{
	"id": "7dad760d-6085-4cdb-b400-b8e8dc98fda7",
	"created_at": "2026-04-06T00:19:04.053017Z",
	"updated_at": "2026-04-10T03:21:05.274663Z",
	"deleted_at": null,
	"sha1_hash": "b1f35e1d1ae64d1d33b9dded9954bb089f0abbc6",
	"title": "Check Point Research exposes new versions of the BBTok banking malware, which targets clients of over 40 Mexican and Brazilian banks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63302,
	"plain_text": "Check Point Research exposes new versions of the BBTok banking malware, which targets clients of over 40 Mexican and Brazilian banks\r\nBy etal\r\nPublished: 2023-09-20 · Archived: 2026-04-05 16:02:14 UTC\r\nHighlights:\r\nCheck Point Research (CPR) recently discovered an active campaign deploying a new variant of the BBTok banking malware in Latin America\r\nOriginally exposed in 2020, the newly discovered variant of the malware replicates the interfaces of over 40 Mexican and Brazilian banks, and tricks the infected victims into entering the 2FA code for their bank accounts or into entering their payment card number\r\nOver time, the cybercriminals behind the malware have actively maintained diversified infection chains for different versions of Windows. Those chains employ a wide variety of file types, including ISO, ZIP, LNK, DOCX, JS and XLL\r\nCPR’s findings expose the threat actor’s evolution over time, and call on users to remain alert when entering banking credentials and financial information\r\nBBTok hits LATAM\r\nCheck Point Research recently discovered an active campaign operating and deploying a new variant of the BBTok banking malware in Latin America. In the research, we highlight newly discovered infection chains that use a unique combination of Living off the Land Binaries (LOLBins), resulting in low detection rates, even though this BBTok banking malware has been operating since 2020.\r\nAs we analyzed the campaign, we came across some of the threat actor’s server-side resources used in the attacks, targeting hundreds of users in Brazil and Mexico.\r\nThe server-side components are responsible for serving malicious payloads that were probably distributed through phishing links. We have observed numerous iterations of the same server-side scripts and configuration files, which demonstrate the evolution of the BBTok banking malware deployment methods over time.\r\nThe evolution of BBTok\r\nThe BBTok banking malware, first revealed in 2020, was deployed in Latin America through fileless attacks. The banking malware has a wide set of functionalities, including enumerating and killing processes, keyboard and mouse control, and manipulating clipboard contents. Alongside those, BBTok contains classic banking Trojan features, simulating fake login pages for a wide variety of banks operating in Mexico and Brazil.\r\nhttps://blog.checkpoint.com/security/check-point-research-exposes-new-versions-of-the-bbtok-banking-malware-which-targets-clients-of-over-40-mexican-and-brazilian-banks/\r\nPage 1 of 5\n\nSince it was first publicly disclosed, the BBTok operators have adopted new TTPs, all while still primarily utilizing phishing emails with attachments for the initial infection. Recently we have seen indications of the banking malware being distributed through phishing links, and not as attachments to the email itself.\r\nSince the last public reporting on BBTok in 2020, the operators’ tactics, techniques and procedures (TTPs) have evolved significantly, adding additional layers of obfuscation and downloaders, resulting in low detection rates. BBTok continues to be active, targeting users in Brazil and Mexico, and employs multi-layered geo-fencing to ensure infected machines are from those countries only.\r\nMulti-layered geo-fencing is a sophisticated approach to creating virtual boundaries or zones in geographic areas. It involves the use of multiple layers of these boundaries, each with its own set of specifications and criteria.\r\nThe BBTok banking malware has dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the malware victims into entering the 2FA code for their bank accounts or into entering their payment card number. An analysis of the payload server-side code revealed the actors are actively maintaining diversified infection chains for different versions of Windows.\r\nPosing as legitimate institutions, these fake interfaces coax unsuspecting users into divulging personal and financial details, tricking the victim into entering the security code/token number that serves as 2FA for the bank account, which then lets the attackers conduct account takeovers of the victim’s bank account. In some cases, this capability also tricks the victim into entering their payment card number.\r\nFigure 1 – Examples of fake interfaces embedded within the BBTok Banker\r\nDuring the research, CPR was able to identify a database of some BBTok malware victims in Mexico that contained over 150 entries with victims’ information:\r\nFigure 2 – Database with victims’ information\r\nFigure 3 – Geographical distribution of the victims within Mexico\r\nBeware of online phishing attempts\r\nPhishing attacks can have a number of different goals, including malware delivery, stealing money, and credential theft. However, most phishing scams designed to steal your personal information can be detected if you pay enough attention.\r\nHere are a few phishing prevention tips to keep in mind:\r\n1. Always be suspicious of password reset emails\r\nPassword reset emails are designed to help when you cannot recall the password for your account. By clicking on a link, you can reset the password to that account to something new. Not knowing your password is, of course, also the problem that cybercriminals face when trying to gain access to your online accounts. By sending a fake password reset email that directs you to a lookalike phishing site, they can convince you to type in your account credentials and send those to them. If you receive an unsolicited password reset email, always visit the website directly (do not click on embedded links) and change your password to something different on that site (and any other sites with the same password).\r\n2. Never share your credentials\r\nCredential theft is a common goal of cyberattacks. Many people reuse the same usernames and passwords across many different accounts, so stealing the credentials for a single account is likely to give an attacker access to a number of the user’s online accounts.\r\nAs a result, phishing attacks are designed to steal login credentials in various ways, such as:\r\nPhishing Sites: Attackers will create lookalike sites that require user authentication and point to these sites in their phishing emails. Beware of links that do not go where you expect them to.\r\nCredential-Stealing Malware: Not all attacks against your credentials are direct. Some phishing emails carry malware, such as keyloggers or trojans, that are designed to eavesdrop when you type passwords into your computer.\r\nSupport Scams: Cybercriminals may pose as customer support specialists from organisations like Microsoft, Apple, and similar companies and ask for your login credentials while they “help” you with your computer.\r\n3. Always note the language in the email\r\nSocial engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of people in positions of authority.\r\nPhishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment. Some common phishing techniques include:\r\nFake Order/Delivery: A phishing email will impersonate a trusted brand (Amazon, FedEx, etc.) stating that you have made an order or have an incoming delivery. When you click to cancel the unauthorized order or delivery, the website (which belongs to a cybercriminal) will require authentication, enabling the attacker to steal login credentials.\r\nBusiness Email Compromise (BEC): BEC scams take advantage of hierarchy and authority within a company. An attacker will impersonate the CEO or other high-level executives and order the recipient of the email to take some action, such as sending money to a certain bank account (that belongs to the scammer).\r\nFake Invoice: The phisher will pretend to be a legitimate vendor requesting payment of an outstanding invoice. The end goal of this scam is to have money transferred to the attacker’s account or to deliver malware via a malicious document.\r\nProtecting Against Phishing Attacks: To learn more about protecting your organization against phishing, contact us and check out our advanced anti-phishing solution.\r\nCheck Point customers using Threat Emulation and Check Point Harmony Endpoint remain protected against the threat reported in this research.\r\nTo get the full research visit https://research.checkpoint.com/\r\nSource: https://blog.checkpoint.com/security/check-point-research-exposes-new-versions-of-the-bbtok-banking-malware-which-targets-clients-of-over-40-mexican-and-brazilian-banks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.checkpoint.com/security/check-point-research-exposes-new-versions-of-the-bbtok-banking-malware-which-targets-clients-of-over-40-mexican-and-brazilian-banks/"
	],
	"report_names": [
		"check-point-research-exposes-new-versions-of-the-bbtok-banking-malware-which-targets-clients-of-over-40-mexican-and-brazilian-banks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434744,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1f35e1d1ae64d1d33b9dded9954bb089f0abbc6.pdf",
		"text": "https://archive.orkl.eu/b1f35e1d1ae64d1d33b9dded9954bb089f0abbc6.txt",
		"img": "https://archive.orkl.eu/b1f35e1d1ae64d1d33b9dded9954bb089f0abbc6.jpg"
	}
}