{"id":1567,"date":"2026-06-22T18:37:13","date_gmt":"2026-06-22T18:37:13","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=1567"},"modified":"2026-06-22T18:39:04","modified_gmt":"2026-06-22T18:39:04","slug":"blue-gryphus-rat-new-remote-access-banking-trojan","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2026\/06\/22\/blue-gryphus-rat-new-remote-access-banking-trojan\/","title":{"rendered":"Blue Gryphus RAT: New Remote Access Banking Trojan"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

OVERVIEW<\/h2>\n\n\n\n

The purpose of this blog is to provide information about a new Remote Access Trojan (RAT<\/a>), with banking Trojan capabilities, discovered by SCILabs and named Blue Gryphus RAT<\/em>. This Trojan’s activity was identified during the first months of 2026, and it was distributed as end-user malware in a campaign by the Red Akodon<\/em> threat group, primarily targeting users in Colombia.<\/p>\n\n\n\n

Continuous monitoring indicates that this threat remained active, at least until May, with an increasing number of active samples observed. This campaign has been distributed primarily via phishing emails using pretexts related to Windows updates or legal matters.  <\/p>\n\n\n\n

We also have a high-confidence hypothesis that this threat is closely related to the operations of the Red Akodon<\/em> threat group, in which other types of Trojans are distributed alongside the Blue Gryphus RAT<\/em>; for example, RemcosRAT<\/a><\/em>.<\/p>\n\n\n\n

This blog is intended to describe the functionality and capabilities of the Trojan identified by SCILabs.<\/p>\n\n\n\n

How might this threat affect an organization?<\/h3>\n\n\n\n

Blue Gryphus RAT<\/em> primarily functions as a Remote Access Trojan designed to remotely monitor and control the devices of infected users to steal sensitive information. Furthermore, its browser credential theft and banking Trojan capabilities allow Blue Gryphus RAT<\/em> to steal sensitive information from all types of users, including employees of organizations. If an attack is successful within an organization, cybercriminals can leak or sell the stolen information on clandestine forums of the Dark Web or on the black market. This information can then be used to carry out more sophisticated and dangerous attacks such as ransomware, jeopardizing the integrity, confidentiality, and availability of the organization’s information, as well as causing financial and reputational losses.<\/p>\n\n\n\n

ANALYSIS<\/h2>\n\n\n\n

Threat context<\/h3>\n\n\n\n

During monitoring conducted by SCILabs, following the Red Akodon<\/em> campaign distributing the Blue Gryphus RAT<\/em> identified in March, we observed various artifacts associated with droppers distributing this remote access banking trojan. These were identified in different formats, including highly obfuscated JavaScript, VBS, and PowerShell scripts, employing techniques such as vague function and variable names, character swapping, and garbage code, among others, as well as the use of plaintext files encrypted with AES<\/a>.<\/p>\n\n\n\n

Although we have not yet determined the delivery method, we have a moderate level of confidence that it is being delivered via phishing emails, given its connection to Red Akodon<\/em>. These emails may use purported legal notifications and Windows updates as pretexts, with the dropper names containing strings such as “LEGAL NOTIFICATION LAWSUIT” or “Windows Update,” among others.<\/p>\n\n\n\n

\"\"
Figure 1. Content of a JavaScript file that functions as a Blue Gryphus RAT<\/em> dropper<\/figcaption><\/figure>\n\n\n\n

The goal of these droppers is to download and execute the Blue Gryphus RAT<\/em> trojan as a payload.<\/p>\n\n\n\n

Technical Summary<\/strong><\/h3>\n\n\n\n

The samples corresponding to this Trojan are developed with the .NET Framework, usually loaded by the droppers described above, but initially calling the Main()<\/strong> function of the Trojan executable, which performs different actions for the malware to work. To facilitate your understanding, we have structured them in the following 2 stages.<\/p>\n\n\n\n

\"\"
Figure 2. Segment of the \u201cMain()\u201d function<\/figcaption><\/figure>\n\n\n\n

First stage<\/strong><\/h4>\n\n\n\n

This stage focuses on preparing the device for infection. First, using the SetProcessDPIAware()<\/strong> and SetProcessDpiAwareness()<\/strong> functions, it establishes the malware’s ability to handle high DPI<\/a> pixel density scales (this is done to maintain a controlled appearance in the interface while creating forms for data theft).<\/p>\n\n\n\n

It creates a MUTEX to prevent multiple samples from the same campaign from infecting the same device. The MUTEX uses a format whose string consists of \u201cNexusRAT_\u201d+[8 hexadecimal characters]+[connection port to the C2].<\/p>\n\n\n\n

It is important to mention that, despite the presence of the string \u201cNexusRAT\u201d in different samples, we have not yet identified a relationship between this threat and the Android banking trojan of the same name<\/a>.<\/p>\n\n\n\n

\"\"
Figure 3. MUTEX name in different samples<\/figcaption><\/figure>\n\n\n\n

Next, it establishes the necessary values \u200b\u200bfor connecting to the C2 server, such as the HOST, port, and a TAG (possibly set by the operators to differentiate infected computers in their campaign). It’s worth noting that, both in the case of the TAGs and in the filenames of several samples found, we also identified the strings \u201cAMARRE,\u201d \u201cSostener,\u201d \u201cENV\u00cdO,\u201d \u201cnuevorat,\u201d \u201cmisarchivos,\u201d and \u201cDios,\u201d among others. This suggests that most of the operators of this Trojan are Spanish-speaking.<\/p>\n\n\n\n

\"\"
Figure 4. Some strings in Spanish were found in a sample<\/figcaption><\/figure>\n\n\n\n

Next, it creates a directory named \u201cWindowsUpdate\u201d within %APPDATA%<\/em> or in the directory where the sample is running and saves a copy of itself named \u201cWindowsUpdate.exe\u201d. Finally, it establishes persistence using one of the following two methods:<\/p>\n\n\n\n

1. By scheduling a task to run the malicious \u201cWindowsUpdate.exe\u201d with the following command, which can overwrite any existing task named \u201cWindowsUpdate\u201d and runs every minute.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

2. By creating a copy of the malicious executable named \u201cWindowsUpdate.exe\u201d in the %STARTUP%<\/em> directory.<\/p>\n\n\n\n

It executes a function named AdminBypass()<\/strong> that has 2 objectives:<\/p>\n\n\n\n

1. Evades Windows Defender, adding the root directory C:\\ <\/em>as an exclusion, through the creation of a PowerShell script that is saved in %TEMP%<\/em> with the name \u201cex_[random 5-digit number].ps1\u201d and executed with the options \u201c-ExecutionPolicy Bypass\u201d, \u201c-WindowStyle Hidden\u201d, \u201c-NoProfile\u201d, \u201c-NonInteractive\u201d, and then immediately deleted.<\/p>\n\n\n\n

\"\"
Figure 5. PowerShell script embedded in the Trojan executable<\/figcaption><\/figure>\n\n\n\n

2. Performs UAC bypass by creating a PowerShell script that is saved in %TEMP%<\/em> with the name \u201cuac_[5-digit random number].ps1\u201d. This serves to modify the HKLM\\SOFTWARE\\ Microsoft\\Windows\\CurrentVersion\\Policies\\System<\/em> registry and is deleted immediately after being executed with the same PowerShell options as in the previous script.<\/p>\n\n\n\n

\"\"
Figure 6. PowerShell script to disable UAC<\/figcaption><\/figure>\n\n\n\n

Once these tasks are completed, the second stage begins.<\/p>\n\n\n\n

Second stage<\/h4>\n\n\n\n

This stage begins with the execution of a continuous \u201cwhile\u201d loop to run the Connect()<\/strong> function, waiting for a response from the server. The operation of Connect()<\/strong> is described below.<\/p>\n\n\n\n

1. It initiates a TCP connection to the HOST and port established in the first stage if it receives any response (other than a null one) and confirms the connection from C2. It is important to note that this connection is not made using the HTTP protocol or any known TCP protocol. Instead, this Trojan uses its own protocol, named in the code as NetProtocol48<\/strong>, which we will detail later in this document.<\/p>\n\n\n\n

2. Once the connection is established, the Trojan sends a string to register the machine using the Send()<\/strong> function of the NetProtocol48<\/strong> protocol. This string contains concatenated machine data, including: the operating system version, machine name, username, whether the current user is admin, the TAG (a string defined in the code to distinguish the campaign), and an identifier for the infected machine.<\/p>\n\n\n\n

\"\"
Figure 7. Segment of the Connect() function<\/figcaption><\/figure>\n\n\n\n

3. After the first transmission, the connection remains in a waiting state until a message is received from the C2 server, at which point the registration is completed; otherwise, an error message is displayed. In addition to the registration, a list of active antivirus programs on the computer is generated and, if at least one is present, this list is sent to the C2 server.<\/p>\n\n\n\n

\"\"
Figure 8. Function segment for antivirus detection<\/figcaption><\/figure>\n\n\n\n

Finally, the \u201cwhile\u201d loop continues, waiting for the C2 server to send a message until the Recv()<\/strong> function receives the data sent by the operators through this Trojan’s characteristic protocol, NetProtocol48<\/strong>, and executes the actions corresponding to the different commands. From this point on, the Trojan functions fully as a remote access tool to the infected computer.<\/p>\n\n\n\n

NetProtocol48<\/strong><\/h4>\n\n\n\n

As mentioned previously, Blue Gryphus RAT<\/em> uses its own TCP communication protocol, with the following defined functions:<\/p>\n\n\n\n

    \n
  • Send(): <\/strong>sends data using as arguments a \u201cstream\u201d \u2014to define the size of the message\u2014, a \u201ctype\u201d \u2014which is defined by the operators\u2014, a set of bytes called \u201cdata\u201d and \u201cwriteLock\u201d \u2014which works as a lock to prevent problems if several threads are active at the same time\u2014.<\/li>\n<\/ul>\n\n\n\n
    \"\"
    Figure 9. Send() function<\/figcaption><\/figure>\n\n\n\n
      \n
    • SendText():<\/strong> It receives the parameters \u201cstream\u201d, \u201ctype\u201d, \u201ctext\u201d, \u201cwriteLock\u201d, used in the call to the Send()<\/strong> function, only entering \u201ctext\u201d as a set of Bytes.<\/li>\n<\/ul>\n\n\n\n
      \"\"
      Figure 11. SendText() function<\/figcaption><\/figure>\n\n\n\n
        \n
      • SendFast(): <\/strong>It is similar to the Send()<\/strong> function, with the same parameters, only differing in the copy function to maximize the speed of sending data.<\/li>\n<\/ul>\n\n\n\n
        \"\"
        Figure 11. SendFast() function<\/figcaption><\/figure>\n\n\n\n
          \n
        • ReadExact():<\/strong> is a method that ensures it reads the exact byte number entered as an argument and, while it has not finished reading all the bytes, it will continue until it finishes or when it has the byte number \u201c0\u201d; at that moment, it closes the connection.<\/li>\n<\/ul>\n\n\n\n
          \"\"
          Figure 12. ReadExact() function<\/figcaption><\/figure>\n\n\n\n
            \n
          • Read():<\/strong> It receives data using the arguments \u201cstream\u201d \u2014of indefinite size\u2014, a \u201ctype\u201d \u2014which is defined by the operators\u2014 and a set of bytes called \u201cdata\u201d. As an initial step, it reads the first 4 bytes of the stream with the ReadExact()<\/strong> function; this is to know the total size of the message (which must be in these bytes). Then, it reads the rest of the message also with the ReadExact()<\/strong> function.<\/li>\n<\/ul>\n\n\n\n
            \"\"
            Figure 13. Read() function<\/figcaption><\/figure>\n\n\n\n

            Commands<\/strong><\/h4>\n\n\n\n

            The commands received by the RAT are handled by the Handle()<\/strong> function, which does not read a text string as commands, but integers, so the commands originally sent by the operators are integer values.<\/p>\n\n\n\n

            \"\"
            Figure 14. Segment of the Handle() function that sets the value of the commands and their function<\/figcaption><\/figure>\n\n\n\n

            The translation of these values \u200b\u200bis observed in a class of the code called Nexus.Common<\/strong>, assigning the respective integer value to a variable of the command name.<\/p>\n\n\n\n

            \"\"
            Figure 15. Segment of the program where values \u200b\u200band commands are set<\/figcaption><\/figure>\n\n\n\n

            Below is a table showing the integer value of each command, its name, and the action it performs. Commands labeled “*Not Implemented*” indicate that the function exists but is not yet received by the main function, possibly because these samples are still under development.<\/p>\n\n\n\n

            Value<\/strong><\/td>Command<\/strong><\/td>Functionality<\/strong><\/td><\/tr>
            1<\/td>HELLO<\/td>Introduction for connecting the C2 server to the infected computer.<\/td><\/tr>
            2<\/td>HELLO_OK<\/td>Response to the presentation for connecting to the C2 server<\/td><\/tr>
            3<\/td>PING<\/td>Request to find out if the remote equipment is active.<\/td><\/tr>
            4<\/td>PONG<\/td>Response that the current equipment is active.<\/td><\/tr>
            5<\/td>ABE_REQUEST<\/td>Check the payload (executable) status to obtain browser information.<\/td><\/tr>
            6<\/td>ABE_PAYLOAD<\/td>Run the payload (executable) to obtain browser information.<\/td><\/tr>
            7<\/td>GET_CARDS<\/td>*Not implemented*<\/td><\/tr>
            8<\/td>CARDS_DATA<\/td>*Not implemented*<\/td><\/tr>
            9<\/td>GET_IBANS<\/td>*Not implemented*<\/td><\/tr>
            10<\/td>IBANS_DATA<\/td>*Not implemented*<\/td><\/tr>
            11<\/td>GET_TOKENS<\/td>*Not implemented*<\/td><\/tr>
            12<\/td>TOKENS_DATA<\/td>*Not implemented*<\/td><\/tr>
            13-15,25-29, 36 y 38<\/td>KL_[subcommand]<\/td>All of these allow the execution of commands from the corresponding Trojan’s KL module with the capture of banking data, for example, KL_BANK_IMAGES, which downloads bank images that will be used to impersonate the official website.<\/td><\/tr>
            16-24<\/td>RDP_[subomando]<\/td>All of these perform RDP service functions on the infected computer, for example, RDP_START to start the service or RDP_MOUSE to access the mouse of the infected computer.<\/td><\/tr>
            30, 31, 37 y 55-63<\/td>HVNC_[subcommand]<\/td>All of these allow the execution of commands from the Trojan’s HVNC module, for example, HVNC_CLIPBOARD_SET, which modifies the clipboard contents.<\/td><\/tr>
            32-35<\/td>SHELL_[subcommand]<\/td>They are used to execute the subcommand on the infected computer, for example, SHELL_START, which starts a command line terminal.<\/td><\/tr>
            39-46<\/td>BTC_[subcommand]<\/td>They all allow you to execute commands from the BTC module that performs Chromium-based browser tab manipulation, for example, to slow down, stop, or simulate data loss using the Chrome DevTools Protocol (CDP).<\/td><\/tr>
            48<\/td>GET_PROCESSES<\/td>Returns the running processes on the infected computer.<\/td><\/tr>
            49<\/td>PROCESS_LIST<\/td>*Not implemented*<\/td><\/tr>
            50<\/td>KILL_PROCESS<\/td>Eliminates a process that is passed to it as an argument.<\/td><\/tr>
            51<\/td>START_PROCESS<\/td>Initiates a process that is passed to it as an argument.<\/td><\/tr>
            52<\/td>SUSPEND_PROCESS<\/td>Suspends a process that is presented to it as an argument.<\/td><\/tr>
            53<\/td>RESUME_PROCESS<\/td>Restarts a process passed to it as an argument.<\/td><\/tr>
            54<\/td>PROC_RESULT<\/td>*Not implemented*<\/td><\/tr>
            64<\/td>GET_DRIVES<\/td>List the information of the identified units or devices connected to the infected computer.<\/td><\/tr>
            65<\/td>DRIVES_LIST<\/td>*Not implemented*<\/td><\/tr>
            66<\/td>GET_FILES<\/td>List the information of the identified units or devices connected to the infected computer.<\/td><\/tr>
            67<\/td>FILE_LIST<\/td>*Not implemented*<\/td><\/tr>
            68-79<\/td>FILE_[subcommand]<\/td>These commands perform file manipulation on the infected computer’s file system, as well as downloading more artifacts and moving them to new locations; for example, FILE_ADD_STARTUP places a file passed to it as a parameter in the startup directory.<\/td><\/tr>
            80<\/td>GET_SYSINFO<\/td>Send the information about the infected computer to the C2 server.<\/td><\/tr>
            81<\/td>SYSINFO_DATA<\/td>It obtains general information about the infected system, including hostname, IP address, operating system, active user, number of processors, RAM, and more.<\/td><\/tr>
            82<\/td>FP_COLLECT<\/td>It obtains the most detailed information from the infected system, including data from the screen, CPU, GPU, RAM, free and occupied storage memory, time zone, and language, among others.<\/td><\/tr>
            83<\/td>FP_DATA<\/td>*Not implemented*<\/td><\/tr>
            90-95<\/td>NETMON_[subcommand]<\/td>These commands allow the NetworkMonitor tool to be used on the infected computer, utilizing its functions and manipulating the created process, primarily to prevent the monitoring and analysis of the malware.<\/td><\/tr>
            96-98<\/td>KEYLOG_[subcommand]<\/td>These commands allow the use of the Trojan’s keylogger module, which sends data simultaneously, for example, KEYLOG_START, which starts capturing the keys.<\/td><\/tr>
            99-104<\/td>OFFKL_[subcommand]<\/td>These commands allow the Trojan’s keylogger module to be used offline, which writes the data to a file, for example, OFFKL_, which starts capturing the keys.<\/td><\/tr>
            112<\/td>GET_PASSWORDS<\/td>It generates a string with multiple credentials obtained from the infected computer concatenated, among the types of credentials are stored in browsers of the different user profiles, WiFi credentials stored on the computer, banking data such as cards, IBANs, and accounts, access tokens, among others.<\/td><\/tr>
            113<\/td>PASSWORD_DATA<\/td>*Not implemented*<\/td><\/tr>
            128-135<\/td>REG_[subcommand]<\/td>These commands allow the manipulation of records on the infected computer, for example, the REG_DELETE_KEY command, which deletes the registry key passed to it as a parameter.<\/td><\/tr>
            144-147<\/td>STARTUP_[subcommand]<\/td>These commands allow the manipulation of the artifacts found in the infected computer’s home directory; for example, STARTUP_LIST lists the artifacts in this directory.<\/td><\/tr>
            160<\/td>GET_CONNECTIONS<\/td>Send the connections found in the infected computer to the C2 server.<\/td><\/tr>
            161<\/td>CONNECTIONS_LIST<\/td>*Not implemented*<\/td><\/tr>
            162-174<\/td>EF_[subcommands]<\/td>These commands allow the manipulation of certain devices on the infected computer, such as the monitor, mouse, and some input devices, as well as the taskbar. An example is the command EF_MONITOR_ON, which turns on the computer’s monitor.<\/td><\/tr>
            176<\/td>EXEC_PS<\/td>Execute the PowerShell command or script passed as an argument.<\/td><\/tr>
            177<\/td>EXEC_CMD<\/td>Executes the command in the Windows command line that is passed to it as an argument.<\/td><\/tr>
            178<\/td>EXEC_RESULT<\/td>*Not implemented*<\/td><\/tr>
            179<\/td>SHOW_MSGBOX<\/td>Displays an alert window in the Windows interface with a message passed to it as an argument.<\/td><\/tr>
            180<\/td>VISIT_WEBSITE<\/td>This command executes code passed to it as an argument; no further functionality is known.<\/td><\/tr>
            181<\/td>GET_CLIPBOARD<\/td>Send the content of the clipboard to server C2.<\/td><\/tr>
            182<\/td>CLIPBOARD_DATA<\/td>It retrieves the content found on the clipboard.<\/td><\/tr>
            183<\/td>ACTIVE_WINDOW<\/td>It obtains the active window on the infected computer.<\/td><\/tr>
            184<\/td>DO_SHUTDOWN<\/td>Turn off the infected computer.<\/td><\/tr>
            185<\/td>DO_RESTART<\/td>*Not implemented*<\/td><\/tr>
            186<\/td>DO_STANDBY<\/td>*Not implemented*<\/td><\/tr>
            187<\/td>DO_LOGOFF<\/td>*Not implemented*<\/td><\/tr>
            208-211<\/td>CLIENT_[subcommand]<\/td>These commands allow manipulation of the connection session between the infected computer and the C2 server, for example, the CLIENT_DISCONNECT command that disconnects the session.<\/td><\/tr>
            212<\/td>REMOTE_EXEC_URL<\/td>Downloads and executes a file from a URL passed as an argument.<\/td><\/tr>
            224<\/td>GET_SCREENSHOT<\/td>Send a screenshot of the infected computer to the C2 server.<\/td><\/tr>
            225<\/td>SCREENSHOT_DATA<\/td>*Not implemented*<\/td><\/tr>
            245-250<\/td>WM_[subcommands]<\/td>These commands allow the manipulation of windows on the infected computer, for example, the WM_GET_WINDOWS command that sends all active windows on the infected computer to the C2 server.<\/td><\/tr>
            226-231<\/td>RPROXY_[subcommand]<\/td>These commands enable the operation of the RPOXY module, which corresponds to a reverse proxy, to allow the connection of another remote computer.<\/td><\/tr>
            235<\/td>BOOTKILL_CUSTOM<\/td>It terminates all processes that have in their name the string passed to it as an argument.<\/td><\/tr>
            236<\/td>EXCL_RUN<\/td>Executes code passed to it as an argument, adding the EXCL tag.<\/td><\/tr>
            237<\/td>EXCL_RESULT<\/td>*Not implemented*<\/td><\/tr>
            238<\/td>UAC_RUN<\/td>Executes code passed to it as a parameter, adding the UAC tag. Possibly related to UAC bypass capabilities.<\/td><\/tr>
            239<\/td>UAC_RESULT<\/td>*Not implemented*<\/td><\/tr>
            240-244<\/td>DL_[ subcommand]<\/td>These commands are related to the downloading and execution of artifacts sent from the C2 server.<\/td><\/tr>
            251<\/td>AV_INFO<\/td>It retrieves the security or antivirus tools installed on the infected computer.<\/td><\/tr>
            252<\/td>VBS_EXEC<\/td>It allows running a VBS script on the infected computer.<\/td><\/tr>
            253<\/td>GET_COOKIES<\/td>Sends the information obtained from the cookies of the infected computer.<\/td><\/tr>
            254<\/td>COOKIES_DATA<\/td>It obtains cookies from all browsers on the computer.<\/td><\/tr><\/tbody><\/table>
            Table 1. Commands for the operation of Blue Gryphus RAT<\/em><\/figcaption><\/figure>\n\n\n\n

            Banking Trojan capabilities<\/strong><\/h4>\n\n\n\n

            The Trojan has a module that, during constant monitoring of the infected machine, aims to monitor the titles of windows opened by users. It searches for strings related to banks, primarily from their website names or bank names, and sends this information to the operator. The operator also initiates the process by sending the command KL_BANK_IMAGES (value 13), which downloads and stores a ZIP file containing bank-related images in a folder named \u201cnxkl_[random characters]\u201d created in %TEMP%.<\/em> These images will be used later.<\/p>\n\n\n\n

            At this point, if the operator identifies a window title from one of its target banks (unknown during the analysis) as belonging to a specific bank, it initiates the following tasks, in no particular order:<\/p>\n\n\n\n

              \n
            • The operator can send the KL_START_WAIT command (14), which displays a fake “Loading, please wait…” screen using a specific image associated with a bank, taken from the folder generated in the previous step. It also blocks user interaction and hides the cursor. This option can be continuously activated while the user interacts with the banking website.<\/li>\n<\/ul>\n\n\n\n
                \n
              • The operator can send the KL_SEND_CROP command (25), which displays a fake fullscreen overlay simulating part of the banking website with holes in specific areas of the screen to allow the victim to interact with real or simulated fields, such as entering their name, a password, and the transfer amount.<\/li>\n<\/ul>\n\n\n\n
                  \n
                • The operator can send the command that is the counterpart to the previous ones, responsible for removing the data capture openings, restoring a “Please Wait” screen, blocking user input interaction, and hiding their cursor.<\/li>\n<\/ul>\n\n\n\n
                    \n
                  • Upon completion of the bank data capture, at the operators’ request, this data is sent to the C2 server along with all the information the user previously entered (credentials, accounts, transactions, and other banking details). After sending this capture, it removes any distracting overlay screens that may remain active and unlock the input fields.<\/li>\n<\/ul>\n\n\n\n
                    \"\"
                    Figure 16. Segment of a function related to the banking trojan module<\/figcaption><\/figure>\n\n\n\n

                    It’s important to note that the banking module’s functionality could only be observed through static analysis, as it requires operator interaction to run. Therefore, at the time of writing this blog post, we don’t know which banks are targeted or what type of bank images are displayed.<\/p>\n\n\n\n

                    ATTACK FLOW SUMMARY<\/h2>\n\n\n\n
                      \n
                    • We hypothesized, with a high level of confidence, that the distribution method is through phishing emails that use a supposed court notification or Windows update as a pretext.<\/li>\n<\/ul>\n\n\n\n
                        \n
                      • The email contains a compressed file with JavaScript or VBS dropper and PowerShell scripts.<\/li>\n<\/ul>\n\n\n\n
                          \n
                        • If the user decompresses the downloaded file and runs the dropper, it initiates the infection chain that results in the download and installation of Blue Gryphus RAT<\/em>.<\/li>\n<\/ul>\n\n\n\n
                            \n
                          • Once executed, Blue Gryphus RAT<\/em> starts from its Main()<\/strong> function in two stages:\n
                              \n
                            • The first stage focuses on preparing the computer for infection, adapting its graphical parameters to those of the infected machine, configuring the command and control (C2) server, generating a mutex and infection directories, as well as establishing persistence, evading Windows Defender, and bypassing User Account Control (UAC).<\/li>\n\n\n\n
                            • The second stage begins with a permanent cycle that keeps the Trojan process running with open connections so that operators can remotely access the infected computer and thus perform malicious actions and data theft.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n

                              ATTACK FLOW DIAGRAM<\/h2>\n\n\n\n
                              \"\"
                              Figure 17. Diagram of the attack flow for this campaign<\/figcaption><\/figure>\n\n\n\n

                              MITRE ATT&CK\u00ae framework TTPs observed<\/h3>\n\n\n\n
                              \"\"
                              Table 2. TTPs observed aligned to the MITRE ATT&CK\u00ae framework<\/figcaption><\/figure>\n\n\n\n

                              CONCLUSION<\/h2>\n\n\n\n

                              Banking Trojans continue to be one of the main threats in Latin America, affecting users of various financial institutions. This, coupled with browser data theft, credential theft, and remote access to infected computers, makes Blue Gryphus RAT a more sophisticated threat that should not be considered merely a stealer or a conventional banking Trojan, but rather a modular tool with post-exploitation functionalities that considerably expand the scope of its impact on users and organizations.<\/p>\n\n\n\n

                              One of its main characteristics is the acquisition of credentials, financial data, and sensitive information stored in Chromium-based browsers, using specialized mechanisms capable of extracting information protected by the browser’s own encryption systems; the implementation of a custom communication protocol (NetProtocol48) for exchanging information with the C2 server; and, additionally, the use of window overlay techniques on legitimate applications or websites.<\/p>\n\n\n\n

                              It is important to highlight that, although campaigns originating in Colombia have been discovered and multiple samples of this Trojan have been identified, containing Spanish words in both their content and infrastructure, the possibility of a more widespread operation cannot be ruled out. This is because, according to telemetry data from malware databases consulted in this investigation, several samples are being uploaded from countries such as the United States and Germany.<\/p>\n\n\n\n

                              Finally, it is worth mentioning that the versions found contain some incomplete code, suggesting that this Trojan may still be under development. Therefore, SCILabs considers it essential to maintain constant monitoring of Blue Gryphus RAT and its evolution. Furthermore, SCILabs recommends that organizations stay updated with the latest information, TTPs, changes in the attack flow, and new versions to strengthen their detection and response capabilities.<\/p>\n\n\n\n

                              Based on the investigation, SCILabs makes the following recommendations:<\/p>\n\n\n\n

                                \n
                              • Block the Indicators of Compromise (IoCs) mentioned in this document.<\/li>\n\n\n\n
                              • Conduct awareness campaigns about the techniques used by this threat actor to distribute its campaigns.<\/li>\n\n\n\n
                              • For phishing emails, the following is recommended:<\/li>\n\n\n\n
                              • Avoid opening emails from unknown senders.<\/li>\n\n\n\n
                              • Avoid clicking on suspicious links.<\/li>\n\n\n\n
                              • Avoid opening or downloading suspicious files.<\/li>\n\n\n\n
                              • Keep the operating systems and software of all devices on your network up to date.<\/li>\n\n\n\n
                              • Implement proper policies for creating and using passwords.<\/li>\n\n\n\n
                              • Avoid storing credentials and other data in browsers; instead, use a password manager.<\/li>\n\n\n\n
                              • Avoid storing bank card or payment method information in browsers.<\/li>\n\n\n\n
                              • Enable multi-factor authentication (MFA) on critical services, especially email, online banking, VPNs, and corporate platforms.<\/li>\n\n\n\n
                              • Investigate information leaks, including breaches of credentials and data related to your organization, using intelligence services.<\/li>\n\n\n\n
                              • Ensure proper implementation of In-Depth Security across all of the organization’s systems.<\/li>\n\n\n\n
                              • Perform threat hunting for suspicious shortcuts, primarily in the Windows Start Menu directory, typically located at C:\\Users[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup.<\/li>\n\n\n\n
                              • Perform threat hunting in the Windows Registry, searching for applications that run when the operating system starts, in the path Computer\\HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion.<\/li>\n\n\n\n
                              • Perform threat hunting in Windows scheduled tasks, primarily looking for tasks with suspicious names such as “WindowsUpdate”.<\/li>\n\n\n\n
                              • Perform threat hunting for suspicious files with names containing the strings \u201cWindowsUpdate\u201d, \u201cNOTIFICACION JUDICIAL\u201d, \u201cnxkl_\u201d, \u201cuac_\u201d, \u201cex_\u201d, \u201cAMARRE\u201d, \u201cSostener\u201d, \u201cENV\u00cdO\u201d, \u201cnuevorat\u201d, \u201cmisarchivos\u201d, \u201cDios\u201d, among others.<\/li>\n\n\n\n
                              • Audit and monitor the PowerShell command execution history using \u201cAdd-MpPreference\u201d, \u201cSet-MpPreference\u201d, \u201cRemove-MpPreference\u201d and the options \u201c-ExclusionPath\u201d, \u201c-ExclusionProcess\u201d, and \u201c-ExclusionExtension\u201d, primarily related to Windows Defender.<\/li>\n\n\n\n
                              • Perform threat hunting for potential infections from other types of malware such as infostealers, banking trojans, RATs, and others.<\/li>\n\n\n\n
                              • Perform threat hunting for suspicious artifacts, primarily in the following paths:\n
                                  \n
                                • %LOCALAPPDATA%<\/li>\n\n\n\n
                                • %APPDATA%<\/li>\n\n\n\n
                                • %PROGRAMDATA%<\/li>\n\n\n\n
                                • %TEMP%<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                                • Pay attention to browsing delays and malfunctions of input devices (mouse, keyboard, screen, etc.), because these can indicate infection and that operators are accessing the device.<\/li>\n\n\n\n
                                • Pay attention to suspicious alerts, update screens, or waiting periods on login sites requiring credentials, as well as pop-up windows, as these can indicate infection and data theft.<\/li>\n\n\n\n
                                • If they are not essential for the organization\u2019s operations, block free DNS services such as no-ip[.]com, chickenkiller[.]com, linkpc[.]net, duckdns[.]org, and ddns[.]net, and assess the impact of doing so, as these services are commonly used by samples of this Trojan and in some Red Akodon campaigns as command-and-control servers.<\/li>\n<\/ul>\n\n\n\n

                                  INDICATORS OF COMPROMISE<\/h2>\n\n\n\n

                                  Hashes SHA256<\/strong><\/strong><\/p>\n\n\n\n

                                  B6A29EE040D6DCBB9168C19299B4B1578A58DDA1E2CB329F24B65DD7A94E027D<\/p>\n\n\n\n

                                  7BC08C502BF4EBB8C4DE8549D104453AE05611D0B718A8F10943A6D437366D56<\/p>\n\n\n\n

                                  1D22B11BCB30BBCE65381B37FCF5F6981461E322AAF7564C988A638C0F245345<\/p>\n\n\n\n

                                  BB376EC395F0FE93F9584C4AC64FF61EE2A9445BEF388DB33443DCFCED51C427<\/p>\n\n\n\n

                                  3235CEF4287DC15B2594C0EED9A8B365CDA84B95B7B9F47D2088051201946781<\/p>\n\n\n\n

                                  3B2ED138AF180F0DB7DF13F87B2C11B518E03443C5775A0ACD8CB136DB53B783<\/p>\n\n\n\n

                                  F831B4A858DB6BDF617DF94B19B7C220D22C163AF205C54F7573B22DC50DC419<\/p>\n\n\n\n

                                  8C62E07127517702418EC089AC499E0A5E40A8DF12353BBE6B3CD43B2C6AEE49<\/p>\n\n\n\n

                                  5C4EB0008AC44373BC3C2B7815C162F6DAAF9A5A0664CA748B3D32A79DB83976<\/p>\n\n\n\n

                                  E03214F834920E19DA0FE878F4407ACB24B4BA920FC968289CE4307C9E8C43AE<\/p>\n\n\n\n

                                  0506B8A5AE38D6C81E5E31D7F6AD53F2F7DE3DE2C4FE2646650DD21E15623040<\/p>\n\n\n\n

                                  00A3C25D970817FD42BE16B64D5970B64CE8C6B0784288823C2C080743D7F616<\/p>\n\n\n\n

                                  D7CD9E7D257CA4180C1D33F3BCBF4D3DF4388E6AFE1618F09388641EC2F8ED9E<\/p>\n\n\n\n

                                  0470B87CC37D1013FC30244FB6476192B804F93DB95D8F3A3ECE5BC1961A2475<\/p>\n\n\n\n

                                  5BBEC5815AFF6B60E910363FE8A71F0DF9349BF9EB506B3722D0B87396CA467D<\/p>\n\n\n\n

                                  0506B8A5AE38D6C81E5E31D7F6AD53F2F7DE3DE2C4FE2646650DD21E15623040<\/p>\n\n\n\n

                                  8A45012566572F9CB7E9FD7F0C60B246D057222F5ADA1E5E194C3E5A01CA1045<\/p>\n\n\n\n

                                  C2<\/strong><\/p>\n\n\n\n

                                  respaldonw8152[.]com<\/p>\n\n\n\n

                                  amarre2026[.]com<\/p>\n\n\n\n

                                  <\/p>\n\n\n\n

                                  <\/p>\n","protected":false},"excerpt":{"rendered":"

                                  OVERVIEW The purpose of this blog is to provide information about a new Remote Access Trojan (RAT), with banking Trojan<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,35,4],"tags":[9,14,15],"class_list":["post-1567","post","type-post","status-publish","format-standard","hentry","category-campaign","category-discoveries","category-malware","tag-banking-trojan","tag-latam","tag-malware"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1567","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=1567"}],"version-history":[{"count":13,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1567\/revisions"}],"predecessor-version":[{"id":1601,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1567\/revisions\/1601"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=1567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=1567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=1567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}