/\" data-type=\"link\" data-id=\"https:\/\/warsaw1.software.informer.com\/\">Warsaw<\/a> service, a security module that acts as a <a href=\"https:\/\/azure.microsoft.com\/es-es\/resources\/cloud-computing-dictionary\/what-is-middleware\" data-type=\"link\" data-id=\"https:\/\/azure.microsoft.com\/es-es\/resources\/cloud-computing-dictionary\/what-is-middleware\">middleware <\/a>between the web browser and banking services. It is currently installed automatically when visiting online banking sites from Brazilian banks, including Banco do Brasil, Caixa Econ\u00f4mica Federal, Ita\u00fa Unibanco, Bradesco, Santander Brasil, among others.<\/p>\n\n\n\n<p>That said, SCILabs determined with a high level of confidence that the <em>Golden Piranha<\/em> campaign is specifically targeting Brazil, particularly banks that use the Warsaw security module.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"853\" height=\"251\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura12.jpg\" alt=\"\" class=\"wp-image-1386\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 12. 
Fragment of code used in the second dropper of Golden Piranha (Warsaw validation)<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>9.- Finally, the malware downloads the malicious extension, forces its installation into Google Chrome, and restarts the browser for the changes to take effect.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1175\" height=\"89\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura13.jpg\" alt=\"\" class=\"wp-image-1387\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 13. Fragment of code used in the second dropper of Golden Piranha (malicious extension installation)<\/strong><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>naosei.msi<\/strong>: In addition to the two previous <em>Golden Piranha<\/em> droppers, SCILabs identified a file with an MSI extension named &#8220;naosei&#8221; within the malware storage server. Its purpose is to install the malicious Google Chrome extension without downloading it directly from a repository or the Google Chrome app store, as the installation file is embedded in the MSI file.<\/li>\n<\/ul>\n\n\n\n<p>Considering the above, the <em>Golden Piranha<\/em> distribution method likely involves either the previously identified droppers or just the MSI file, which serves the same purpose.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"688\" height=\"403\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura14.jpg\" alt=\"\" class=\"wp-image-1388\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 14. 
Installation files of the malicious extension embedded in the MSI file<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>According to the analysis conducted by SCILabs, the malicious extension is named &#8220;Seguran\u00e7a PJ,&#8221; with version 101.701.15 and the identifier <strong>nplfchpahihleeejpjmodggckakhglee<\/strong>. Its description claims to offer a security diagnosis for clients (legal entities). It was published in March 2025.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"630\" height=\"100\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura15.jpg\" alt=\"\" class=\"wp-image-1389\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 15. <a href=\"https:\/\/chrome-stats.com\/d\/lkpiodmpjdhhhkdhdbnncigggodgdfli\" data-type=\"link\" data-id=\"https:\/\/chrome-stats.com\/d\/lkpiodmpjdhhhkdhdbnncigggodgdfli\">Malicious extension<\/a> data related to the publication<\/strong><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1001\" height=\"274\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura16.jpg\" alt=\"\" class=\"wp-image-1390\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 16. 
Appearance and description of Golden Piranha malicious extension<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>It is essential to note that, as of this report&#8217;s release, the potential threat actor behind this malicious extension has two published developments, both in 2025 (one in January and the other in March), totaling more than 700 users.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"489\" height=\"140\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura17.jpg\" alt=\"\" class=\"wp-image-1391\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 17. Malicious extension developer information<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>On the other hand, it is worth noting that both developments have similar names (&#8220;Diagnostico Seguran\u00e7a PJ&#8221; and &#8220;Seguran\u00e7a PJ&#8221;), referring to security diagnostics. Furthermore, the source code and behavior of both are the same. Therefore, from now on, only one of them will be described.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"616\" height=\"284\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura18.jpg\" alt=\"\" class=\"wp-image-1392\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 18. Malicious extensions of Golden Piranha<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>The malicious extension has various default permissions, including the ability to read browsing history, block content on any page, read and modify all data on the websites the victim visits, and access payment controllers. 
These permissions enable attackers to obtain and manipulate a wide range of information, particularly data associated with banking sites.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1082\" height=\"322\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura19.jpg\" alt=\"\" class=\"wp-image-1393\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 19. Default privileges of the malicious extension of Golden Piranha<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>Additionally, the following relevant findings were obtained regarding the extension:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The extension monitors all outgoing browser requests, especially those using the POST method.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It listens for banking portal requests whose URLs include the following routes, and then analyzes the headers and bodies of those requests to extract sensitive information.<\/li>\n<\/ul>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\/login<\/li>\n\n\n\n<li>\/login\/token<\/li>\n\n\n\n<li>\/armazenar-senha-conta<\/li>\n\n\n\n<li>\/aapj\/consultas\/<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1240\" height=\"290\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura20.jpg\" alt=\"\" class=\"wp-image-1394\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 20. 
Code fragment of the malicious extension (routes monitoring)<\/strong><\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>If the URL contains the path \/login, \/armazenar-senha-conta, or \/login\/token, the <a href=\"https:\/\/developer.mozilla.org\/es\/docs\/Web\/API\/Fetch_API\" data-type=\"link\" data-id=\"https:\/\/developer.mozilla.org\/es\/docs\/Web\/API\/Fetch_API\">fetch<\/a> method extracts the password (senhaContaSelecao), contract number (numeroContratoOrigem), and source dependency (dependenciaOrigem) parameters.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"521\" height=\"191\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura21.jpg\" alt=\"\" class=\"wp-image-1395\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 21. Code fragment of the malicious extension (variables dedicated to extracting information)<\/strong><\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>If the URL contains the path \/aapj\/consultas\/, it extracts the same data but does so using the <a href=\"https:\/\/developer.mozilla.org\/es\/docs\/Web\/API\/FormData\" data-type=\"link\" data-id=\"https:\/\/developer.mozilla.org\/es\/docs\/Web\/API\/FormData\">FormData<\/a> API.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1176\" height=\"162\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura22.jpg\" alt=\"\" class=\"wp-image-1396\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 22. 
Code fragment of the malicious extension (data extraction using FormData)<\/strong><\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Finally, the data obtained is packaged and sent to the <em>Golden Piranha<\/em> operators&#8217; command and control server.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1190\" height=\"106\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/figura24.jpg\" alt=\"\" class=\"wp-image-1397\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 23. Code fragment of the malicious extension (Command and control server)<\/strong><\/figcaption><\/figure>\n\n\n\n<p>1. The victim receives a phishing email that impersonates the site bomberirocivil.com.br, using as a pretext an alleged security inspection visit.<\/p>\n\n\n\n<p>2. The email likely contains a hyperlink or button directing to an automatic download site that delivers the first <em>Golden Piranha<\/em> dropper.<\/p>\n\n\n\n<p>3. In the first case, the dropper is an MSI file with the malicious extension embedded in it, which it then installs. In the second case, the first dropper is a BAT-type batch file that, when executed, downloads a PowerShell script.<\/p>\n\n\n\n<p>3.1 The PowerShell script checks the victim&#8217;s system. If the checks succeed, it installs the malicious extension.<\/p>\n\n\n\n<p>4. The extension waits for requests to banking portals whose URLs contain the following paths, subsequently analyzing the headers and bodies of these requests to extract sensitive information.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\/login<\/li>\n\n\n\n<li>\/login\/token<\/li>\n\n\n\n<li>\/armazenar-senha-conta<\/li>\n\n\n\n<li>\/aapj\/consultas<\/li>\n<\/ul>\n\n\n\n<p>5. 
If the URL contains the path \/login, \/armazenar-senha-conta, or \/login\/token, the fetch method extracts the password (senhaContaSelecao), contract number (numeroContratoOrigem), and source dependency (dependenciaOrigem) parameters.<\/p>\n\n\n\n<p>6. If the URL contains the path \/aapj\/consultas\/, it extracts the same data but does so using the FormData API.<\/p>\n\n\n\n<p>7. The obtained data is packaged and sent to the <em>Golden Piranha<\/em> operators&#8217; command and control server.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Flow chart of <em>Golden Piranha<\/em> attack<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1260\" height=\"741\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/flow.jpg\" alt=\"\" class=\"wp-image-1403\" \/><figcaption class=\"wp-element-caption\"><strong>Figure 24. Flow chart of <em>Golden Piranha<\/em> attack<\/strong><\/figcaption><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Observed TTPs aligned to MITRE ATT&amp;CK\u00ae framework<\/h1>\n\n\n\n<p>The following TTPs (except the initial access method) were obtained through malware analysis processes performed by SCILabs.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1133\" height=\"596\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2025\/06\/tabla2.jpg\" alt=\"\" class=\"wp-image-1399\" \/><figcaption class=\"wp-element-caption\"><strong>Table 2. Observed TTPs aligned to ATT&amp;CK\u00ae framework<\/strong><\/figcaption><\/figure><\/div>\n\n\n<h1 class=\"wp-block-heading\">Assessment<\/h1>\n\n\n\n<p>SCILabs considers <em>Golden Piranha<\/em> a significant threat in the region due to its infection techniques. It specifically targets online banking users in Brazil by verifying the installation of Warsaw on compromised systems. 
Furthermore, it evades defense mechanisms by modifying script execution policies and has a low detection rate on some security solutions, making it difficult for victims to detect.<\/p>\n\n\n\n<p>Based on the evidence collected during this investigation, SCILabs determined, with high confidence, that this threat primarily targets users and banks in Brazil. However, given the high rate at which new extensions are released, its activity may soon expand to other Latin American countries, including Mexico. Furthermore, based on the artifacts and infrastructure analyzed, it is believed that <em>Golden Piranha<\/em> will continue to be present in the region (specifically in Brazil) in the coming months, utilizing a similar attack flow in its campaigns, but making minor modifications to its infrastructure and TTPs.<\/p>\n\n\n\n<p>Institutions and businesses must monitor TTP updates and indicators of compromise to reduce the risk of infection and mitigate the impact of banking information theft on their operations.<\/p>\n\n\n\n<p>SCILabs will continue monitoring the activity of this malware and providing IoCs in order to identify the initial access method, strengthen customer security, and give timely notification of future campaigns involving this threat.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>RECOMMENDATIONS TO PREVENT OR REDUCE THE IMPACT OF <em>GOLDEN PIRANHA<\/em> INFECTIONS<\/strong><\/h2>\n\n\n\n<p>Based on the analysis, SCILabs makes the following recommendations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Conduct awareness campaigns about social engineering techniques and the campaigns used by attackers to distribute this type of malware.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Have strict policies regarding using and installing add-ons or extensions in the organization&#8217;s web browsers, especially Google Chrome.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Conduct constant monitoring for malicious add-ons or extensions in your 
organization&#8217;s browsers, especially those related to supposed security checks.<\/li>\n<li>Conduct threat hunting on the organization&#8217;s devices for suspicious registry keys, especially those named <em>%HKEY_CURRENT_USER%\\PWsecurity<\/em> used by <em>Golden Piranha<\/em>.<\/li>\n<li>Verify the legitimacy, source, and developer of the extensions you authorize in your organization, even if they are found in the official browser stores.<\/li>\n<li>Add the indicators of compromise reflected in this research to your security solutions.<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">To feed your cybersecurity tools<\/h1>\n\n\n\n<p>The following indicators were obtained from malware analysis conducted by SCILabs, so they have a <strong>HIGH<\/strong> level of confidence.<\/p>\n\n\n\n<p><strong>SHA256 hashes<\/strong><\/p>\n\n\n\n<p>AF1E5E929840FD80927B420C46B3EAF1F52FC74A8A2936EAE7F4A764791DDA99<\/p>\n\n\n\n<p>84463241F0B57598E336497A4F221F2B2A447EEA56EE37A9A14F48A2AF800029<\/p>\n\n\n\n<p>53B4EE35CFCDB0AF3A33DCCA4198C4F835371BBE68A38370E2189D58A13B3754<\/p>\n\n\n\n<p>F349010A752484DF873C6B00F9949BD986052E28660FB9DA4D50A9FE6546A61F<\/p>\n\n\n\n<p>499BDED154151CB3B4CAD7D15DE043BEC60C8689F70FE8739FAFB6AEF9C711F1<\/p>\n\n\n\n<p><strong>URLs of phishing-generation 
sites<\/strong><\/p>\n\n\n\n<p><strong>Download
URL<\/strong><\/p>\n\n\n\n<p>hxxps[:]\/\/enota[.]clientepj[.]com\/cliente[.]ps1<\/p>\n\n\n\n<p>hxxps[:]\/\/almeida.clientepj[.]com<\/p>\n\n\n\n<p><strong>Command and Control server<\/strong><\/p>\n\n\n\n<p>hxxps[:]\/\/almeida.clientepj[.]com\/almeida\/contador[.]php<\/p>\n\n\n\n<p><strong>Identification numbers of malicious extensions<\/strong><\/p>\n\n\n\n<p>Nplfchpahihleeejpjmodggckakhglee<\/p>\n\n\n\n<p>lkpiodmpjdhhhkdhdbnncigggodgdfli<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This report aims to describe the TTPs and provide indicators of compromise related to a new banking trojan identified and<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,4],"tags":[8,9,14,15,18],"class_list":["post-1374","post","type-post","status-publish","format-standard","hentry","category-campaign","category-malware","tag-banker","tag-banking-trojan","tag-latam","tag-malware","tag-trojan"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=1374"}],"version-history":[{"count":6,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1374\/revisions"}],"predecessor-version":[{"id":1454,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1374\/revisions\/1454"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=1374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=1374"},{"taxonomy":"pos
t_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=1374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}