{
	"id": "65346631-ca36-44b3-ac9a-0784362d59c2",
	"created_at": "2026-04-06T00:20:14.278587Z",
	"updated_at": "2026-04-10T03:23:51.020472Z",
	"deleted_at": null,
	"sha1_hash": "65292bc0a3bdf469c7815852039eef4c5d11f4a6",
	"title": "Banking Trojans Mekotio Looks to Expand Targets, BBTok Abuses Utility Command",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3941722,
	"plain_text": "Banking Trojans Mekotio Looks to Expand Targets, BBTok Abuses\r\nUtility Command\r\nPublished: 2024-09-05 · Archived: 2026-04-05 13:45:29 UTC\r\nPhishing\r\nThe notorious Mekotio and BBTok are having a resurgence targeting Latin American users. Mekotio’s latest variant\r\nsuggests the gang behind it is broadening its targets, while BBTok is seen abusing MSBuild.exe to evade\r\ndetection.\r\nBy: Mhica Romero, Joshua Aquino, Janus Agcaoili, Christian Jason Geollegue, Allen Benedict Magpoc, Mark\r\nJason Co, Kim Benedict Victorio, Adriel Isidro, Raymond Joseph Alfonso Sep 05, 2024 Read time: 7 min (1853\r\nwords)\r\nOverview:\r\nThe Latin Americas are seeing a rise in phishing scams that drop banking Trojans such as the notorious\r\nMekotio, BBTok, and Grandoreiro.\r\nCybercriminals behind these known banking Trojans are using judicial-related phishing emails in addition to\r\nthe tried and tested business lures to target victims.\r\nOur investigation of Mekotio suggests that cybercriminals are likely to expand their targets beyond the\r\nLatin Americas.\r\nOur monitoring has revealed an alarming rise in increasingly sophisticated phishing attacks aimed at compromising\r\nfinancial systems across the Latin American region. Banking Trojans including the notorious BBTok, Mekotio, and\r\nGrandoreiro are resurging to pilfer sensitive banking credentials and carry out unauthorized transactions. In this blog,\r\nwe discuss the evolving phishing tactics Mekotio and BBTok use, with an analysis of how their latest campaigns\r\noperate.\r\nEvolving lures\r\nWe observed the Latin Americas experiencing a rise in phishing scams that employ two types of lures: business\r\ntransactions and judicial-related transactions.\r\nBusiness transaction phishing scams, as the name suggests, exploit the trust associated with professional\r\ncommunications by pretending to be one. 
Tried and tested tactics continue to be effective: embedded links in\r\nemails lead to fake business websites where users are prompted to download malware. Banking trojans in malicious\r\nPDF and ZIP files downloaded onto target machines also continue to be an effective way to infect victims. \r\nhttps://www.trendmicro.com/en_us/research/24/i/banking-trojans-mekotio-looks-to-expand-targets--bbtok-abuses-ut.html\r\nPage 1 of 13\n\nFigure 1. A Mekotio phishing email with an embedded link\r\nFigure 2. A Mekotio phishing email with malicious file attachments\r\nMeanwhile, cybercriminals are also luring victims with phishing scams that claim they have traffic violations;\r\nthese exploit the fear and urgency attached to official legal notifications. Cybercriminals mimic legitimate\r\ncommunications from law enforcement alerting victims of fake speeding tickets or other criminal complaints that\r\nprompt them to act and click on links without caution. These phishing scams often contain links that lead to\r\ncounterfeit websites where victims inadvertently download malware onto their systems. Judicial-related\r\ntransaction lures also use malicious PDF and ZIP file attachments that, when downloaded and run, infect a\r\nvictim’s machine.\r\nBoth types of attacks attempt to bypass a user’s usual security precautions by exploiting a false sense of urgency\r\non legal and financial matters that leads them to make quick and damaging decisions. \r\nFigure 3. 
A sample of a phishing email claiming the victim has a speeding ticket and must\r\nsettle accounts with law enforcement\r\nFigure 4. Another phishing email alerting the victim of a criminal complaint filed against them\r\nOur telemetry from August 2024 shows that cybercriminals employing business transaction and traffic violation\r\nphishing scams target manufacturing companies the most, accounting for 26% of the overall attacks we detected.\r\nRetail was also heavily affected, making up 18% of incidents, followed by enterprises in the technology and\r\nfinancial services industries with 16% and 8% of the attacks respectively. These types of phishing attacks are most\r\nlikely to distribute the banking Trojans Mekotio, BBTok, and Grandoreiro. In the following section we look closely at\r\nhow Mekotio and BBTok operate to target Latin American victims.\r\nFigure 5. A breakdown of the industries targeted by phishing scams that employ business-related\r\nand judicial-related phishing tactics\r\nMekotio and BBTok victimology and new tactics\r\nMekotio and BBTok primarily target the Latin American region. Mekotio, which was first detected back in March\r\n2018, has evolved from focusing on Brazilian users and banks to include other Spanish-speaking countries such as\r\nChile, Mexico, Colombia, and Argentina, as well as parts of Southern Europe, including Spain. 
Our investigation\r\nalso suggests that the cybercriminals behind Mekotio are looking to broaden their victimology geographically.\r\nMeanwhile, BBTok, first detected in 2020, narrows its targets down to the Latin American financial sector, but\r\nshares common geographical targets with Mekotio such as Brazil, Chile, Mexico, and Argentina.\r\nMekotio is predominantly delivered through phishing emails with malicious attachments, making it a versatile and\r\npersistent threat in the region. Our investigations reveal that it employs a new technique in which the trojan’s\r\nPowerShell script is now obfuscated, enhancing its ability to evade detection.\r\nBBTok, on the other hand, is usually distributed through phishing emails with malicious attachments, but recent\r\ncampaigns use phishing links to download ZIP or ISO files containing LNK files that initiate the infection process.\r\nBBTok's advanced capabilities for credential theft and data exfiltration make it a formidable threat in the region.\r\nAnother newly observed technique employed by BBTok sees the DLL payload now embedded directly within the\r\ndownloaded ISO file.\r\nMekotio’s latest variant expands targets geographically\r\nFigure 6. Mekotio’s observed infection chain\r\nWhen a victim clicks a URL in the phishing email, it leads to a malicious website specifically crafted to trigger the\r\ndownload of a ZIP file. Inside this ZIP file is an obfuscated batch file designed to evade detection by security tools\r\nand conceal its malicious payload. When the batch file is executed, it launches a PowerShell script that functions\r\nas a second-stage downloader. This script then connects to a secondary URL, enabling further stages of the attack,\r\nsuch as downloading additional malware or exfiltrating sensitive data.\r\nFigure 7. The Mekotio obfuscated batch file\r\nFigure 8. 
The deobfuscated batch file downloading another component with a PowerShell command\r\nThe secondary URL hosts another obfuscated PowerShell script that is designed to adapt its behavior based on the\r\nspecific environment it has infiltrated. Upon execution, this script performs several reconnaissance checks to\r\ngather crucial information about the compromised system: First, it checks the public IP address of the system to\r\nidentify its network location. Next, it leverages geolocation services to determine the country where the device is\r\nlocated.\r\nIt also gathers basic system information, including the computer name and the username of the user who is logged\r\nin, to better understand the environment it has compromised. Additionally, the script checks for any installed\r\nantivirus software and determines the operating system version to tailor its subsequent actions and evade\r\ndetection.\r\nFigure 9. Mekotio victim information being gathered\r\nWe have observed that the PowerShell script in the Mekotio variant we investigated does not include a\r\ncountry comparison feature, which differs from the behavior seen in previous variants of Mekotio. In earlier\r\nversions, the malware would only proceed with its malicious activities if the compromised system was in one of\r\nthe following countries: Brazil, Chile, Spain, Mexico, or Peru. This new variant, however, appears to have an\r\naltered targeting strategy, potentially broadening its scope by adapting its actions based on a wider range of\r\ngeolocations.\r\nAfter completing the environment checks, the malware proceeds to download another ZIP file containing the final\r\npayload. This ZIP file includes AutoHotKey.exe, an AutoHotKey script, and the Mekotio DLL. 
These components\r\nare used to execute the final stage of the attack, enabling the malware to perform its intended malicious actions on\r\nthe compromised system. \r\nFigure 10. The generation of the ZIP file upon download from the server address\r\nFigure 11. The creation of AutoHotKey.exe, the malicious AHK script and the Mekotio DLL from\r\nthe downloaded ZIP file\r\nTo ensure persistence, an autorun registry entry is also deployed, allowing the malware to automatically execute\r\nupon system startup and maintain a foothold on the infected machine.\r\nFigure 12. Autorun registry entry created for persistence\r\nBBTok uses legitimate Windows utility command for evasion\r\nFigure 13. BBTok’s observed infection chain\r\nWhen a victim clicks on the malicious link embedded in the phishing email, this triggers the download of an ISO\r\nfile that contains malicious components including a LNK file that, when executed, launches the infection chain,\r\nstarting the deployment of malicious scripts. Simultaneously, a decoy document is opened to divert the victim’s\r\nattention, reducing suspicion and increasing the chances of a successful compromise.\r\nFigure 14. The downloaded malicious ISO file\r\nFigure 15. The ISO file upon extraction\r\nFigure 16. The content of the LNK file masquerading as a PDF file\r\nThe infection chain progresses when the LNK file triggers the execution of MSBuild.exe, which is embedded\r\nwithin the ISO file. 
MSBuild.exe then loads the contents of a malicious XML file hidden within the ISO archive.\r\nBy using the legitimate Windows utility MSBuild.exe, attackers can execute their malicious code while evading\r\ndetection.\r\nFigure 17. The other files inside the ISO\r\nAfter being loaded by MSBuild.exe, the XML file directs the generation and execution of a malicious DLL file\r\nusing rundll32.exe. This action establishes a connection with the attacker’s command-and-control (C\u0026C) server,\r\nenabling further control over the compromised system. The XML file also opens a lure file and retrieves the\r\ndirectory of the ZIP file, setting the stage for subsequent actions.\r\nFigure 18. The XML opening the lure file and getting the directory of the ZIP file\r\nFigure 19. The creation of the directory where the ZIP file will be copied\r\nThe process involves creating a directory where the ZIP file will be copied, followed by the creation and checking\r\nof a mutex as an infection marker. The ZIP file is then extracted, and modifications are made to the system registry\r\nto ensure the DLL file from the ZIP is executed upon startup, providing persistence for the malware.\r\nFigure 20. The registry modification for execution and persistence of the DLL in the ZIP file\r\nFigure 21. The creation of the mutex and checking it as an infection marker\r\nFigure 22. The extracted ZIP file\r\nFinally, the extracted files, including the malicious BBTok DLL usually named Brammy.dll or Trammy.dll, are\r\nexecuted, continuing the attack and deploying additional payloads.\r\nFigure 23. 
The config file to execute the BBTok DLL\r\nConclusion and recommendations\r\nMore sophisticated phishing scams targeting Latin American users to steal sensitive banking credentials and carry\r\nout unauthorized banking transactions underscore the urgent need for enhanced cybersecurity measures against the\r\nincreasingly advanced methods employed by cybercriminals. These trojans have grown increasingly adept at evading\r\ndetection and stealing sensitive information, while the gangs behind them become bolder in targeting larger groups\r\nfor more profit.\r\nWe recommend that enterprises strengthen their cybersecurity defenses by implementing advanced threat detection\r\nsystems, regularly updating security protocols, and educating employees about recognizing and responding to\r\nphishing attempts. A proactive and zero-trust approach to cybersecurity will help mitigate the risks and safeguard\r\nfinancial systems against these evolving threats.\r\nBy following security best practices, users can protect themselves from threats that are primarily delivered\r\nvia email. 
These include the following:\r\nBe skeptical of unsolicited emails; verify the sender’s identity and email address, look for spelling and\r\ngrammar mistakes, and scrutinize subject lines\r\nAvoid clicking on links and downloading attachments whose contents have not been verified\r\nHover over links to check URLs and avoid downloading attachments unless absolutely certain of the\r\nsender’s identity\r\nIf you suspect that the email might be malicious, directly contact the sender on a different platform using\r\nknown contact details to verify their identity, and compare the email with previous correspondence\r\nUse email filters and anti-spam software\r\nEnsure that spam filters and other security tools are turned on and are up to date\r\nReport phishing attempts to your respective IT and security teams as you encounter them\r\nOrganizations should also educate their employees on phishing and social engineering tactics, as well as\r\nconduct regular phishing awareness trainings\r\nIndicators of Compromise (IoCs)\r\nAs of publishing, all IoCs have been detected and blocked. You can find the list of IoCs here.\r\nSource: https://www.trendmicro.com/en_us/research/24/i/banking-trojans-mekotio-looks-to-expand-targets--bbtok-abuses-ut.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/i/banking-trojans-mekotio-looks-to-expand-targets--bbtok-abuses-ut.html"
	],
	"report_names": [
		"banking-trojans-mekotio-looks-to-expand-targets--bbtok-abuses-ut.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434814,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65292bc0a3bdf469c7815852039eef4c5d11f4a6.pdf",
		"text": "https://archive.orkl.eu/65292bc0a3bdf469c7815852039eef4c5d11f4a6.txt",
		"img": "https://archive.orkl.eu/65292bc0a3bdf469c7815852039eef4c5d11f4a6.jpg"
	}
}