{
	"id": "7c577970-dfbe-4232-bf45-42c54f8cd29c",
	"created_at": "2026-04-06T00:07:13.162267Z",
	"updated_at": "2026-04-10T13:12:34.068759Z",
	"deleted_at": null,
	"sha1_hash": "dd3af30c6b21e69774d37aa160dc003819c9c5ce",
	"title": "TA2721's Spanish Email Threats with Bandook Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 410836,
	"plain_text": "TA2721's Spanish Email Threats with Bandook Malware | Proofpoint US\r\nBy Joe Wise, Konstantin Klinger, Selena Larson and the Proofpoint Threat Research Team\r\nPublished: 2021-07-15 · Archived: 2026-04-05 18:08:14 UTC\r\nKey Findings  \r\nProofpoint researchers identified a new group, TA2721, distributing Spanish-language email threats. \r\nThe group often targets individuals with Spanish-language surnames at global organizations representing multiple\r\ndifferent industries. \r\nThe infection chain features a PDF containing a URL that leads to an encrypted RAR file which\r\ninstalls Bandook malware.  \r\nThe threat actor tends to use the same command and control (C2) infrastructure for weeks or months at a\r\ntime. Proofpoint has only seen three different C2 domains in the last six months. \r\nBandook is an old malware that is not used by many threat actors. \r\nOverview  \r\nProofpoint researchers identified a new and highly active threat group, TA2721, also colloquially referred to by our\r\nresearchers as Caliente Bandits. The group targets multiple industries from finance to entertainment. The group uses\r\nSpanish-language lures to distribute a known – but infrequently used – remote access trojan (RAT)\r\ncalled Bandook. Proofpoint researchers nicknamed the group Caliente Bandits for their use of Hotmail email accounts –\r\n “caliente” is the Spanish word for “hot.”   \r\nProofpoint researchers began tracking this group in January 2021 and have observed TA2721 distribute email threats\r\ndelivering Bandook every week since April. The campaigns are low volume, with fewer than 300 messages per\r\ncampaign. The threats target entities globally, but the threat actors mostly impact individuals with Spanish surnames at these\r\norganizations. Cybersecurity firm ESET first published details of the malware used by this group. 
\r\nCampaign Details  \r\nTA2721 leverages the same type of budget or payment-themed lures throughout its campaigns to prompt a user to download\r\na PDF.  \r\n \r\nFigure 1: Email sample masquerading as a budget/quotation proposal. \r\nThe attached PDF contains an embedded URL and password that, when clicked, leads to the download of a password\r\nprotected compressed executable that contains Bandook.  \r\nhttps://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook\r\nPage 1 of 7\n\nFigure 2: PDF containing a malicious link and password that leads to the download of Bandook. \r\nProofpoint researchers observed TA2721 sending low-volume campaigns impacting fewer than 100 organizations at a\r\ntime since January 2021. Targets include entities in manufacturing, automotive, food and beverage, entertainment and\r\nmedia, banking, insurance, and agriculture. Targeted organizations included entities in the U.S., Europe, and South America,\r\nboth multinational organizations as well as smaller businesses. Only a handful of individuals are targeted at each\r\norganization, and most have Spanish-language surnames, such as Pérez, Castillo, Ortiz, etc.  \r\nThe targeting suggests TA2721 conducts reconnaissance and attack planning to obtain employee data and contact\r\ninformation. The group appears to target individuals who may speak Spanish, increasing the likelihood of a successful\r\ncompromise.  \r\nDelivery and Installation \r\nProofpoint researchers have observed this actor distributing two different Bandook variants. Bandook is commodity\r\nmalware, but the tactics used in the campaigns demonstrate some attempts to evade detection and add additional effort for\r\nthe attacker. 
The password-protection of the malicious archive is an easy way to make detection by automatic analysis\r\nproducts harder, and the specific focus on Spanish-language surnames coupled with low volume targeting suggests the threat\r\nactor conducted reconnaissance before deploying campaigns. \r\nNearly all observed campaigns contained PDF attachments containing links to the Bandook download, however in one June\r\ncampaign the threat actor began using URLs in the messages directly. \r\nTA2721 sends Spanish-language messages masquerading as companies located in South America, typically Venezuela, and\r\nMexico. They are sent from Hotmail or Gmail email addresses. Subjects and filenames typically contain the\r\nterms \"PRESUPUESTO (Budget)\", \"COTIZACION (Quotation)\", and \"rcibo de pago (receipt of payment)\". \r\nTA2721 generally uses the same command and control (C2) infrastructure for weeks or months at a time. For example:  \r\n“s1[.]megawoc[.]com” was used in January. \r\n“d1[.]ngobmc[.]com” was used from March to June.   \r\n“r1[.]panjo[.]club” was used since June. \r\nThe URLs observed from January through June 2021 used shortener URLs such as bit[.]ly and rebrand[.]ly links.\r\nThese redirect to spideroak[.]com, an enterprise security file sharing platform. The URLs lead to the download of a\r\npassword protected RAR file that installs Bandook. \r\nMalware Analysis  \r\nBandook is a commercially available RAT written in Delphi and has been seen in the wild since at least 2007. Researchers\r\nhave published details about multiple now publicly-available variants. Bandook can capture screenshots, video, keylogging,\r\nand audio on the host, and can be used for information gathering operations.  \r\nDespite its availability and age of use, Proofpoint does not observe any other threat actor currently using this malware. 
In\r\nfact, since 2015, Proofpoint has observed around 40 total campaigns distributing this malware, with the\r\n2021 TA2721 campaigns making up more than 50% of the observed activity. According to MITRE ATT\u0026CK’s malware\r\nwiki, Bandook is not widely used. \r\nThe following is an example of a TA2721 attack chain with the identified sample: \r\nSubject: COMPROBANTE DE PAGO LOGSITICA CARACAS CA \r\nSender: logvenccs@doca-safety[.]com \r\nAttachment: comprobante de pago corporacion alfeca, c.a..pdf \r\nPDF: 5eaa1f5305f4c25292dff29257cd3e14ba3f956f6f8ddb206c0ee3e09af8244e \r\nBandook: 561cb93118fef1966a3233ae7ffd31017823dd5aaad5dc1b2542e717055c197a \r\n \r\nFigure 3: TA2721 attack chain. \r\nThe email contains a PDF attachment. A URL inside the PDF leads to a password protected RAR archive. The password for\r\nthe RAR can be found in the initial PDF attachment (123456). Although the threat actors have changed URL shorteners and\r\nC2 domains, the archive password remains the same in every campaign.  \r\n \r\nFigure 4: PDF containing a link to malware hosted on the Spider Oak filesharing service. \r\nThe PDF contains the following URL: \r\nhxxps[:]//bit[.]ly/bcomprob-sbaa1 \r\nWhich directs to: \r\nhxxps[:]//spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMNBSHE2TM/shared/1764556-1-\r\n1104/COMPROBANTE[.]rar?e22cde1331099985a6339fac899e3ebe \r\nAnd downloads COMPROBANTE.rar with the following hash: \r\n 39ce7b1e2dc1d4fe3bee24a9be8bea52bcb9028b50090731e5fff586106c264f \r\nThe extracted file contains the following Bandook executable:  \r\nFilename: COMPROBANTE.exe \r\nHash: 561cb93118fef1966a3233ae7ffd31017823dd5aaad5dc1b2542e717055c197a \r\nThe executable is packed multiple times (e.g. UPX). The strings are base64 encoded and encrypted which makes\r\nit difficult to reverse engineer. 
When executed, it creates a new Internet Explorer process (iexplore.exe) and injects\r\nthe Bandook payload into it. This technique is called process hollowing.  \r\nBandook maintains persistence by creating a copy of itself and adding an entry to the Run keys in the Windows Registry\r\npointing to the copy, which will load every time a user logs on. \r\nKey: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\xxhgjyljicoftqsffwxx \r\nData: C:\\Users\\[user]\\AppData\\Roaming\\xxhgjyljicoftqsffwxx\\xxhgjyljicoftqsffwxx.exe \r\nThe Bandook version used by the Caliente Bandits actor is similar to the one reported by Check Point in November 2020.\r\nThe identified samples also use AES encryption in CFB mode for C2 communication using a hardcoded\r\nkey, and an initialization vector (IV) which is not part of the publicly available Bandook versions. \r\nBandook Configuration \r\nPrimary C2: r3[.]panjo[.]club:7893 \r\nFallback C2: hxxp[:]//ladvsa[.]club/Hayauaia/ \r\nAES_CFB_Key: HuZ82K83ad392jVBhr2Au383Pud82AuF \r\nAES_CFB_IV: 0123456789123456 \r\nSo far Proofpoint has observed only one hardcoded AES key and IV value used by Caliente Bandits. \r\nThe payload connects to the C2 server over TCP and sends AES-encrypted basic information about the infected machine to\r\nthe C2 server. There is a main C2 domain and port, but also at least one fallback C2 server. \r\nExample C2 communication: \r\nAn encrypted TCP beacon is sent to r3[.]panjo[.]club:7893.  \r\nNI3B/VGNQOWJuJcQAnbGe/G61uhAy4GYmdnmFINKBGqWguDaTfoBUpvbIU+eXfiFOuOFhoFBB082Csj3qSZuKOG4HeBWO28K85yCos0NNYO\r\nAnalyst Note: The AES encrypted traffic is always suffixed by “\u0026\u0026\u0026”. \r\nThe decrypted TCP beacon that was sent to r3[.]panjo[.]club:7893:  
\r\n!O12HYV~!22535~!192.168.0.107~!XTWGHENV~!dwrsApXT~!Seven~!0d 3h 24m~!0~!5.2~!JN2021~!0~!0~!0~!0~!~!0~!0--~!None~!0~!21/6/2021~! \r\nThe decoded and decrypted TCP beacon looks like Bandook C2 communication observed in previously reported incidents.\r\nVarious basic system information fields are concatenated with “~!” as the delimiter.  \r\nValue  Purpose \r\nO12HYV  Unknown, possibly unique victim ID \r\n22535  Unknown, possibly a Registry value set for persistence \r\n192[.]168[.]0[.]107  IP address of infected machine \r\nXTWGHENV  Computer name \r\ndwrsApXT  Username \r\nSeven  Operating System (Windows 7, Windows 10, etc.) \r\n0d 3h 24m  Uptime \r\n0  Unknown \r\n5.2  Unknown, possible Bandook versioning \r\nJN2021  Unknown, possible campaign date or ID \r\n21/6/2021  Current date \r\nProofpoint identified a third C2 server which pointed to a localhost address in all Bandook samples associated with\r\nTA2721. \r\nhxxp[:]//localhost:9991/KBL/ \r\nProofpoint believes that this is an artifact of the actor testing the malware that was mistakenly left in by the actor after\r\ntesting and then used against victims in real campaigns. \r\nConclusion  \r\nProofpoint assesses TA2721 will continue to use a limited set of Bandook malware variants, a similar infection chain, and\r\na select few C2 domains. The specific targeting suggests the threat actor conducts some reconnaissance on target entities\r\nbefore sending email threats.  \r\nProofpoint researchers anticipate this actor will continue to use similar email lures, infection chains, and passwords\r\nwhile rotating through C2 domains.  
\r\nIndicators of Compromise (IOCs)  \r\nIOC  \r\nIOC\r\nType  \r\nDescription  \r\nba1355c5e24c431a34bae10915f7cc9b4b1a8843dc79d9c63f1a13f0f9d099f7 \r\nSHA256\r\nHash \r\n“cotizacion corporacion\r\nPDF June 21st  \r\nhxxps[:]//bit[.]ly/acotiz-abaa1  URL  URL inside PDF June 2\r\nhxxps[:]//spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMNBSHE2TM/shared/1764556-\r\n1-1105/COTIZACION 21[.]rar?17afe9bc9463ab5de84bd956cf4dfa9e \r\nURL  Unshortened Bitly URL\r\na37c79c57ae9e2d681e5f9ef92798278d2bec68bcd91f08d96768e3fe8d5af19 \r\nSHA256\r\nHash \r\n“COTIZACION 21.rar”\r\nDownloaded Rar archiv\r\n21st (password: 123456\r\n561cb93118fef1966a3233ae7ffd31017823dd5aaad5dc1b2542e717055c197a \r\nSHA256\r\nHash \r\n“COTIZACION 21.exe\r\ninside Rar June 21st  \r\nr3[.]panjo[.]club:7893  C2 \r\nPrimary C2 of Bandook\r\n21st  \r\nhxxp[:]//ladvsa[.]club/Hayauaia/  C2 \r\nFallback C2 of Bandoo\r\n21st  \r\n5eaa1f5305f4c25292dff29257cd3e14ba3f956f6f8ddb206c0ee3e09af8244e \r\nSHA256\r\nHash \r\n”comprobante de pago \r\nc.a..pdf” PDF June 21st\r\nhxxps[:]//bit[.]ly/bcomprob-sbaa1  URL  URL inside PDF June 2\r\nhxxps[:]//spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMNBSHE2TM/shared/1764556-\r\n1-1104/COMPROBANTE[.]rar?e22cde1331099985a6339fac899e3ebe \r\nURL  Unshortened Bitly URL\r\n39ce7b1e2dc1d4fe3bee24a9be8bea52bcb9028b50090731e5fff586106c264f \r\nSHA256\r\nHash \r\n“COMPROBANTE.rar\r\nDownloaded Rar archiv\r\n21st (password: 123456\r\n561cb93118fef1966a3233ae7ffd31017823dd5aaad5dc1b2542e717055c197a \r\nSHA256\r\nHash \r\n“COMPROBANTE.exe\r\ninside Rar June 21st  \r\nET Signatures    \r\n2003549 - ET MALWARE Bandook v1.2 Initial Connection and Report \r\n2003550 - ET MALWARE Bandook v1.2 Get Processes \r\n2003551 - ET MALWARE Bandook v1.2 Kill Process Command \r\n2003552 - ET MALWARE Bandook v1.2 Reporting Socks Proxy Active 
\r\n2003553 - ET MALWARE Bandook v1.2 Reporting Socks Proxy Off \r\n2003554 - ET MALWARE Bandook v1.2 Client Ping Reply \r\n2003555 - ET MALWARE Bandook v1.35 Initial Connection and Report \r\n2003556 - ET MALWARE Bandook v1.35 Keepalive Send \r\n2003557 - ET MALWARE Bandook v1.35 Keepalive Reply \r\n2003558 - ET MALWARE Bandook v1.35 Create Registry Key Command Send \r\n2003559 - ET MALWARE Bandook v1.35 Create Directory Command Send \r\n2003560 - ET MALWARE Bandook v1.35 Window List Command Send \r\n2003561 - ET MALWARE Bandook v1.35 Window List Reply \r\n2003562 - ET MALWARE Bandook v1.35 Get Processes Command Send \r\n2003563 - ET MALWARE Bandook v1.35 Start Socks5 Proxy Command Send \r\n2003564 - ET MALWARE Bandook v1.35 Socks5 Proxy Start Command Reply \r\n2003565 - ET MALWARE Bandook v1.35 Get Processes Command Reply \r\n2003937 - ET MALWARE Bandook iwebho/BBB-phish trojan leaking user data \r\n2805272 - ETPRO MALWARE Bandook Variant CnC Checkin \r\n2810120 - ETPRO MALWARE Bandook Retrieving Payloads set \r\n2810121 - ETPRO MALWARE Bandook Retrieving Payloads \r\n2810122 - ETPRO MALWARE Bandook Initial HTTP CnC Beacon \r\n2810123 - ETPRO MALWARE Bandook Initial HTTP CnC Beacon Response \r\n2810124 - ETPRO MALWARE Bandook HTTP CnC Beacon M1 \r\n2810125 - ETPRO MALWARE Bandook HTTP CnC Beacon M2 \r\n2810126 - ETPRO MALWARE Bandook HTTP CnC Beacon M3 \r\n2810127 - ETPRO MALWARE Bandook HTTP CnC Beacon Response \r\n2810128 - ETPRO MALWARE Bandook TCP CnC Beacon \r\n2810129 - ETPRO MALWARE Bandook TCP CnC Beacon Response \r\n2814671 - ETPRO MALWARE Bandook Retrieving Payload (cap) \r\n2814672 - ETPRO MALWARE Bandook Retrieving Payload (tv) \r\n2839949 - ETPRO MALWARE Bandook v0.5FM TCP CnC Beacon \r\n2841218 - ETPRO MALWARE Bandook TCP CnC Beacon \r\n2841802 - ETPRO MALWARE Suspected Bandook CnC M1 \r\n2841803 - ETPRO 
MALWARE Suspected Bandook CnC Response \r\n2845793 - ETPRO MALWARE Suspected Bandook CnC M2 \r\n2848605 - ETPRO MALWARE Bandook TCP CnC Beacon Keep-Alive (Inbound) \r\n2848616 - ETPRO MALWARE Bandook TCP CnC Beacon Keep-Alive (Inbound) \r\n2848728 - ETPRO MALWARE Bandook v0.5FM TCP CnC Beacon M2 \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook"
	],
	"report_names": [
		"new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook"
	],
	"threat_actors": [
		{
			"id": "8c13dbc9-7555-4c84-a414-2aba8422cf52",
			"created_at": "2024-01-23T13:22:35.083516Z",
			"updated_at": "2026-04-10T02:00:03.521023Z",
			"deleted_at": null,
			"main_name": "Caliente Bandits",
			"aliases": [
				"TA2721"
			],
			"source_name": "MISPGALAXY:Caliente Bandits",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434033,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd3af30c6b21e69774d37aa160dc003819c9c5ce.pdf",
		"text": "https://archive.orkl.eu/dd3af30c6b21e69774d37aa160dc003819c9c5ce.txt",
		"img": "https://archive.orkl.eu/dd3af30c6b21e69774d37aa160dc003819c9c5ce.jpg"
	}
}