{
	"id": "24364b96-e29a-4000-a1c3-e51f430abdf8",
	"created_at": "2026-04-06T00:07:39.713385Z",
	"updated_at": "2026-04-10T03:23:24.430858Z",
	"deleted_at": null,
	"sha1_hash": "6f0cc8e1d9cea06e241b696bd21d7051ef7c6fd0",
	"title": "LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79157,
	"plain_text": "LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in\r\nLatin America – ClearSky Cyber Security\r\nPublished: 2017-11-02 · Archived: 2026-04-05 14:35:02 UTC\r\nleetMX is a widespread cyber-attack campaign originating from Mexico and focused on targets in Mexico, El\r\nSalvador, and other countries in Latin America, such as Guatemala, Argentina and Costa Rica. It has been\r\noperating since November 2016 at least. We are uncertain of its objectives but estimate it is  criminally motivated.\r\nleetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control. \r\nHundreds of malware samples have been used, most are Remote Access Trojans and keyloggers.\r\nInterestingly, the attackers camouflage one of their delivery domains by redirecting visitors to El Universal, a\r\nmajor Mexican newspaper.\r\nTargeting\r\nBelow are samples of malicious Office documents delivered to targets. These documents contain macros that run\r\nPowerShell, which downloads and run various payloads from domains and hosts controlled by the attackers.\r\nMinisterio de Hacienda El Salvador – Declaraciones Pendientes folio 34598.docm\r\n(c624595124a740632c6278a5ddc97880)\r\nMinisterio de Hacienda SV Folio de Aclaracion SVMH2054983.docm\r\n(f5773ad43e0307bef28cb4e57eeb4103)\r\nhttps://www.clearskysec.com/leetmx/\r\nPage 1 of 11\n\nBuro de Credito – Reporte Especial Folio de Operacion 438346982.doc\r\n(2124be2abb952f546275fbc3e0e09f05)\r\nEstimado Cliente.\r\nSu pedido ha sido verificado y aprobado por su banco. Conserve este número de folio para cualquier trámite\r\ncomo Cambios y Cancelaciones B0987525347.\r\nPuede Imprimir este documento para su referencia.\r\nInstitución de Banca Múltiple\r\nSATMX-Folio 46565.xls\r\n(69a779d10672df9a3f8bfd07120bf1c9)\r\nhttps://www.clearskysec.com/leetmx/\r\nPage 2 of 11\n\nServicio de Administracion Tributaria SAT Declaraciones Pendientes Folio de Consulta 45817089.xls\r\n(bc8e5d77e074f7b1fd9f4311395d48a5)\r\nOther documents used as malware droppers are:\r\nburo de credito reporte de movimientos recientes folio de operacion 3590543.doc \r\n(b39076ed23aa7c251aee89701f084117)\r\nburo de credito reporte de movimientos acreditados folio 45665.doc\r\n(783e4c2eeeb69f058b30c5b697bfa6be)\r\nministerio de hacienda el salvador consulta de estado de cuenta moroso folio\r\n(7a769d5e7401a1b858e58fea1144cb6b)\r\nburo de credito reporte de nuevos cargos folio 273534.doc (0b8f4e79df43b951380938bdc380f53a)\r\nBuro de Credito Afilicion de Cargo Automatico Registrado BMX46948964.doc\r\n(8f963a7e26a29b4ba2cae9eb11b137d7)\r\nBuro de Credito Folio de Aprobacion de Nuevos Creditos 593783.xls\r\n(4e12eeb78cebaf091cdf26b46a816931)\r\nhttps://www.clearskysec.com/leetmx/\r\nPage 3 of 11\n\nBuro de Credito – Folio de Afilicion a Cargo Automatico 3274398BMX.doc\r\n(fe6b1f263e10f305af2eba10a8af6ba1)\r\nBuro de Credito – Folio de Afilicion a Cargo Automatico 3274398BMX.doc\r\n(6c5d24a054ab952ea1983e7b663474ce)\r\nBelow is an example of a malicious PowerShell code in one of the documents:\r\nInfrastructure\r\nThe domains and hosts below are all part of the malicious infrastructure, and are used for malware delivery or for\r\ncommand and control.\r\nc0pywins.is-not-certified[.]com\r\ncasillas.hicam[.]net\r\ncasillas45.hopto[.]org\r\ncasillasmx.chickenkiller[.]com\r\ncloudrsaservicesdriveoffic[.]com\r\ncloudsfullversionooficcekey[.]com\r\ndryversdocumentofficescloud[.]com\r\ndryversdocumentsandcustom[.]com\r\ndryversdocumentsandcustomer[.]com\r\ndryversdocumentsandcustoms[.]com\r\ndryversdocumentsandcustomsoft[.]com\r\ndryversdocumentsandfullbmxro[.]com\r\ndryversdocumentsandfullburomxcloud[.]com\r\ndryversdocumentsandfullcloud[.]com\r\ndryversdocumentsandfullcustomsoft[.]com\r\ndryversdocumentsatsettingswins[.]com\r\ndryversdocumentsettingswins[.]com\r\ndryversdocumentsolutionscloud[.]com\r\nk4l1m3r4.publicvm[.]com\r\nmycloudtoolzshop[.]net\r\nopendrivecouldrsafinder[.]com\r\nrsafinderfirewall[.]com\r\nrsapoints.ssl443[.]org\r\nrsaupdatr.jumpingcrab[.]com\r\nhttps://www.clearskysec.com/leetmx/\r\nPage 4 of 11\n\nrsause.ntdll[.]net\r\nsslwin.moneyhome[.]biz\r\nwins10up.16-b[.]it\r\nMexican origins\r\nMultiple parts of the malicious infrastructure indicate that the attackers are based in Mexico, as depicted in the\r\nMaltego graph below. (However, the reader should remember that these are only technical indicators and could all\r\nbe forged).\r\nDynamic DNS hosts used for command and control were allocated IPs by Mexican internet services\r\nproviders. For example, c0pywins.is-not-certified[.]com has been allocated addresses by AS8151 Uninet\r\nS.A. de C.V., MX, as can be seen in PassiveTotal:\r\nhttps://www.clearskysec.com/leetmx/\r\nPage 5 of 11\n\nMalware delivery domain rsafinderfirewall[.]com redirects to El Universal, a major Mexican\r\nnewspaper, when visited without the file-path of the malware (such\r\nas rsafinderfirewall[.]com/Es3tC0deR3name.exe):\r\nhttps://www.clearskysec.com/leetmx/\r\nPage 6 of 11\n\nPhysical address in Mexico in multiple domains Whois data:\r\nRegistrant Name: hector jesus herrera duron\r\nRegistrant Organization: motogplus\r\nRegistrant Street: c 29 no 300\r\nRegistrant City: merida\r\nRegistrant State/Province: Chiapas\r\nRegistrant Postal Code: 97000\r\nRegistrant Country: MX\r\nRegistrant Phone: +52.9991062881\r\nAttacker IP address in Mexico. In one targeting at least, the attackers used a URL shortening services that\r\npublicly displays the IP address of anyone who clicked the shorted URL.  The first click – likely the\r\nattacker testing the link before spreading it to victims – came from 189.215.52.168 , which belongs to\r\nMexican ISP Cablemas Telecomunicaciones:\r\nhttps://www.clearskysec.com/leetmx/\r\nPage 7 of 11\n\nIn this incident mostly Mexicans were targeted, as can be seen in the table below:\r\nCountry URL clicks\r\nMexico 343\r\nUnited States 79\r\nEl Salvador 67\r\nother 53\r\nLeet filenames\r\nThe attackers often use leetspeak alphabet in malware filenames. Below is a list of malware filenames converted\r\nfrom leet to plain English (via Universal Leet (L337, L33T, 1337) Converter):\r\nOriginal filename Conversion from Leet\r\nAd0v3upd4t3s2o17.exe Adoveupdates2017.exe\r\n0ff1ceval1dKey001[1].exe officevalidKeyooi[i].exe\r\nAFDsajgeoi.exe AFDsajgeoi.exe\r\nAd0v31ns5t411.exe Adoveinsstaii.exe\r\nOff1c3764.exe Officetga.exe\r\nad0v3upd4t3s2o16[1].exe adoveupdates2016[i].exe\r\nsqlwriter.exe sqlwriter.exe\r\nOff1cc3k3ysV4l1d.exe OfficceKeysValid.exe\r\nCudaUtil.exe CudaUtil.exe\r\nJavaupdate2017205.exe Javaupdate201705.exe\r\nhttps://www.clearskysec.com/leetmx/\r\nPage 8 of 11\n\nUSB Flash Security.exe USB Flash Security.exe\r\nJ4v4S3tups00.exe JavaSetupsoo.exe\r\nad0veupdates2o17.exe adoveupdates2017.exe\r\n0ff1c3v4l1dkey2017.exe officevalidkey2017.exe\r\nAd0v31n5t411.exe Adoveinstaii.exe\r\nOff1c3v4l1dK3y2017s[1].exe OfficevalidKey2017s[i].exe\r\nJavatmp2539891.exe Javatmp2539891.exe\r\nAVGPDTER465.exe AVGPDTER465.exe\r\nK3y2017s.exe Key2017.exe\r\nhp.exe hp.exe\r\nOff1c3v4l1dK3y2017s.exe OfficevalidKey2017.exe\r\nOff1cc3k3yV4l1ds.exe OfficcekeyValids.exe\r\njavaupdates2017.exe javaupdates2017.exe\r\nSerial IO.exe Serial IO.exe\r\n0ff1ceval1dKey001.exe officevalidKey001.exe\r\nJ4v4upd4t352017s.exe Javaupdates2017s.exe\r\nJav4upd4t3r4ds.exe JavaUpdaterads.exe\r\nAd0vs365489.exe Adovs365489.exe\r\nOff1cc3s4dd0ns.exe OfficcesAddons.exe\r\nMSNUNIN.EXE MSNUNIN.EXE\r\ngbrgeidf.exe gbrgeidf.exe\r\noct04.exe.exe octoa.exe.exe\r\nOff1c3TMP2018.exe OfficeTMP2018.exe\r\nIconToolkit.exe IconToolkit.exe\r\nAd0v365489.exe Adovegsa89.exe\r\nEs3tC0deR3name.exe EsetCodeRename.exe\r\nJ4v4S3tup00.exe JavaSetupoo.exe\r\nhttps://www.clearskysec.com/leetmx/\r\nPage 9 of 11\n\nJ4v4465632.exe Java465632.exe\r\nj4v4updat3s2016.exe javaupdates2016.exe\r\nAVGF1rr3w4ll.exe AVGFirrewall.exe\r\nJ4v4mxfullv3rsion.exe Javamxfullversion.exe\r\n0fficeV4lids00.exe officeValidsoo.exe\r\nMalware\r\nMore then 550 samples used in this campaign are available on VirusTotal. Most of them are Xtreme RAT variants\r\n(a short analysis by Sophos is available – Troj/Xrat-R , a PCAP is available in pcapanalysis.com) and iSpy\r\nKeylogger.\r\nIndicators of compromise\r\nIndicators of compromise are available for subscribers of the ClearSky threat intelligence service in MISP event\r\nnumber 249. Indicators are also available in the following CSV file: LeetMX-indicators.csv and on PassiveTotal.\r\nKey parts of the infrastructure are depicted in the Maltego graph below (click to enlarge):\r\nhttps://www.clearskysec.com/leetmx/\r\nPage 10 of 11\n\nSource: https://www.clearskysec.com/leetmx/\r\nhttps://www.clearskysec.com/leetmx/\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.clearskysec.com/leetmx/"
	],
	"report_names": [
		"leetmx"
	],
	"threat_actors": [
		{
			"id": "8221eca0-d856-4e70-8576-ff79e40a2a7e",
			"created_at": "2022-10-25T16:07:23.78157Z",
			"updated_at": "2026-04-10T02:00:04.748788Z",
			"deleted_at": null,
			"main_name": "leetMX",
			"aliases": [],
			"source_name": "ETDA:leetMX",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434059,
	"ts_updated_at": 1775791404,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f0cc8e1d9cea06e241b696bd21d7051ef7c6fd0.pdf",
		"text": "https://archive.orkl.eu/6f0cc8e1d9cea06e241b696bd21d7051ef7c6fd0.txt",
		"img": "https://archive.orkl.eu/6f0cc8e1d9cea06e241b696bd21d7051ef7c6fd0.jpg"
	}
}