{"id":1406,"date":"2025-12-05T17:46:46","date_gmt":"2025-12-05T17:46:46","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=1406"},"modified":"2025-12-05T17:46:46","modified_gmt":"2025-12-05T17:46:46","slug":"golden-boa-new-malware-operation-discovered-by-scilabs","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2025\/12\/05\/golden-boa-new-malware-operation-discovered-by-scilabs\/","title":{"rendered":"Golden Boa, new malware Operation discovered by SCILabs"},"content":{"rendered":"
\n
\"\"<\/figure><\/div>\n\n\n

The following post aims to provide information on a new malware campaign, Operation Golden Boa,<\/em> which was identified and named by SCILabs, and whose main objective is to distribute Remote Access Trojans (RATs<\/a>). It was identified in early November 2025 through threat monitoring and hunting in Latin America; however, retrohunt analysis revealed that its activity has persisted from September to November of the same year.<\/p>\n\n\n\n

SCILabs identified that this operation is primarily targeting organizations in the hospitality and tourism sectors across Latin American countries, including Argentina, Colombia, and Brazil. The attackers impersonate organizations such as Aviatur and Booking.com, using phishing emails with the pretext of alleged reservations.<\/p>\n\n\n\n

One of the campaign’s distinguishing features is that, during the delivery phase, it exploits a recently discovered vulnerability, CVE-2025-8088<\/a>, which affects WinRAR<\/a> and allows the execution of payloads using path traversal<\/a>.<\/p>\n\n\n\n

The main objective of Operation Golden Boa<\/em> is to distribute Remote Access Trojans (RATs) families such as XWorm V6<\/a><\/em> and Remcos<\/a><\/em>, whose primary purpose is to steal sensitive information of all kinds \u2014including credentials, browsing data, and stored files\u2014 as well as to enable remote control of infected computers.<\/p>\n\n\n\n

How can this affect an organization?<\/h1>\n\n\n\n

The malware variants distributed by Operation Golden Boa<\/em> can steal confidential information (such as login credentials, files stored on the computer, browsing data, and more) from all types of users, including employees of public and private entities. They also allow remote control of infected computers, so if an attack is successful within an organization, cybercriminals can leak or sell the stolen information on clandestine Dark Web forums or the black market. Furthermore, they can enable remote code execution and the delivery of new artifacts, which could trigger more sophisticated attacks such as ransomware. This would jeopardize the confidentiality, integrity, and availability of organizational systems and information, resulting in financial losses and reputational damage to clients.<\/p>\n\n\n\n

Threat context<\/h1>\n\n\n\n

In early November 2025, through threat monitoring in Latin America, SCILabs identified a phishing email that used a supposed credit card reservation as a pretext. Further investigation revealed additional emails leveraging tourism and travel-related themes, such as alleged accommodation lists, room reservations, and a supposed national tourism registry. These emails targeted accounts belonging to organizations in the hospitality and tourism sector.<\/p>\n\n\n

\n
\"\"
Figure 1. First phishing email identified<\/figcaption><\/figure><\/div>\n\n\n

In this case, the email instructs the recipient to make a reservation using a card that is supposedly attached to a compressed file. This file corresponds to the dropper that initiates the attack flow.<\/p>\n\n\n\n

During the investigation, SCILabs determined that, as with the email analyzed in this document, the operation impersonates the organizations Aviantur and Booking.com, both dedicated to travel and accommodation bookings.<\/p>\n\n\n\n

It is important to note that some of the infrastructure used in this operation belongs to legitimate websites of organizations in the hospitality and tourism sector, primarily in Latin America, that were compromised. A detailed analysis of this infrastructure is provided later in this document. Therefore, we have a high level of confidence that the identified Operation Golden Boa<\/em> is primarily aimed at affecting organizations in the hospitality and tourism sector in various Latin American countries, \u2014particularly in Colombia, Argentina, and Brazil\u2014 based on the recipients of the discovered phishing emails; however, it may also indirectly impact organizations that rely on these services.<\/p>\n\n\n\n

Technical summary<\/h1>\n\n\n\n

The phishing email contains an attachment that appears to be a RAR compressed file.<\/p>\n\n\n\n

We analyzed this attachment and determined that it is indeed a RAR file appended to the end of a PDF file.<\/p>\n\n\n

\n
\"\"
Figure 2. Code contained in the alleged compressed file<\/figcaption><\/figure><\/div>\n\n\n

This file concatenation technique<\/a> is commonly used for malware distribution; however, using PDFs with compressed files is unusual. We hypothesize, with medium confidence, that this technique is intended to evade email filtering tools, as these tools often check file signatures to detect compressed files. It is important to note that the PDF itself does not contain malicious code and it is not used during the attack flow.<\/p>\n\n\n\n

Before the RAR file decompression begins, if the user opens it, a description titled “Pol\u00edtica de seguridad y Observaciones”<\/em> related to the reservation is displayed, creating the appearance of a legitimate file. Additionally, it includes a shortcut file with a .URL<\/a> extension.<\/p>\n\n\n

\n
\"\"
Figure 3. Apparent contents of the compressed file<\/figcaption><\/figure><\/div>\n\n\n

The vulnerability CVE-2025-8088<\/a> is exploited when the user extracts the malicious RAR file (it can also occur if the user directly executes the URL file within WinRAR, since the extraction occurs automatically in %TEMP%<\/em>). This vulnerability is used to extract a hidden file from the RAR archive and store it in a location different from the extraction folder. Once the extraction occurs, the resulting URL file, in this case titled \u201cTARJETA DE CREDITO SPINI, RENE LUIS ALE – DNI 12512437.001\u201d<\/em>, and a BAT file hidden within the RAR archive named \u201cWindowsDefender.Windows.security.Identity.protection.Windows.antivirus.BaT\u201d, are stored in the public access directory (%PUBLIC%).<\/em><\/p>\n\n\n

\n
\"\"
Figure 4. Extraction paths<\/figcaption><\/figure><\/div>\n\n\n

The URL file contains junk HTML code; however, it also includes a direct link to the BAT file. Therefore, if the user executes the URL file, the BAT script will automatically run.<\/p>\n\n\n

\n
\"\"
Figure 5. URL file content<\/figcaption><\/figure><\/div>\n\n\n

Once the BAT file starts executing, the first stage of the infection begins.<\/p>\n\n\n\n

First stage of infection<\/strong><\/p>\n\n\n\n

The content of the BAT file is obfuscated by string substitution and the use of non-descriptive variables. This script has two objectives, outlined below.<\/p>\n\n\n

\n
\"\"
Figure 6. BAT file content<\/figcaption><\/figure><\/div>\n\n\n

1. The first objective is to open a link to an image stored on Google Drive. This image contains an alleged credit card from Credicoop bank in Argentina within the browser, serving as a distraction for the user. According to the email message, it is shared to make the supposed reservations.<\/p>\n\n\n

\n
\"\"
Figure 7. Image of a supposed card displayed in the browser once the BAT file is executed<\/figcaption><\/figure><\/div>\n\n\n

2. The second objective is to download and execute an artifact hosted at the URL hxxps[:]\/\/www[.]hermitagehotel[.]com[.]ar\/xml[.]txt.<\/p>\n\n\n

\n
\"\"
Figure 8. Site content that is downloaded by the BAT file<\/figcaption><\/figure><\/div>\n\n\n

The downloaded website content appears to be a PDF file due to the visible text lines; however, these lines are commented (using the “#” character), meaning they are invalid and serve only as a distraction. In reality, the downloaded file is a PowerShell script, which is executed by the BAT file using the “WindowStyle Hidden”<\/a> attribute to conceal the execution window and the “ExecutionPolicy Bypass”<\/a> attribute to bypass restrictions and warnings during execution.<\/p>\n\n\n\n

This PowerShell script is designed to execute embedded code, which is in binary format and subsequently decoded into readable ASCII<\/a> text.<\/p>\n\n\n

\n
\"\"
Figure 9. PowerShell script obtained after being deobfuscated<\/figcaption><\/figure><\/div>\n\n\n

Once the binary string is decoded, it results in a second PowerShell script, which is also obfuscated using string substitution, Base64<\/a> string encoding, string reversal, and the use of non-descriptive variables. This second script performs the tasks described below.<\/p>\n\n\n

\n
\"\"
Figure 10. Second PowerShell script decoded<\/figcaption><\/figure><\/div>\n\n\n

1. It downloads an artifact from an archive[.]org storage site (hxxp[:]\/\/ia801007[.]us[.]archive[.]org\/15\/items\/optimized_msi_20251009_2311\/optimized_MSI[.]png). This is an image with embedded code using steganography<\/a>.<\/p>\n\n\n

\n
\"\"
Figure 11. Image with embedded code using steganography<\/figcaption><\/figure><\/div>\n\n\n

2. It obtains the embedded code, decodes it from Base64, and converts it into an executable file which corresponds to a generic loader commonly used to execute malware from various XWorm, AsyncRAT<\/a><\/em> and NjRAT<\/a><\/em> campaigns, among others.<\/p>\n\n\n\n

3. The script also decodes a reversed Base64 string and obtains the URL hxxps[:]\/\/www[.]hermitagehotel[.]com[.]ar\/image[.]txt, from which it downloads its content, also encoded in Base64 and reversed.<\/p>\n\n\n

\n
\"\"
Figure 12. Encoded content of the site<\/figcaption><\/figure><\/div>\n\n\n

4. The content retrieved in the previous step is loaded by the generic loader into a legitimate process called caspol.exe<\/a>, executing a payload corresponding to the XWorm V6<\/a><\/em> malware. This version, identified in 2025, is known for its ability to receive and deploy new plugins<\/a> that allows it to perform various tasks on the infected machine. Some of these plugins could be:<\/p>\n\n\n\n