{
	"id": "68985e1b-3853-4a4b-bb59-5b8b8f25622b",
	"created_at": "2026-04-06T00:11:55.742651Z",
	"updated_at": "2026-04-10T13:12:36.948411Z",
	"deleted_at": null,
	"sha1_hash": "7ee541a86a49615d9737bcaf2288434f7ee61aca",
	"title": "Mekotio Banking Trojan Threatens Financial Systems in Latin America",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41199,
	"plain_text": "Mekotio Banking Trojan Threatens Financial Systems in Latin America\r\nBy: Trend Micro Research Jul 04, 2024 Read time: 2 min (627 words)\r\nPublished: 2024-07-04 · Archived: 2026-04-05 16:02:57 UTC\r\nIntroduction\r\nThe Mekotio banking trojan is a sophisticated piece of malware that has been active since at least 2015, primarily targeting Latin American countries with the goal of stealing sensitive information — particularly banking credentials — from its targets. Originating in the Latin American region, it has been particularly prolific in Brazil, Chile, Mexico, Spain, and Peru. Furthermore, Mekotio seems to share a common origin with other notable Latin American banking malware such as Grandoreiro, which was disrupted by law enforcement earlier this year.\r\nMekotio is often delivered through phishing emails, employing social engineering to trick users into interacting with malicious links or attachments.\r\nWe’ve recently seen a surge in attacks involving Mekotio among our customers. In this blog entry, we'll provide an overview of the trojan and what it does.\r\nHow Mekotio Works\r\nFigure 1 shows the attack chain for a Mekotio infection:\r\nMekotio typically arrives through emails that appear to be from tax agencies alleging that the user has unpaid tax obligations. These emails contain a ZIP file attachment or a link to a malicious site. Once the user interacts with the email, the malware is downloaded and executed on their system. In the sample we analyzed, the attachment was a PDF file containing the malicious link.\r\nUpon execution, Mekotio gathers system information and establishes a connection with a command-and-control (C\u0026C) server. This server provides instructions and a list of tasks for the malware to perform.\r\nOnce inside the system, Mekotio performs the following malicious activities:\r\nCredential Theft: Mekotio's main goal is to steal banking credentials. 
It achieves this by displaying fake pop-ups that mimic legitimate banking sites, tricking users into entering their details, which the trojan then harvests.\r\nInformation Gathering: Mekotio can capture screenshots, log keystrokes, and steal clipboard data.\r\nPersistence Mechanisms: Mekotio employs various tactics to maintain its presence on the infected system, including adding itself to startup programs or creating scheduled tasks.\r\nThe stolen banking information is sent back to the C\u0026C server, where it can be further used by malicious actors for fraudulent activities, such as unauthorized access to bank accounts.\r\nhttps://www.trendmicro.com/en_us/research/24/g/mekotio-banking-trojan.html\r\nPage 1 of 2\n\nMitigation\r\nBy following security best practices, users can protect themselves from threats that are primarily delivered via email. These include the following:\r\nBeing skeptical of unsolicited emails\r\nUsers should verify the sender’s email address, look for spelling and grammar mistakes, and scrutinize subject lines.\r\nAvoiding clicking on links and downloading attachments\r\nUsers should hover over links to check URLs and avoid downloading attachments in general unless absolutely certain of the sender’s identity.\r\nVerifying sender identity\r\nUsers should directly contact the sender using known contact details and compare the email with previous correspondence if they suspect that the email might be malicious.\r\nUsing email filters and anti-spam software\r\nOrganizations should ensure that spam filters and other security tools are turned on and are up to date.\r\nReporting phishing attempts\r\nUsers should report phishing attempts to their IT and security teams when applicable.\r\nEducating employees on security best practices\r\nOrganizations should educate their employees on phishing and social engineering tactics, as well as conduct regular phishing awareness training.\r\nConclusion\r\nThe Mekotio banking trojan is a persistent and evolving threat to financial systems, especially in Latin American countries. It uses phishing emails to infiltrate systems, with the goal of stealing sensitive information while also maintaining a strong foothold on compromised machines. By adhering to recommended security practices, such as verifying email authenticity, avoiding suspicious links and attachments, and employing robust cybersecurity solutions, individuals and organizations can significantly reduce the risk of falling victim to this dangerous malware.\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/24/g/mekotio-banking-trojan.html\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/g/mekotio-banking-trojan.html"
	],
	"report_names": [
		"mekotio-banking-trojan.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434315,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ee541a86a49615d9737bcaf2288434f7ee61aca.pdf",
		"text": "https://archive.orkl.eu/7ee541a86a49615d9737bcaf2288434f7ee61aca.txt",
		"img": "https://archive.orkl.eu/7ee541a86a49615d9737bcaf2288434f7ee61aca.jpg"
	}
}