{
	"id": "034312f6-8480-46e4-82bf-a6d127aaf36f",
	"created_at": "2026-04-06T00:06:24.79285Z",
	"updated_at": "2026-04-10T13:11:18.982465Z",
	"deleted_at": null,
	"sha1_hash": "be2605e4c6bd6caac094704fcc511b2337db7229",
	"title": "Massive Phishing Campaign Strikes Latin America: Venom RAT Targeting Multiple Sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 269249,
	"plain_text": "Massive Phishing Campaign Strikes Latin America: Venom RAT\r\nTargeting Multiple Sectors\r\nBy The Hacker News\r\nPublished: 2024-04-02 · Archived: 2026-04-05 22:01:25 UTC\r\nThe threat actor known as TA558 has been attributed to a new massive phishing campaign that targets a wide\r\nrange of sectors in Latin America with the goal of deploying Venom RAT.\r\nThe attacks primarily singled out hotel, travel, trading, financial, manufacturing, industrial, and government\r\nverticals in Spain, Mexico, the United States, Colombia, Portugal, Brazil, Dominican Republic, and Argentina.\r\nActive since at least 2018, TA558 has a history of targeting entities in the LATAM region to deliver a variety of\r\nmalware such as Loda RAT, Vjw0rm, and Revenge RAT.\r\nThe latest infection chain, according to Perception Point researcher Idan Tarab, leverages phishing emails as an\r\ninitial access vector to drop Venom RAT, a fork of Quasar RAT that comes with capabilities to harvest sensitive\r\ndata and commandeer systems remotely.\r\nThe disclosure comes as threat actors have been increasingly observed using the DarkGate malware loader\r\nfollowing the law enforcement takedown of QakBot last year to target financial institutions in Europe and the U.S.\r\n\"Ransomware groups utilize DarkGate to create an initial foothold and to deploy various types of malware in\r\ncorporate networks,\" EclecticIQ researcher Arda Büyükkaya noted.\r\n\"These include, but are not limited to, info-stealers, ransomware, and remote management tools. The objective of\r\nthese threat actors is to increase the number of infected devices and the volume of data exfiltrated from a victim.\"\r\nIt also follows the emergence of malvertising campaigns designed to deliver malware like FakeUpdates (aka\r\nSocGholish), Nitrogen, and Rhadamanthys.\r\nEarlier this month, Israeli ad security company GeoEdge revealed that a notorious malvertising group tracked\r\nas ScamClub \"has shifted its focus towards video malvertising assaults, resulting in a surge in VAST-forced\r\nredirect volumes since February 11, 2024.\"\r\nThe attacks entail the malicious use of Video Ad Serving Templates (VAST) tags – which are used for video\r\nadvertising – to redirect unsuspecting users to fraudulent or scam pages but only upon successful passage of\r\ncertain client-side and server-side fingerprinting techniques.\r\nA majority of the victims are located in the U.S. (60.5%), followed by Canada (7.2%), the U.K. (4.8%), Germany\r\n(2.1%), and Malaysia (1.7%), among others.\r\nSource: https://thehackernews.com/2024/04/massive-phishing-campaign-strikes-latin.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2024/04/massive-phishing-campaign-strikes-latin.html"
	],
	"report_names": [
		"massive-phishing-campaign-strikes-latin.html"
	],
	"threat_actors": [
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433984,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be2605e4c6bd6caac094704fcc511b2337db7229.pdf",
		"text": "https://archive.orkl.eu/be2605e4c6bd6caac094704fcc511b2337db7229.txt",
		"img": "https://archive.orkl.eu/be2605e4c6bd6caac094704fcc511b2337db7229.jpg"
	}
}