{
	"id": "0f0b58e7-5ea9-4ce0-8b28-83501ea0ceff",
	"created_at": "2026-04-06T00:15:49.900397Z",
	"updated_at": "2026-04-10T13:11:40.054231Z",
	"deleted_at": null,
	"sha1_hash": "871a16b6b4c824d8780960c237cd0dbf401c34b9",
	"title": "Malware Campaigns Targeting African Banking Sector | HP Wolf Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 358486,
	"plain_text": "Malware Campaigns Targeting African Banking Sector | HP Wolf\r\nSecurity\r\nBy Patrick Schläpfer\r\nPublished: 2022-04-12 · Archived: 2026-04-05 20:07:49 UTC\r\nThe top motivation behind cybercrime is financial enrichment and the financial services industry is an attractive\r\ntarget for cybercriminals. In early 2022, HP Wolf Security detected a targeted malware campaign against an\r\nemployee of an African bank. The campaign caught our attention because of its targeted nature and how the threat\r\nactor attempted to deliver malware using HTML smuggling, a technique for sneaking malicious email attachments\r\npast gateway security controls. In this article, we describe the campaign, sharing how the attacker registered fake\r\nbanking domains to build a credible lure, and explain how HTML smuggling works.\r\nThe Campaign\r\nIn early 2022, an employee of a West African bank received an email purporting to be from a recruiter from\r\nanother African bank with information about job opportunities there. The domain used to send the email was\r\ntyposquatted and does not belong to the legitimate mimicked organization. A WHOIS request reveals the domain\r\nwas registered in December 2021 and visiting the website returned an HTTP 404 “Not found” response. To make\r\nthe lure more credible, the threat actor also included a reply-to address of another supposed employee of the\r\nrecruiting bank.\r\nSearching for other typosquatted domains relating to the mimicked organization revealed two more (Appendix 1)\r\nthat may be related to the same malware campaign. 
The second domain displayed a web page about the bank’s employment application process, which was likely copied from the legitimate website.\r\nhttps://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/\r\nPage 1 of 9\n\nFigure 1 – Typosquatted bank website describing the job application process.\r\nThere is no malware hosted on the page itself, and no input form that could be used to elicit login credentials or sensitive information from visitors.\r\nThe third domain showed the mimicked bank’s homepage, which was also likely copied from the legitimate website, but again we found no malware or signs that the site was being used for phishing.\r\nPurpose of the Typosquatted Domains\r\nTyposquatted domains 2 and 3 had DNS TXT records for Sender Policy Framework (SPF) set up, suggesting that they were likely used for sending malicious emails: if the websites were only meant for phishing or hosting malware, spending time to configure sender-authentication records would serve no purpose. Visiting the websites increases the recipient’s trust in the email lure because they are shown content copied from the legitimate bank, ultimately making them more likely to act upon the email.\r\nWe weren’t able to link all three domains together conclusively; however, domain 2 references the bank’s job application process – the lure used in the malware campaign – and follows a very similar naming convention to domain 1, so we think the same threat actor probably registered that infrastructure.\r\nCommon Fraud Methods Related to Banks\r\nPhishing: Phishing is one of the most common scams targeting bank customers. The attacker creates a website that imitates a bank’s legitimate login portal and sends the link to potential victims via email or SMS. 
If someone enters their login credentials into the form, the attacker can use them to log into the account. An effective way to defeat simple attacks like this is to enforce multi-factor authentication. To circumvent this, the attacker would have to capture the second factor from the victim and log into the banking portal in real time, while the phishing takes place.\r\nFake bank/investment scam: In the fake bank or investment scam the attacker builds a website imitating a legitimate bank or investment platform. The website is used to attract victims to register an account, often promising strong returns through investments. When the victim logs into the website they are shown a fund management tool. The attacker convinces the victim to transfer money using the tool, supposedly into their own investment account. The money is transferred via third-party providers instead of normal bank transfers, which are subject to stricter anti-fraud controls. The victim is shown a balance in their fake account, which grows as expected for a good return. However, the money was in fact transferred to the fraudster’s account and is usually lost to the victim for good.\r\nMalware distribution: Malware is sometimes distributed via fake bank websites or emails pretending to be from banks. This is not exclusively Windows malware. The rise in popularity of smartphone banking apps means that malware is often distributed as apps targeting smartphone operating systems. Users should verify they are using the official mobile banking application and, in the case of emails and websites, make sure they have accessed the correct domain of their bank.\r\nMalware Analysis\r\nIn this campaign, the threat actor sent an HTML attachment Fiche de dossiers.htm to the recipient. 
Opening the file in a text editor reveals the source code of the page (Figure 2).\r\nFigure 2 – Source code of HTML attachment Fiche de dossiers.htm.\r\nThe file contains encoded data and a decoding function. As can already be seen from the comment in the image above, it is a Base64 encoded ISO file. Further down in the source code, this ISO file is decoded and offered to the user in a web browser download prompt using a JavaScript blob (Figure 3).\r\nFigure 3 – Web browser download prompt offering to save the ISO file to the file system.\r\nHTML Smuggling\r\nHTML smuggling is a technique that enables attackers to sneak file formats that would otherwise be blocked past email gateways by encoding them in an HTML file. JavaScript blobs or HTML5 download attributes can be used to decode and reconstruct the file. When the user opens the HTML attachment in a web browser, the embedded script rebuilds the file from the encoded data and the browser prompts the user to save it; the payload never has to be fetched from a remote server. This way HTML smuggling bypasses security controls that inspect or block malicious website traffic, such as web proxies. The technique is dangerous because HTML email attachments are not typically blocked at gateways, and detecting the malware encoded inside them can be challenging. Using this technique, dangerous file types can be smuggled into an organization and lead to malware infection.\r\nIn Windows 10, double clicking the ISO file causes it to be mounted as disc media, which opens a new File Explorer window showing its contents. At the time of this campaign, files inside a mounted ISO did not inherit the Mark of the Web from the downloaded image, so Windows applied none of the download warnings that a directly downloaded script would receive.\r\nFigure 4 – Contents of ISO file Dossier Bad.iso.\r\nInside there is a Visual Basic Script (VBS) file called Fiche de candidature.vbs, which is executed when double-clicked. 
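The HTML smuggling step described above, as an added example that is not code from the original article or from HP: a Python analyzer that pulls long Base64 runs out of an HTML attachment, decodes them offline and identifies the smuggled file by its magic bytes. It recognises an ISO 9660 image by the identifier CD001 at offset 0x8001 (one byte into the primary volume descriptor that follows the 32 KiB system area), alongside PE, ZIP and PDF signatures, and it lists the JavaScript markers a smuggling page needs to rebuild and hand over a file in the browser. The sample attachment and the ISO-like payload are constructed inline for the example and are not the campaign's files.

```python
import base64
import re

# Strings a smuggling page needs to rebuild a file in the browser and push it to the user.
SMUGGLING_MARKERS = ('atob(', 'new Blob(', 'URL.createObjectURL', 'msSaveOrOpenBlob',
                     '.download', 'download=', 'Uint8Array')

# (offset, signature, description). ISO 9660 keeps its primary volume descriptor
# after a 32 KiB system area; the identifier CD001 sits one byte into that sector.
MAGIC = (
    (0x8001, b'CD001', 'ISO 9660 image'),
    (0, b'MZ', 'PE executable'),
    (0, b'PK' + bytes([3, 4]), 'ZIP archive'),
    (0, b'%PDF', 'PDF document'),
)


def identify(data):
    '''Classify decoded bytes by magic number, or return unknown.'''
    for offset, sig, name in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return name
    return 'unknown'


def extract_payloads(html, min_len=64):
    '''Decode every run of at least min_len Base64 characters found in the HTML.'''
    pattern = '[A-Za-z0-9+/]{%d,}={0,2}' % min_len
    payloads = []
    for match in re.finditer(pattern, html):
        try:
            payloads.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError: long run but not Base64
            continue
    return payloads


def analyze(html):
    '''Report smuggling markers seen and (size, type) of every decodable payload.'''
    return {
        'markers': [m for m in SMUGGLING_MARKERS if m in html],
        'payloads': [(len(p), identify(p)) for p in extract_payloads(html)],
    }


def build_sample_iso():
    '''Constructed stand-in for the smuggled ISO: system area, then a PVD header.'''
    image = bytearray(0x8000 + 2048)
    image[0x8000] = 1               # volume descriptor type: primary
    image[0x8001:0x8006] = b'CD001'
    return bytes(image)


def build_sample_html(payload):
    '''Constructed smuggling page (not the campaign file): decode, wrap in a Blob, click a download link.'''
    b64 = base64.b64encode(payload).decode('ascii')
    return ('<html><body><script>'
            'var b64 = `' + b64 + '`;'
            'var bin = atob(b64); var buf = new Uint8Array(bin.length);'
            'for (var i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);'
            'var blob = new Blob([buf], {type: `application/octet-stream`});'
            'var a = document.createElement(`a`);'
            'a.href = URL.createObjectURL(blob); a.download = `Dossier Bad.iso`; a.click();'
            '</script></body></html>')


if __name__ == '__main__':
    print(analyze(build_sample_html(build_sample_iso())))
```

Run against a real attachment, the markers alone are not proof (legitimate pages export files the same way); the decision is made on the decoded payload, which is why the example decodes and classifies the blob instead of stopping at the JavaScript. Attackers chunk or reverse the Base64 string and stage the decoder in several variables, so a production version would normalise string concatenations before searching for runs.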
One way to prevent the accidental execution of malicious VBS scripts is to change the default application for .vbs files to a text editor, so that a double-click opens the script instead of running it. If we now open this file in an editor, we see the following code (Figure 5).\r\nFigure 5 – VBS code containing variable and data definitions.\r\nThe script contains variables, such as a registry key and the path to PowerShell.exe, and some encoded data. When the script is executed, it creates a new Registry key and stores a long hexadecimal string in it. Then PowerShell is executed with an encoded command. The corresponding code sequences can be seen in Figure 6.\r\nFigure 6 – Visual Basic Script code containing PowerShell execution.\r\nThe PowerShell script uses C# type definitions to call Windows API functions. First the script allocates a memory area with NtAllocateVirtualMemory. Then the previously stored hexadecimal string is read from the Registry and converted into a byte array. The array is copied with RtlMoveMemory into the newly allocated memory area. The copied byte array is shellcode, which is executed via an API call to CallWindowProcW: only the memory address of the shellcode is passed to the function as its first argument (WNDPROC), so the function treats it as the callback address and the shellcode runs.\r\nFigure 7 – PowerShell code using C# type definitions to execute malicious code.\r\nAnalyzing the shellcode with a debugger reveals a simple decryption function at the very beginning of the code. It XOR-decrypts the encrypted code that directly follows it and then transfers execution to the decrypted code.\r\nFigure 8 – Shellcode decryption function.\r\nThe decrypted code is GuLoader. 
This malware is a loader that downloads and executes other malware families from the web. In this campaign GuLoader was configured to download and run RemcosRAT malware. For this purpose, there are two URLs in GuLoader’s configuration that lead to the RemcosRAT payload. One payload URL leads to OneDrive and the other to Dropbox. Other malware campaigns involving GuLoader that we have analyzed have also used file sharing services to host malware payloads. Since the payload is also encrypted, it can be challenging for service providers to detect and remove it.\r\nDelivered Payload\r\nRemcos is a commercial Windows remote access tool (RAT) that gives the operator significant control over the infected system. Its capabilities include running remote commands, downloading and uploading files, taking screenshots, recording keystrokes and recording the user’s webcam and microphone. We don’t know for certain what the attacker would have used their access for, but here are some possibilities:\r\n- Long term persistent access with the objective of making fraudulent transactions, for example through the SWIFT payment system. This would require the threat actor to deploy tools to understand the network, move laterally, monitor internal procedures and take advantage of them. The attacker might take advantage of the employee’s position in the bank, since they would have access to their corporate email account.\r\n- Move laterally with the goal of compromising domain controllers to deploy ransomware. They might also steal sensitive/protected data that could be used to extort the target.\r\n- Sell their access to another threat actor.\r\nConclusion\r\nHP Wolf Security detected a targeted malware campaign on the banking sector in Africa. 
The attacker sent emails from typosquatted domains of a legitimate bank, luring the recipient to apply for a job by opening a malicious attachment. If the user opens the HTML file, they are prompted to download an ISO file, which in turn contains a Visual Basic script that leads to a malware infection when executed. This technique is called HTML smuggling and is dangerous because it enables attackers to smuggle malicious files past email gateway security.\r\nThe downloader used in the described campaign is GuLoader, which is executed using PowerShell via code stored in the Registry and otherwise runs only in memory. Detecting such a chain of infection is not easy, as the malware is only located in memory and the Registry. However, one simple way of breaking the infection chain is changing the default application for script files from Windows Script Host to something else, for example, Notepad.\r\nOrganizations should also make sure they have visibility over their endpoints and network to monitor and block unusual process behavior at an early stage. 
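The process-behaviour monitoring recommended above, as an added example that is not HP's code: a Python triage pass over Sysmon-style events (process creation, event ID 1, and registry value set, event ID 13) that decodes the PowerShell -EncodedCommand payload (Base64 of UTF-16LE) and flags the chain this report describes, namely a script host writing a long hexadecimal blob to the Registry and then spawning PowerShell whose decoded script reads the Registry and calls NtAllocateVirtualMemory, RtlMoveMemory and CallWindowProcW. The field names follow Sysmon; the events, the registry path and the stand-in script are constructed for the example and are not the campaign's artifacts.

```python
import base64
import re

SCRIPT_HOSTS = ('wscript.exe', 'cscript.exe')
# API names the page reports in the PowerShell stage; VirtualAlloc/CreateThread cover common variants.
INMEM_APIS = ('NtAllocateVirtualMemory', 'RtlMoveMemory', 'CallWindowProcW', 'VirtualAlloc', 'CreateThread')
REGISTRY_READS = ('Get-ItemProperty', 'GetValue(', 'Registry::')
HEX_DIGITS = set('0123456789abcdefABCDEF')


def win(*parts):
    '''Join path components with the Windows separator (chr(92) is a backslash).'''
    return chr(92).join(parts)


def decode_encoded_command(cmdline):
    '''Return the script behind -e/-ec/-enc/-EncodedCommand (Base64 of UTF-16LE), or None.'''
    match = re.search('(?i)-e(?:c|nc|ncodedcommand)? +([A-Za-z0-9+/=]+)', cmdline)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1)).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def score_process_event(ev):
    '''Reasons a process-creation event (ID 1) looks like the VBS to PowerShell stage.'''
    reasons = []
    image, parent = ev.get('Image', '').lower(), ev.get('ParentImage', '').lower()
    if image.endswith('powershell.exe') and parent.endswith(SCRIPT_HOSTS):
        reasons.append('powershell.exe spawned by Windows Script Host')
    script = decode_encoded_command(ev.get('CommandLine', ''))
    if script is not None:
        reasons.append('encoded command')
        apis = [a for a in INMEM_APIS if a in script]
        if apis:
            reasons.append('in-memory execution APIs: ' + ', '.join(apis))
        if any(r in script for r in REGISTRY_READS):
            reasons.append('reads payload from registry')
    return reasons


def score_registry_event(ev):
    '''Reasons a value-set event (ID 13) looks like the staged hex blob.'''
    image, details = ev.get('Image', '').lower(), ev.get('Details', '')
    if image.endswith(SCRIPT_HOSTS) and len(details) >= 1024 and set(details) <= HEX_DIGITS:
        return ['script host stored a %d-char hex blob in %s' % (len(details), ev.get('TargetObject', ''))]
    return []


def triage(events):
    '''Return (index, reasons) for every event that scored on either rule.'''
    hits = []
    for i, ev in enumerate(events):
        reasons = score_process_event(ev) if ev.get('EventID') == 1 else score_registry_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry and stand-in script, not the campaign's real events.
REG_VALUE = win('HKCU', 'Software', 'Dossier', 'Data')
SAMPLE_SCRIPT = ('$h = (Get-ItemProperty -Path ' + win('HKCU:', 'Software', 'Dossier') + ').Data;'
                 '$b = [byte[]]::new($h.Length / 2);'
                 '[Win32]::NtAllocateVirtualMemory(-1, [ref]$p, 0, [ref]$b.Length, 0x3000, 0x40);'
                 '[Win32]::RtlMoveMemory($p, $b, $b.Length);'
                 '[Win32]::CallWindowProcW($p, 0, 0, 0, 0)')


def build_sample_events():
    enc = base64.b64encode(SAMPLE_SCRIPT.encode('utf-16-le')).decode('ascii')
    wsh = win('C:', 'Windows', 'System32', 'wscript.exe')
    ps = win('C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe')
    return [
        {'EventID': 13, 'Image': wsh, 'TargetObject': REG_VALUE, 'Details': '90' * 1200},
        {'EventID': 1, 'Image': ps, 'ParentImage': wsh,
         'CommandLine': 'powershell.exe -nop -w hidden -enc ' + enc},
        {'EventID': 1, 'Image': ps, 'ParentImage': win('C:', 'Windows', 'explorer.exe'),
         'CommandLine': 'powershell.exe -NoProfile -Command Get-Date'},   # benign control
    ]


if __name__ == '__main__':
    for index, why in triage(build_sample_events()):
        print(index, why)
```

Either rule on its own is a reasonable alert: a script host writing kilobytes of hex into the Registry has few legitimate explanations, and PowerShell launched by wscript.exe with an encoded command that resolves native memory APIs is the in-memory loader pattern this report describes. Decoding the command before matching matters, because the Base64 wrapper hides every API name from a plain command-line search.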
Beyond this, it is important for employees to critically question emails, especially those that appeal to a sense of urgency, curiosity and authority – characteristics that are commonly exploited by attackers.\r\nIndicators of Compromise\r\nThe files with the following hashes can also be found on MalwareBazaar.\r\nHTML file:\r\n9af5400545853d895f82b0259a7dafd0a9c1465c374b0925cc83f14dd29b29c5\r\nISO file:\r\n7079ff76eb4b9d891fd04159008c477f6c7b10357b5bba52907c2eb0645887aa\r\nVBS script:\r\n43aaa7f39e9bb4039f70daf61d84b4cde2b3273112f9d022242f841a4829da03\r\nPowerShell script:\r\n0407eab084e910bdd6368f73b75ba2e951e3b545d0c9477e6971ffe6a52a273a\r\nEncrypted GuLoader shellcode:\r\nd681b39362fae43843b1c6058c0aa8199673052507e5c500b7361c935037e05e\r\nRemcosRAT Payload URLs:\r\nhxxps://onedrive.live[.]com/download?cid=50D26408C26A8B34\u0026resid=50D26408C26A8B34%21114\u0026authkey=AGW61DvT-RT_FRU\r\nhxxps://www.dropbox[.]com/s/veqimnoofpaqmx1/rmss_umUIGF84.bin?dl=1\r\nEncrypted RemcosRAT payload:\r\n5d45422cf2c38af734cee5a5c9fa2fef005f9409d5d5b74814aea1a5f246835d\r\nTyposquatted Domains\r\nThe following domains were typosquatted by the threat actor to impersonate a credible and legitimate organization and do not represent a vulnerability affecting the organization.\r\nTyposquatted domain 1: afbd-bad[.]org\r\nTyposquatted domain 2: afdb-bad[.]org\r\nTyposquatted domain 3: afdb-za[.]org\r\nSource: https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/"
	],
	"report_names": [
		"malware-campaigns-targeting-african-banking-sector"
	],
	"threat_actors": [],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/871a16b6b4c824d8780960c237cd0dbf401c34b9.pdf",
		"text": "https://archive.orkl.eu/871a16b6b4c824d8780960c237cd0dbf401c34b9.txt",
		"img": "https://archive.orkl.eu/871a16b6b4c824d8780960c237cd0dbf401c34b9.jpg"
	}
}