{ "id": "ae6db5cf-41e9-4e44-a58c-821b0fba9494", "created_at": "2026-04-06T00:13:40.903795Z", "updated_at": "2026-04-10T03:36:33.649533Z", "deleted_at": null, "sha1_hash": "acf9b9e1d6cf790e43c0976e7c3a90abb2d74246", "title": "Dark Tequila Añejo", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1975012, "plain_text": "Dark Tequila Añejo\r\nBy GReAT\r\nPublished: 2018-08-21 · Archived: 2026-04-05 21:15:24 UTC\r\nAPT reports\r\nAPT reports\r\n21 Aug 2018\r\n 2 minute read\r\n GReAT\r\nhttps://securelist.com/dark-tequila-anejo/87528/\r\nPage 1 of 7\n\nDark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing\r\nfinancial information, as well as login credentials to popular websites that range from code versioning repositories\r\nto public file storage accounts and domain registrars.\r\nA multi-stage payload is delivered to the victim only when certain conditions are met; avoiding infection when\r\nsecurity suites are installed or the sample is being run in an analysis environment. From the target list retrieved\r\nfrom the final payload, this particular campaign targets customers of several Mexican banking institutions and\r\ncontains some comments embedded in the code written in the Spanish language, using words only spoken in Latin\r\nAmerica.\r\nMost of the victims are located in Mexico. The campaign has been active since at least 2013, so it is a very ‘añejo’\r\n(mature) product. There are two known infection vectors: spear-phishing and infection by USB device.\r\nThe threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in\r\nMexico or is not of interest, the malware is uninstalled remotely from the victim’s machine.\r\nhttps://securelist.com/dark-tequila-anejo/87528/\r\nPage 2 of 7\n\n(Translation for “Abrir la carpeta para ver los archivos” – “Open folder to see files”. The word “Archivos” is\r\nused by Spanish speakers from Latin America only)\r\nThe Dark Tequila malware and its supporting infrastructure are unusually sophisticated for a financial fraud\r\noperation. The malicious implant contains all the modules required for the operation and, when instructed to do so\r\nby net command server, different modules decrypt and activate. All stolen data is uploaded to the server in\r\nencrypted form.\r\nThis campaign modules are as follows:\r\nModule 1, which is responsible for communication with the command and control server. It verifies if a\r\nman-in-the-middle network check is being performed, by validating the certificates with a few very popular\r\nwebsites.\r\nModule 2 – CleanUp. If the service detects any kind of ‘suspicious’ activity in the environment, such as the\r\nfact that it is running on a virtual machine, or that debugging tools are running in the background, it will\r\nexecute this module to perform a full cleanup of the system, removing the persistence service as well as\r\nany files created previously on the system.\r\nModule 3 – Keylogger and Windows Monitor. This is designed to steal credentials from a long list of\r\nonline banking sites, as well as generic Cpanels, Plesk, online flight reservation systems, Microsoft\r\nhttps://securelist.com/dark-tequila-anejo/87528/\r\nPage 3 of 7\n\nOffice365, IBM lotus notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap,\r\nDropbox, Softlayer, Rackspace, and other services.\r\nModule 4 – Information stealer, which is designed to steal saved passwords in email and FTP clients, as\r\nwell as from browsers.\r\nModule 5 – The USB infector. This copies an executable file to a removable drive to run automatically.\r\nThis enables the malware to move offline through the victim’s network, even when only one machine was\r\ninitially compromised via spear-phishing. When another USB is connected to the infected computer, it\r\nautomatically becomes infected, and ready to spread the malware to another target.\r\nModule 6 – The service watchdog. This service is responsible for making sure that the malware is running\r\nproperly.\r\nAll the described modules are embedded inside the main sample and could be extracted during the analysis\r\nprocess.\r\nThe campaign remains active. It is designed to be deployed in any part of the world, and attack any targets\r\naccording to the interests of the threat actor behind it. Kaspersky Lab detects the campaign as\r\nTrojan.Win32.DarkTequila and Trojan.Win64.DarkTequila.\r\nReference hashes:\r\n4f49a01e02e8c47d84480f6fb92700aa091133c894821fff83c7502c7af136d9\r\ndce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47\r\nReference C2s:\r\nhttps://46[.]17[.]97[.]12/website/\r\nhttps://174[.]37[.]6[.]34/98157cdfe45945293201e71acb2394d2\r\nhttps://75[.]126[.]60[.]251/store/\r\nFor more information about this campaign, please contact us at financialintel@kaspersky.com\r\nhttps://securelist.com/dark-tequila-anejo/87528/\r\nPage 4 of 7\n\nLatest Webinars\r\nhttps://securelist.com/dark-tequila-anejo/87528/\r\nPage 5 of 7\n\nhttps://securelist.com/dark-tequila-anejo/87528/\r\nPage 6 of 7\n\nReports\r\nKaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka\r\nMustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.\r\nKaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a\r\nkernel-mode rootkit to deliver and protect a ToneShell backdoor.\r\nKaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with\r\nDPAPI and RC5, as well as the MgBot implant.\r\nKaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their\r\nsignature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.\r\nSource: https://securelist.com/dark-tequila-anejo/87528/\r\nhttps://securelist.com/dark-tequila-anejo/87528/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://securelist.com/dark-tequila-anejo/87528/" ], "report_names": [ "87528" ], "threat_actors": [ { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f35997d9-ca1e-453f-b968-0e675cc16d97", "created_at": "2023-01-06T13:46:39.490819Z", "updated_at": "2026-04-10T02:00:03.345364Z", "deleted_at": null, "main_name": "Evasive Panda", "aliases": [ "BRONZE HIGHLAND" ], "source_name": "MISPGALAXY:Evasive Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a", "created_at": "2024-11-01T02:00:52.763555Z", "updated_at": "2026-04-10T02:00:05.263997Z", "deleted_at": null, "main_name": "Daggerfly", "aliases": [ "Daggerfly", "Evasive Panda", "BRONZE HIGHLAND" ], "source_name": "MITRE:Daggerfly", "tools": [ "PlugX", "MgBot", "BITSAdmin", "MacMa", "Nightdoor" ], "source_id": "MITRE", "reports": null }, { "id": "f9806b99-e392-46f1-9c13-885e376b239f", "created_at": "2023-01-06T13:46:39.431871Z", "updated_at": "2026-04-10T02:00:03.325163Z", "deleted_at": null, "main_name": "Watchdog", "aliases": [ "Thief Libra" ], "source_name": "MISPGALAXY:Watchdog", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7", "created_at": "2023-01-06T13:46:39.413725Z", "updated_at": "2026-04-10T02:00:03.31882Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Evasive Panda", "Daggerfly" ], "source_name": "MISPGALAXY:BRONZE HIGHLAND", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7", "created_at": "2022-10-25T16:07:23.422755Z", "updated_at": "2026-04-10T02:00:04.592069Z", "deleted_at": null, "main_name": "Bronze Highland", "aliases": [ "Daggerfly", "Digging Taurus", "Evasive Panda", "Storm Cloud", "StormBamboo", "TAG-102", "TAG-112" ], "source_name": "ETDA:Bronze Highland", "tools": [ "Agentemis", "CDDS", "CloudScout", "Cobalt Strike", "CobaltStrike", "DazzleSpy", "KsRemote", "LOLBAS", "LOLBins", "Living off the Land", "MacMa", "Macma", "MgBot", "Mgmbot", "NetMM", "Nightdoor", "OSX.CDDS", "POCOSTICK", "RELOADEXT", "Suzafk", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "4f7d2815-7504-4818-bf8d-bba18161b111", "created_at": "2025-08-07T02:03:24.613342Z", "updated_at": "2026-04-10T02:00:03.732192Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Daggerfly", "Daggerfly ", "Evasive Panda ", "Evasive Panda ", "Storm Bamboo " ], "source_name": "Secureworks:BRONZE HIGHLAND", "tools": [ "Cobalt Strike", "KsRemote", "Macma", "MgBot", "Nightdoor", "PlugX" ], "source_id": "Secureworks", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434420, "ts_updated_at": 1775792193, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/acf9b9e1d6cf790e43c0976e7c3a90abb2d74246.pdf", "text": "https://archive.orkl.eu/acf9b9e1d6cf790e43c0976e7c3a90abb2d74246.txt", "img": "https://archive.orkl.eu/acf9b9e1d6cf790e43c0976e7c3a90abb2d74246.jpg" } }