{
	"id": "491bdd4b-6867-4a41-9b4a-2d80142bc3f6",
	"created_at": "2026-04-06T00:07:22.327089Z",
	"updated_at": "2026-04-10T03:21:44.217087Z",
	"deleted_at": null,
	"sha1_hash": "4665efcf01c2d5569bd10818725691e2bcab370e",
	"title": "The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12156548,
	"plain_text": "The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years\r\nBy Pierluigi Paganini\r\nPublished: 2022-03-13 · Archived: 2026-04-05 17:48:28 UTC\r\nLampion trojan is one of the most active banking trojans impacting Portuguese Internet end users since 2019. This piece of malware is known for the usage of the Portuguese Government Finance \u0026 Tax (Autoridade Tributária e Aduaneira) email templates to lure victims into installing the malicious loader (a VBS file). However, fake templates of banking organizations in Portugal have also been used by criminals to disseminate the threat in the wild, as observed in Figure 1 below with a malicious PDF (151724540334 Pedidos.pdf).\r\nhttps://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html\r\nPage 1 of 18\r\nFigure 1: Email templates delivering malicious PDFs that impersonate banking organizations in Portugal to spread Lampion trojan.\r\nThe malware TTPs and capabilities remain the same as observed in 2019, but the trojan loader – the VBS files – propagated along with the new campaign has significant differences. Also, the C2 server is the same one noticed in past campaigns since 2020, suggesting that criminals have been using the same server, geolocated in Russia, for two years to orchestrate all the malicious operations.\r\nFUD capabilities of the Lampion VBS loader\r\nFilename: Comprovativo de pagamento_2866-XRNM_15-02-2022 06-43-54_28.vbs\r\nMD5: 2e295f9e683296d8d6b627a88ea34583\r\nAs expected, the Lampion VBS loader has changed in the last years, and its modus operandi is similar to other Brazilian trojans, such as Maxtrilha, URSA, Grandoreiro, and so on. In detail, criminals are enlarging the file with around 56 MB of junk to bypass detection, in contrast to the samples from 2019 with just 13.20 KB.\r\nFigure 2: Lampion VBS loader file enlargement technique to bypass detection.\r\nThe VBS file contains a lot of junk sequences, and after some rounds of code cleaning and deobfuscation, 31.7 MB of useless lines of code were removed.\r\nFigure 3: Lampion VBS loader size before and after removing the junk sequences.\r\nThe final file after the cleaning process has around 24.7 MB, and it is responsible for creating other files, including:\r\na 2nd VBS file with a random name (2nd_stage_vbs) that will download the Lampion final stage – two DLLs from AWS S3 buckets;\r\nanother VBS file that will execute the previous file by using a scheduled task also created by the 1st VBS loader.\r\nThe next figure presents the structure of the Lampion VBS loader after the cleaning and deobfuscation process.\r\nFigure 4: Lampion’s VBS loader after some rounds of deobfuscation.\r\nAs mentioned, the 1st stage (Comprovativo de pagamento_2866-XRNM_15-02-2022 06-43-54_28.vbs) creates a new VBS file (2nd_stage_vbs) inside the %AppData%\\Local\\Temp folder with a random name (sznyetzkkg.vbs).\r\nAlso, another VBS (jghfszcekwr.vbs) is created with code responsible for executing the previous VBS file (sznyetzkkg.vbs) via a scheduled task.\r\nA scheduled task is created with a service description and the Administrator user as its author. This scheduled task will execute the second VBS file, jghfszcekwr.vbs, which contains instructions to finally run the sznyetzkkg.vbs file (the 2nd VBS stage).\r\nFigure 5: Creation of the 2nd VBS file and the auxiliary VBS file. Also, the scheduled task responsible for creating the auxiliary VBS file is shown.\r\nAfter running the initial VBS file, the two additional VBS files are finally prepared to be triggered. That task is then performed by the scheduled task as presented in Figure 6. The source code of the jghfszcekwr.vbs file is quite simple and just executes the 2nd VBS file (sznyetzkkg.vbs). We believe this is just a procedure to make the malware analysis harder and to hinder its detection – something we confirmed during the analysis, as the AVs don’t properly detect those files during the malware infection chain.\r\nFigure 6: Scheduled task (1) responsible for executing an auxiliary VBS file (2), which in turn runs the second VBS stage.\r\nAfter that, the VBS file dubbed sznyetzkkg.vbs is executed. All the steps highlighted in Figure 7 are typically known from the last Lampion campaigns. This VBS file is quite similar to its predecessors, and it performs some tasks:\r\nDeletes all the files from the startup folder with the following extensions: lnk, vbs, cmd, exe, bat and js.\r\nDecrypts the URLs containing the final stage of Lampion trojan.\r\nCreates a .cmd file in the Windows startup folder to maintain persistence.\r\nFigure 7: Source code of the 2nd VBS file and the encrypted URLs that will download the last stage of the Lampion trojan banker.\r\nFrom this point, the modus operandi and TTPs are the same as observed since 2019. The clear sign is that the same algorithm used in 2019 to decrypt the hardcoded strings with the malicious URLs is used again. The script can be downloaded from GitHub here.\r\nFigure 8: Lampion trojan VBS decryptor.\r\nAfter running the script, we obtained the malicious URLs that download the next stage of Lampion trojan. Once again, the AWS S3 buckets were the criminals’ choice, as observed in the last releases of this malware.\r\nThe first DLL (the trojan loader) is a point of interest in this analysis. This file was also enlarged with lots of random BMP images inside – a well-known technique that is being used by Latin American gangs in their malware. This is a clear sign of cooperation between the several groups.\r\nThe P-17-4 DLL is then renamed when downloaded and injected into memory via the DLL injection technique. The EAT function “mJ8Lf9v0GZnptOVNB2I” is triggered to start the DLL loader.\r\nC:\\Windows\\System32\\rundll32.dll\\”%AppData%\\Local\\Temp\\rand_folder\\random_name.dll” mJ8Lf9v0GZnptOVNB2I\r\nFigure 9: Lampion DLLs – release 212 (February 2022).\r\nThe main goal of the DLL loader is just to unzip the 2nd DLL called “soprateste.zip”, which is protected with a hardcoded password. All the process from this point is the same as in the last articles we have published, namely:\r\nTargeting Portugal: A new trojan ‘Lampion’ has spread using template emails from the Portuguese Government Finance \u0026 Tax – DECEMBER 2019\r\nLampion malware origin servers geolocated in Turkey, FEBRUARY 2020\r\nLampion malware v2 February 2020, FEBRUARY 2020\r\nNew release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader, JULY 2020\r\nLampion trojan disseminated in Portugal using COVID-19 template, FEBRUARY 2021\r\nDetails of the Lampion release 212\r\nThe single task of the first DLL is just to unzip the 2nd one with a hardcoded password. As usual, the DLL inside soprateste.zip carries a message in Chinese for researchers:\r\nFigure 10: Message hardcoded inside the soprateste.zip DLL (the Lampion itself) and part of the unzip process.\r\nAs usual, the trojan has kept its EAT intact since 2019. The call “DoThisBicht” is invoked from the DLL loader, and the malware starts its malicious activity. Figure 11 below shows the comparison of the EAT between the different versions from 2019 to 2022, and no differences were noticed.\r\nFigure 11: Export Address Table (EAT) from the DLL inside the soprateste.zip file (the Lampion trojan itself).\r\nThe target brands are the same as observed in the past campaigns, with the focus on Brazilian and Portuguese banking organizations.\r\n0x5106a0c (28): banco montepio\r\n0x5106a38 (16): montepio\r\n0x5106a6c (26): millenniumbcp\r\n0x5106aa8 (18): Santander\r\n0x5106ac8 (14): BPI Net\r\n0x5106ae4 (18): Banco BPI\r\n0x5106b18 (24): Caixadirecta\r\n0x5106b40 (42): Caixadirecta Empresas\r\n0x5106b8c (20): NOVO BANCO\r\n0x5106bc4 (14): EuroBic\r\n0x5106bfa (16): Credito Agricola\r\n0x5106c24 (20): Login Page\r\n0x5106c48 (22): CA Empresas\r\n0x5106c80 (18): Bankinter\r\n0x5106cb4 (20): ActivoBank\r\n0x5107118 (36): itauaplicativo.exe\r\n0x5109568 (14): TravaBB\r\n0x5109586 (32): Banco do Brasil\r\n0x51095b4 (16): Traazure\r\n0x51095d6 (32): Caixa Economica\r\n0x5109604 (20): Travsantos\r\n0x510962a (20): Santander\r\n0x510964c (14): Travsic\r\n0x510966a (14): Sicred\r\n0x5109688 (14): Travite\r\n0x51096c0 (18): Travdesco\r\n0x51096e2 (18): Bradesco\r\n0x5109704 (22): BANRITRAVAR\r\n0x510972a (18): Banrisul\r\n0x510974c (20): TravaBitco\r\n0x5109772 (32): Mercado Bitcoin\r\n0x51097a0 (14): Travcit\r\n0x51097be (18): Citibank\r\n0x51097e0 (18): Travorigs\r\n0x5109802 (30): Banco Original\r\n0x5109830 (18): SICTRAVAR\r\n0x5109852 (14): Sicoob\r\nWhen started, the trojan collects information about the open processes on the target machine. If the title of the pages matches the hardcoded strings presented above, then it starts the malicious overlay process that presents fake messages and windows impersonating the target bank to lure the victims.\r\nFigure 12: Lampion overlay screens (courtesy of MillenniumBCP – Portugal).\r\nFigure 13: Part of the hardcoded messages present on the Delphi forms that are exhibited during the trojan execution.\r\nAs mentioned, Lampion has been using the same C2 server, geolocated in Russia, for at least two years. Figure 14 compares the Lampion release 207 – from 2020 – and the new release 212 – February 2022. As presented, the server “5.188.9.28” has been used at least since 2020 by the criminals’ gang in order to orchestrate all the operations.\r\nFigure 14: Lampion is using the same C2 server observed in 2020 and geolocated in Russia.\r\nInterestingly, the C2 server – a Windows machine – has the Microsoft RPC Endpoint Mapper service exposed, which allows mapping some of the services running on the machine, associated pipes, hostname, etc.\r\nThrough this information, it was possible to obtain the hostname of the remote machine: \\WIN-344VU98D3RU. After a quick search, the hostname seems to have already been associated with other malicious groups operating different types of malware, such as the bazaar (see the article here), and also LockBit 2.0 ransomware (take a look here).\r\nFigure 15: IoCs related to the hostname used by the Lampion C2 server (\\WIN-344VU98D3RU).\r\nAlthough it is not possible to confirm whether this is a hostname associated with other Cloud machines and used by legitimate systems, it was possible to identify that there are machines spread all over the world with the same hostname, and in some situations, only a few machines available per country.\r\nIn total, 81.503 machines were identified, with around 45k in The Netherlands, 25k in Russia, 2.5k Turkey, 2K Ukraine, 1.5k in US, etc.\r\nThe complete list of hosts can be found below.\r\nFinal Thoughts\r\nNowadays, we are facing a growing number of Brazilian trojans appearing at a very high speed, each one of them with its own peculiarities, TTPs, etc. With this in mind, criminals achieve a FUD condition that allows them to avoid detection and impact a large number of users around the world.\r\nIn this sense, monitoring these types of IoCs is a crucial point now, as it is expected that in the coming weeks or months new infections or waves can emerge.\r\nMitre Att\u0026ck Matrix and Indicators of Compromise (IOCs) are available in the original post published by the cybersecurity researcher Pedro Tavares:\r\nhttps://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years/#.Yi32dnrMK5d\r\nAbout the author Pedro Tavares:\r\nPedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the security computer blog seguranca–informatica.pt.\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, Lampion trojan)\r\nSource: https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html"
	],
	"report_names": [
		"hidden-c2-lampion-trojan-release-212.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434042,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4665efcf01c2d5569bd10818725691e2bcab370e.pdf",
		"text": "https://archive.orkl.eu/4665efcf01c2d5569bd10818725691e2bcab370e.txt",
		"img": "https://archive.orkl.eu/4665efcf01c2d5569bd10818725691e2bcab370e.jpg"
	}
}