{
	"id": "b701fcc9-88f1-4fcd-a3ab-6ad970244861",
	"created_at": "2026-04-06T00:10:33.915663Z",
	"updated_at": "2026-04-10T03:34:16.004527Z",
	"deleted_at": null,
	"sha1_hash": "fb43b76181d62bfbef24e8304eb674a9be4a5e6e",
	"title": "Bandidos at large: A spying campaign in Latin America",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1013801,
	"plain_text": "Bandidos at large: A spying campaign in Latin America\r\nBy Fernando TavellaMatías Porolli\r\nArchived: 2026-04-02 10:55:51 UTC\r\nIn 2021 we detected an ongoing campaign targeting corporate networks in Spanish-speaking countries, with 90% of\r\nthe detections in Venezuela. When comparing the malware used in this campaign with what was previously\r\ndocumented, we found new functionality and changes to this malware, known as Bandook. We also found that this\r\ncampaign targeting Venezuela, despite being active since at least 2015, has somehow remained undocumented. Given\r\nthe malware used and the targeted locale, we chose to name this campaign Bandidos.\r\nBandook is an old remote access trojan: there are references to it being available online as early as 2005, though its\r\nuse by organized groups was not documented until 2016. The report published that year by EFF, Operation Manul,\r\ndescribes the use of Bandook to target journalists and dissidents in Europe. Then in 2018, Lookout published its\r\nresearch uncovering other espionage campaigns that had different targets but used the same infrastructumre. They\r\ngave the name Dark Caracal to the group responsible for the attacks. Finally, Check Point’s report in 2020 showed\r\nthat the attackers started to use signed executables to target many verticals in various countries.\r\nPrevious reports have mentioned that the developers of Bandook might be developers for hire (also known as\r\n“malware as a service”), which makes sense given the various campaigns with different targets seen through the\r\nyears. We must note, however, that in 2021 we have seen only one active campaign: the one targeting Spanish-speaking countries that we document here.\r\nAlthough we have seen more than 200 detections for the malware droppers in Venezuela in 2021, we have not\r\nidentified a specific vertical targeted by this malicious campaign. 
According to our telemetry data, the main interests\r\nof the attackers are corporate networks in Venezuela; some in manufacturing companies, others in construction,\r\nhealthcare, software services, and even retail. Given the capabilities of the malware and the kind of information that\r\nis exfiltrated, it seems like the main purpose of these Bandidos is to spy on their victims. Their targets and their\r\nmethod of approaching them are more similar to cybercrime operations than to APT activities such as Operation\r\nManul.\r\nAttack overview\r\nMalicious emails with a PDF attachment are sent to targets. The PDF file contains a link to download a compressed\r\narchive and the password to extract it. Inside the archive there is an executable file: a dropper that injects Bandook\r\ninto an Internet Explorer process. Figure 1 provides an overview of this attack chain.\r\nhttps://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/\r\nPage 1 of 22\n\nFigure 1. Overview of a typical attack\r\nEmails that contain these attachments are usually short; one example is shown in Figure 2. The phone number at the\r\nbottom of the message is a mobile number in Venezuela, though it is unlikely to be related to the attackers.\r\nFigure 2. Example of a malicious email\r\nThe attackers use URL shorteners such as Rebrandly or Bitly in their PDF attachments. The shortened URLs redirect\r\nto cloud storage services such as Google Cloud Storage, SpiderOak, or pCloud, from where the malware is\r\ndownloaded.\r\nFigure 3 and Figure 4 are examples of PDFs used in this campaign. The images used in the PDFs are stock images\r\navailable online.\r\nFigure 3. 
Example of a malicious PDF file\r\nFigure 4. Another PDF file used for social engineering\r\nThe content of the PDF files is generic and has been used with various filenames that change between targets. The\r\npassword for the downloaded archive is 123456.\r\nFor a list of URLs used to download the malware please refer to the section Indicators of Compromise (IoCs).\r\nDropper\r\nBandook is hybrid Delphi/C++ malware. The dropper is coded in Delphi and is easily recognizable because it stores\r\nthe payload encrypted and base64-encoded in the resource section of the file. The main purpose of the dropper is to\r\ndecode, decrypt and run the payload and to make sure that the malware persists on a compromised system. The\r\nencryption algorithm was CAST-256 in samples from previous years of this campaign, but changed to GOST in\r\n2021.\r\nWhen the dropper is executed, it creates four instances of iexplore.exe, into which the payload is injected via process\r\nhollowing. Then four entries are created in the Windows registry under\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion. The names of these registry entries are based on the process ID\r\n(PID) of each of the newly created processes, and their data is base64-encoded and contains the path to the\r\ndropper, a number that identifies the action to perform (explained later), and another value that isn’t used in the\r\nsamples that we analyzed. The created entries are shown in Figure 5, along with an example of a decoded value.\r\nFigure 5. 
Registry keys created by the dropper with an example of a stored value (decoded)\r\nSamples from other campaigns follow the same logic, but they use other encryption algorithms.\r\nPayload\r\nWhen the payload is injected into the iexplore.exe processes, it starts by loading global variables used for various\r\npurposes:\r\nNames for mutexes\r\nNames for Windows registry keys\r\nURLs used for:\r\nC\u0026C communication\r\nDownloading malicious DLLs\r\nParameters to some DLL functions\r\nFilenames, for example for persistence\r\nVariables used as parameters for some DLL functions\r\nPaths for downloaded files\r\nPayload execution date\r\nOnce the payload has finished loading the global variables, it continues by obtaining the PID of the process it was\r\ninjected into. This PID is used to look up the base64-encoded data created by the dropper, mentioned above. Once the\r\ndata is retrieved, the payload decodes it and extracts the action identifier (see Figure 5) from it. This value\r\nindicates the action it must perform.\r\nDepending on the obtained value, the payload is capable of performing four different actions.\r\nIf the value is 0:\r\nCreates a Windows registry key with the name mep\r\nTries to download two DLLs from a URL in the global variables\r\nTries to load these DLLs into memory\r\nCreates different threads to invoke some of these DLLs’ functions\r\nStarts active communication with the C\u0026C server\r\nIf the value is 1:\r\nEstablishes persistence on the victim’s machine; this will be explained in the Registry and persistence section.\r\nIf the value is 2:\r\nCreates a Windows registry key with the name api\r\nSearches for one of the downloaded DLLs, named dec.dll; if it exists, loads it into memory and calls the\r\nexport Init, which creates five folders used for different purposes – for example, to save encrypted logs\r\nin the 
Bandook persisted folder mentioned in the Registry and persistence section.\r\nIf the value is 3:\r\nCreates a registry key with the name pim\r\nChecks whether persistence succeeded; if not, establishes persistence in the folder mentioned in the\r\nRegistry and persistence section.\r\nFigure 6 depicts a decompilation of this payload-handling code.\r\nFigure 6. Payload logic to execute different actions depending on the value obtained from the registry\r\nTwo DLLs can be downloaded by the first action mentioned above or during communication with the C\u0026C server,\r\nand they are named dec.dll and dep.dll (the internal name of the first one is capmodule.dll).\r\ndec.dll has a set of functions that enable spying on the victim’s machine. Some of these functions are capable of\r\ndropping a malicious Google Chrome extension, and of stealing information from a USB drive. Meanwhile, dep.dll,\r\nwhich we weren’t able to obtain, has a set of functions that seem to be related to handling files in various formats:\r\nMP1\r\nMP3\r\nMP4\r\nMP5\r\nMP6\r\nFigure 7 shows part of the decompiled code that loads dec.dll into memory. Figure 8 shows the code related to\r\ndep.dll.\r\nFigure 7. Dynamic load of dec.dll into memory\r\nFigure 8. Dynamic load of dep.dll into memory\r\nRegistry and persistence\r\nThe payload achieves persistence on the victim’s machine by copying the dropper into a new folder, created by the\r\npayload at a path of the form:\r\n%APPDATA%\\\u003cRANDOM_STRING\u003e\\\u003cRANDOM_STRING\u003e.exe\r\nBoth the persisted dropper and the folder use the same name, which is a random string generated by the payload. 
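Triage helpers for the two registry artifacts described above (the PID-named base64 values the dropper writes under the CurrentVersion key, and the autostart value that launches the persisted copy from a folder under %APPDATA% whose name equals the executable name), as an added example that is not part of the ESET report. The input is a list of (key path, value name, data) triples such as a registry export would give. The sample entries are constructed; the Run value being named after the random string, and the '|' separator inside the decoded dropper value, are assumptions (the report only shows the decoded value in Figure 5, which is not reproduced here). Paths are written with forward slashes for readability; PureWindowsPath and the key normaliser accept backslashes too.

```python
# Added example, not code from the ESET report: registry triage for the two
# Bandook artifacts described above. Sample entries are constructed.
import base64
import re
from pathlib import PureWindowsPath

BACKSLASH = chr(92)  # written this way so the snippet carries no backslash literals


def _norm(key):
    # Accept either separator in registry key paths and compare case-insensitively.
    return key.replace(BACKSLASH, '/').strip('/').lower()


# Autostart locations named in the report (Run key plus the two Windows NT keys).
AUTOSTART_KEYS = frozenset(_norm(k) for k in (
    'HKCU/Software/Microsoft/Windows/CurrentVersion/Run',
    'HKCU/Software/Microsoft/Windows NT/CurrentVersion/Windows',
    'HKCU/Software/Microsoft/Windows NT/CurrentVersion/Winlogon',
))
# Key where the dropper stores one base64 value per hollowed iexplore.exe, named by PID.
DROPPER_KEY = _norm('HKCU/Software/Microsoft/Windows/CurrentVersion')


def looks_like_bandook_persistence(command):
    # True when the command launches %APPDATA%/<X>/<X>.exe: folder name equals exe name
    # and the folder sits directly under Roaming (or an unexpanded %APPDATA%).
    text = command.strip().strip(chr(34))           # chr(34) is a double quote
    m = re.match(r'(?i)(.*?[.]exe)', text)          # path up to the first .exe, args dropped
    if not m:
        return False
    p = PureWindowsPath(m.group(1))
    anchor = p.parent.parent.name.lower()
    return (anchor in ('roaming', '%appdata%')
            and p.stem.lower() == p.parent.name.lower())


def find_persistence(entries):
    # entries: iterable of (key_path, value_name, data) as from a registry export.
    return [(k, n, d) for k, n, d in entries
            if _norm(k) in AUTOSTART_KEYS and looks_like_bandook_persistence(d)]


def find_dropper_markers(entries):
    # Values under CurrentVersion whose name is a PID and whose base64-decoded data
    # contains an .exe path. The separator between path, action number and third
    # field is not shown on the page, so only the path is looked for.
    hits = []
    for k, n, d in entries:
        if _norm(k) != DROPPER_KEY or not n.isdigit():
            continue
        try:
            decoded = base64.b64decode(d, validate=True).decode('latin-1')
        except ValueError:
            continue
        if '.exe' in decoded.lower():
            hits.append((int(n), decoded))
    return hits


# Constructed sample: one benign Run entry, one matching the Bandook pattern, one
# PID-named dropper value (assumed '|' separator) and one unrelated value.
SAMPLE_ENTRIES = [
    ('HKCU/Software/Microsoft/Windows/CurrentVersion/Run', 'OneDrive',
     'C:/Users/victim/AppData/Local/Microsoft/OneDrive/OneDrive.exe /background'),
    ('HKCU/Software/Microsoft/Windows/CurrentVersion/Run', 'Ixaakiiumcicbcpspmof',
     'C:/Users/victim/AppData/Roaming/Ixaakiiumcicbcpspmof/Ixaakiiumcicbcpspmof.exe'),
    ('HKCU/Software/Microsoft/Windows/CurrentVersion', '2608',
     base64.b64encode(b'C:/Users/victim/Downloads/Lista_de_precios.exe|0|0').decode()),
    ('HKCU/Software/Microsoft/Windows/CurrentVersion', 'NotAPid', 'QUJD'),
]

if __name__ == '__main__':
    for hit in find_persistence(SAMPLE_ENTRIES):
        print('autostart:', hit)
    for pid, decoded in find_dropper_markers(SAMPLE_ENTRIES):
        print('dropper marker for PID %d: %s' % (pid, decoded))
```

The folder-equals-executable test is deliberately narrow: plenty of legitimate software lives under Roaming, but a directory created only to hold a same-named executable, referenced from a Run value, is the exact shape the payload leaves. The PID-named values are a lower-confidence signal on their own (the decoded format is only partly documented), so the two checks are best reported together.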
The\r\nscreenshot in Figure 9 shows the registry value created by the payload to maintain persistence.\r\nFigure 9. Malware persistence in the registry\r\nWe have also detected other values created by the payload in the Windows registry that relate to its behavior,\r\nsuch as: the name used for persistence, a random number used as an ID to identify the victim’s machine, possible\r\nfilenames (these files can be downloaded by the payload or created by itself), and the infection date, among other things.\r\nTable 1 contains the registry entries created by the payload during our analysis, with a brief description of each.\r\nTable 1. Registry entries created by one of the analyzed Bandook samples\r\nRegistry path | Key | Value | Description\r\nHKCU\\Software\\ | der333f | Ixaakiiumcicbcpspmof | Random string used for persistence\r\nHKCU\\Software\\ | FDFfda | 5/5/2021 | Compromise date\r\nHKCU\\Software\\ | NVhfhfjs | \u003cRANDOM_NUMBER\u003e | Used to identify the victim’s machine\r\nHKCU\\Software\\VBffhdfhf | AMMY132 | \u003cRANDOM_NUMBER\u003e.exe | Related to the export method ExecuteAMMMY from dec.dll\r\nHKCU\\Software\\VBffhdfhf | gn | \u003cRANDOM_NUMBER\u003e.exe | Related to a new file downloaded during the download of the DLLs, before the connection to the C\u0026C server\r\nHKCU\\Software\\VBffhdfhf | idate | 05.05.2021 | Compromise date\r\nHKCU\\Software\\VBffhdfhf | mep | 2608 | Process ID of the payload used for the communication with the C\u0026C server\r\nHKCU\\Software\\VBffhdfhf | rno1 | \u003cRANDOM_NUMBER\u003e.exe | Can be used to rename a downloaded file through the C\u0026C communication\r\nHKCU\\Software\\VBffhdfhf | tvn | \u003cRANDOM_NUMBER\u003e.dce | Related to the export method ExecuteTVNew from dec.dll\r\nHKCU\\Software\\VBffhdfhf | api | 2716 | Process ID of one of the payloads, used to install the external DLLs\r\nHKCU\\Software\\VBffhdfhf | pim | 2732 | Process ID of one of the payloads, which checks the malware persistence\r\nHKCU\\Software\\VBffhdfhf | DRT3 | 1 | Related to the export ChromeInject from 
dec.dll\r\nOther registry locations that can be used to achieve persistence on the victim’s machine are:\r\nHKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\r\nHKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nNetwork communication\r\nThe communication begins by resolving the IP address of a domain (d2.ngobmc[.]com) stored in the global\r\nvariables and then establishing a TCP connection to that address on a four-digit port number that changes according\r\nto the campaign. Once the payload establishes this connection, it sends basic information about the victim’s machine,\r\nsuch as computer name, username, OS version, infection date, and malware version.\r\nAfter that, the payload maintains active communication with the C\u0026C server, waiting for commands to execute.\r\nIn many cases the information sent to the C\u0026C server is encrypted using AES in CFB mode\r\nwith the key HuZ82K83ad392jVBhr2Au383Pud82AuF, but in other cases the information is sent as cleartext.\r\nThe following is an example of the basic information exfiltrated to the C\u0026C server, before it is encrypted:\r\n!O12HYV~!2870~!0.0.0.0~!Computer~!Administrator~!Ten~!0d 14h 2m~!0~!5.2~!FB2021~!0~!0~!0~!0~!~!0~!0--~!None~!0~!5/5/2021~!\r\nOf particular interest are the fields:\r\n!O12HYV: Hardcoded value\r\n2870: Victim’s ID generated by the malware\r\n0.0.0.0: Victim’s IP address (fake value for privacy reasons)\r\nComputer: Computer name\r\nAdministrator: Username\r\nTen: OS version\r\n5.2: Malware version\r\nFB2021: Campaign ID\r\n5/5/2021: Date of compromise\r\nFigure 10 and Figure 11 are Wireshark screenshots displaying two different examples of encrypted and cleartext\r\ntransmission of information sent to the C\u0026C 
server.\r\nFigure 10. Traffic capture with encrypted information sent to the C\u0026C server\r\nFigure 11. Traffic capture with cleartext information sent to the C\u0026C server\r\nRegarding the commands that the payload is capable of processing, we found that this sample has 132 commands,\r\nalthough some of these have very similar behaviors. These commands use the following pattern: @\u003cID\u003e – for\r\nexample, @0001 – except for the *DJDSR^ command. Depending on the received command, the payload is capable\r\nof performing the following actions:\r\nObtain information about the victim’s drive units:\r\nHDD\r\nCD-ROM\r\nUSB\r\nList the contents of a specific directory:\r\nFolders\r\nFiles\r\nFile manipulation:\r\nRead\r\nMove\r\nDelete\r\nRename\r\nTake screenshots\r\nControl the cursor on the victim’s machine:\r\nMove it to a specific position\r\nPerform left or right clicks\r\nInstall or uninstall the malicious DLLs (dec.dll or dep.dll)\r\nClose some connections previously opened by the payload\r\nKill running processes or threads\r\nPop up a message using MessageBoxA\r\nSend files to the C\u0026C server\r\nInvoke DLL functions (dec.dll or dep.dll)\r\nWindows registry manipulation:\r\nCheck the existence of a registry key or value\r\nCreate a registry key or value\r\nDelete a registry key or value\r\nUninstall the malware\r\nDownload a file from a URL\r\nExecute downloaded files using the function ShellExecuteW\r\nObtain the victim’s public IP address\r\nSkype manipulation:\r\nStop the process\r\nCheck the existence of the main.db file\r\nStop the TeamViewer process and invoke a function from dec.dll named ExecuteTVNew\r\nCheck whether Java is installed on the victim’s machine\r\nExecute files with extension .pyc or .jar using 
Python or Java.\r\nHere is a list of what dec.dll is capable of doing on the victim’s machine:\r\nChrome browser manipulation\r\nFile manipulation:\r\nCompress a file\r\nSplit a file\r\nSearch for a file\r\nUpload a file\r\nSend files to the C\u0026C server\r\nUSB manipulation\r\nGet Wi-Fi connections\r\nStart a shell\r\nDDoS\r\nSign out from Skype\r\nManipulate the victim’s screen\r\nManipulate the victim’s webcam\r\nRecord sound\r\nExecute malicious programs\r\nDLL analysis – ChromeInject functionality\r\nWhen communication with the C\u0026C server is established, as mentioned above, the payload downloads\r\ndec.dll. We analyzed one of its most interesting exported methods, named ChromeInject.\r\nThis method creates a malicious Chrome extension by:\r\nTerminating the chrome.exe process if it is running\r\nCreating a folder under %APPDATA%\\OPR\\\r\nCreating two files:\r\n%APPDATA%\\OPR\\Main.js\r\n%APPDATA%\\OPR\\Manifest.json\r\nEnabling developer mode of Google Chrome by manipulating the preferences file located under:\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\r\nObtaining the Google Chrome executable path from the registry, in this case from:\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\chrome.exe\r\nLaunching Google Chrome\r\nInvoking Windows APIs such as GetForegroundWindow, SetClipboardData, and keybd_event to load the\r\nmalicious Chrome extension by simulating a user installation; it:\r\nLoads chrome://extensions into the clipboard and pastes it by sending Ctrl+V keystrokes\r\nSends Tab keystrokes to select the Load unpacked option\r\nLoads the path to the OPR folder into the clipboard and pastes it by sending Ctrl+V keystrokes\r\nThis malicious extension tries to retrieve any credentials that the victim submits to a URL by reading the values\r\ninside the form tag before they are sent. 
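The check-in record quoted in the Network communication section above, as an added example that is not part of the ESET report: a decoder that tells cleartext check-ins from encrypted ones, splits a cleartext record on the ~! delimiter and names the fields the report labels. The sample record is the one from that section (with its 0.0.0.0 placeholder address); positions the report does not label are reported as field_N rather than guessed, and decryption of the AES-CFB form is not attempted because the page gives the key but neither the IV nor the CFB segment size.

```python
# Added example, not code from the ESET report: decoder for the cleartext
# Bandook check-in record described in the Network communication section.
import re

DELIM = '~!'            # field delimiter used by the payload
MARKER = '!O12HYV'      # hardcoded first field of the check-in
SUFFIX = '&&&'          # terminator appended to encrypted transmissions

# Field positions the report labels (0-based index into the ~!-split record).
# Unlabelled positions are reported as field_<n>; their meaning is not given.
LABELLED = {
    0: 'marker', 1: 'victim_id', 2: 'ip', 3: 'computer', 4: 'username',
    5: 'os', 8: 'malware_version', 9: 'campaign_id', 19: 'compromise_date',
}

# The annotated record from the report, with the fake 0.0.0.0 address kept.
SAMPLE_BEACON = ('!O12HYV~!2870~!0.0.0.0~!Computer~!Administrator~!Ten~!0d 14h 2m'
                 '~!0~!5.2~!FB2021~!0~!0~!0~!0~!~!0~!0--~!None~!0~!5/5/2021~!')


def classify(raw):
    # Tell a cleartext check-in from an encrypted one on the wire.
    text = raw.decode('latin-1') if isinstance(raw, bytes) else raw
    if text.startswith(MARKER):
        return 'cleartext'
    if text.endswith(SUFFIX):
        return 'encrypted'
    return 'unknown'


def parse_beacon(text):
    # Split on ~!, drop the empty element left by the trailing delimiter, and
    # name the fields the report documents.
    if not text.startswith(MARKER):
        raise ValueError('not a cleartext Bandook check-in')
    fields = text.split(DELIM)
    if fields and fields[-1] == '':
        fields.pop()
    rec = {'field_count': len(fields)}
    for i, value in enumerate(fields):
        rec[LABELLED.get(i, 'field_%d' % i)] = value
    return rec


def is_plausible_beacon(rec):
    # Cheap sanity checks so a stray ~! in unrelated traffic is not reported.
    return (rec.get('victim_id', '').isdigit()
            and re.fullmatch(r'[0-9]+([.][0-9]+)*', rec.get('malware_version', '')) is not None
            and re.fullmatch(r'[A-Za-z0-9_-]+', rec.get('campaign_id', '')) is not None
            and rec.get('compromise_date', '') != '')


def summarize(raw):
    # One tuple per check-in, in the shape you would hand to a SIEM enrichment step;
    # None for encrypted or unrecognised payloads.
    if classify(raw) != 'cleartext':
        return None
    rec = parse_beacon(raw.decode('latin-1') if isinstance(raw, bytes) else raw)
    if not is_plausible_beacon(rec):
        return None
    return (rec['victim_id'], rec['computer'], rec['username'], rec['os'],
            rec['malware_version'], rec['campaign_id'], rec['compromise_date'])


if __name__ == '__main__':
    print(summarize(SAMPLE_BEACON))
```

The marker and the trailing &&& are the two cheap wire-level anchors: a content match on !O12HYV near the start of a TCP payload to the four-digit C&C ports catches the cleartext variant, while the &&& terminator on an otherwise high-entropy payload is the only visible hint of the encrypted variant. The plausibility checks keep the ~! split from firing on unrelated traffic that happens to contain the two-character sequence.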
These credentials are stored in Chrome’s local storage under the key batata13,\r\nand the URL they were sent to under the key batata14. This information is exfiltrated to\r\na different URL located in the global variables of the payload. In our sample this URL was:\r\nhttps://pronews[.]icu/gtwwfggg/get.php?action=gc1\r\nFigure 12 shows the installed malicious Chrome extension.\r\nFigure 12. Malicious extension created by the malware\r\nFigure 13 and Figure 14 are screenshots displaying the Manifest.json and the Main.js (deobfuscated)\r\nsource code, respectively.\r\nFigure 13. Manifest file of the malicious extension\r\nFigure 14. Main.js file with malicious code deobfuscated\r\nOverlaps and differences with other campaigns\r\nWe compared the behavior of our analyzed sample against other posts and documented campaigns such as Operation\r\nManul and Dark Caracal, and there are some similarities:\r\nThe payloads use the same encryption algorithm for communication with the C\u0026C server, AES in CFB mode.\r\nThe encrypted information sent to the C\u0026C server is terminated with the string \u0026\u0026\u0026.\r\nThe payloads use the string ~! as a delimiter for the information sent or received.\r\nTwo samples included in the Operation Manul report (SHA-1:\r\nADB7FC1CC9DD76725C1A81C5F17D03DE64F73296 and\r\n916DF5B73B75F03E86C78FC3D19EF5D2DC1B7B92) seem to be connected to the Bandidos campaign,\r\naccording to our telemetry data. 
The campaign IDs for these samples (January 2015 v3 and JUNE 2015\r\nTEAM) show how far back in time the campaigns go.\r\nAll the samples included in Check Point’s report as “Full Version” in fact target Venezuela and are part of the\r\nBandidos campaign.\r\nThe dropper uses the process hollowing technique to inject the payloads.\r\nWe also found some differences, showing changes to the malware over the years:\r\nThe dropper, for this campaign, changed its encryption algorithm from CAST-256 to GOST.\r\nIt seems that the malware now has only two DLLs for all its extra functionality instead of the five DLLs\r\nmentioned in the Operation Manul report.\r\nTwo new export methods have been added to dec.dll, named GenerateOfflineDB and RECSCREEN.\r\nThis latest sample contains 132 commands, instead of the 120 commands mentioned in Check Point’s report.\r\nUnlike the smaller executables described in Check Point’s report, which are signed and seem to be part of a\r\ndifferent campaign, these samples are unsigned executables.\r\nThere is a command with the string AVE_MARIA, which has been used in many RATs (for example, Warzone\r\nRAT).\r\nConclusion\r\nBandook is a RAT active since 2005. Its involvement in different espionage campaigns, already documented, shows\r\nthat it is still a relevant tool for cybercriminals. 
Also, the modifications made to the malware over\r\nthe years show that cybercriminals remain interested in using it in malicious campaigns,\r\nmaking it more sophisticated and more difficult to detect.\r\nAlthough there are few documented campaigns in Latin America, such as Machete or Operation Spalax, Venezuela is\r\na country that, due to its geopolitical situation, is a likely target for cyberespionage.\r\nA full and comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub\r\nrepository.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nIndicators of Compromise (IoCs)\r\nC\u0026C servers\r\nd1.ngobmc[.]com:7891 - 194.5.250[.]103\r\nd2.ngobmc[.]com:7892 - 194.5.250[.]103\r\nr2.panjo[.]club:7892 - 45.142.214[.]31\r\npronews[.]icu - 194.36.190[.]73\r\nladvsa[.]club - 45.142.213[.]108\r\nSamples\r\nSHA-1 | ESET detection name | Description\r\n4B8364271848A9B677F2B4C3AF4FE042991D93DF | PDF/TrojanDownloader.Agent.AMF | Malicious email\r\nF384BDD63D3541C45FAD9D82EF7F36F6C380D4DD | PDF/TrojanDownloader.Agent.AMF | Malicious PDF\r\nA06665748DF3D4DEF63A4DCBD50917C087F57A27 | PDF/Phishing.F.Gen | Malicious PDF\r\n89F1E932CC37E4515433696E3963BB3163CC4927 | Win32/Bandok.NAT | Dropper\r\n124ABF42098E644D172D9EA69B05AF8EC45D6E49 | Win32/Bandok.NAT | Dropper\r\nAF1F08A0D2E0D40E99FCABA6C1C090B093AC0756 | Win32/Bandok.NAT | Dropper\r\n0CB9641A9BF076DBD3BA38369C1C16FCDB104FC2 | Win32/Bandok.NAT | Payload\r\nD32E7178127CE9B217E1335D23FAC3963EA73626 | Win32/Bandok.NAT | Payload\r\n5F58FCED5B53D427B29C1796638808D5D0AE39BE | Win32/Bandok.NAT | Payload\r\n1F94A8C5F63C0CA3FCCC1235C5ECBD8504343437 | - | dec.dll (encrypted)\r\n8D2B48D37B2B56C5045BCEE20904BCE991F99272 | JS/Kryptik.ALB | Main.js\r\nDownload 
URLs\r\nhttps://rebrand[.]ly/lista-de-precios-2021\r\nhttps://rebrand[.]ly/lista-de-precios-01\r\nhttps://rebrand[.]ly/Lista-de-Precios\r\nhttps://rebrand[.]ly/lista-de-precios-actualizada\r\nhttps://rebrand[.]ly/Lista-de-precio-1-actualizada\r\nhttps://rebrand[.]ly/Lista-de-precios-2-actualizada\r\nhttps://rebrand[.]ly/Precios-Actualizados\r\nhttps://rebrand[.]ly/recibo-de-pago-mes-03\r\nhttps://rebrand[.]ly/Factura-001561493\r\nhttps://rebrand[.]ly/Comunicado_Enero\r\nhttps://rebrand[.]ly/Comunicado-23943983\r\nhttps://rebrand[.]ly/Cotizacion-de-productos\r\nhttps://rebrand[.]ly/informacion_bonos_productividad\r\nhttps://rebrand[.]ly/aviso-de-cobro\r\nhttps://bit[.]ly/lista-de-precios2\r\nhttp://bit[.]ly/2yftKk3\r\nhttps://bitly[.]com/v-coti_cion03\r\nhttps://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMMZXG4ZTM/shared/1759328-1-1050/Cotizacion nuevas.rar?ad16ce86ca4bb1ff6ff0a7172faf2e05\r\nhttps://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMMRSHA4DA/shared/1744230-1-1028/Lista%20de%20Precios.rar?cd05638af8e76da97e66f1bb77d353eb\r\nhttps://filedn[.]com/lpBkXnHaBUPzXwEpUriDSr4/Lista_de_precios.rar\r\nhttps://filedn[.]com/l9nI3nYhBEH5QqSeMUzzhMb/Facturas/Lista_de_Precios.rar\r\nOlder C\u0026C 
servers\r\nd1.p2020[.]club:5670\r\nd2.p2020[.]club:5671\r\ns1.fikofiko[.]top:5672\r\ns2.fikofiko[.]top:5673\r\ns3.fikofiko[.]top:5674\r\ns1.megawoc[.]com:7891\r\ns2.megawoc[.]com:7892\r\ns3.megawoc[.]com:7893\r\nhellofromtheotherside[.]club:6792\r\nmedialog[.]top:3806\r\nnahlabahla.hopto[.]org:9005\r\ndianaojeil.hopto[.]org:8021\r\nnathashadarin.hopto[.]org:8022\r\nlaraasaker.hopto[.]org:5553\r\nmayataboush.hopto[.]org:5552\r\njhonny1.hopto[.]org:7401\r\nj2.premiumdns[.]top:7402\r\nj3.newoneok[.]top:9903\r\np2020[.]xyz\r\nvdsm[.]xyz\r\nwww.blueberry2017[.]com\r\nwww.watermelon2017[.]com\r\nwww.orange2017[.]com\r\ndbclave[.]info\r\npanel.newoneok[.]top\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 9 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Bandook operators have used emails with PDF files attached that contain links to download malware.\r\nExecution | T1204.001 | User Execution: Malicious Link | Bandook operators have used malicious links to download malware.\r\n | T1204.002 | User Execution: Malicious File | Bandook operators have attempted to get victims to execute malicious files.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Bandook operators encrypt the payload hidden in the dropper.\r\n | T1055.012 | Process Injection: Process Hollowing | Bandook operators use process hollowing to inject the payload into legitimate processes.\r\n | T1112 | Modify Registry | Bandook operators have attempted to modify registry entries to hide information.\r\n | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Bandook operators have attempted to create a Run registry key.\r\nDiscovery | T1057 | Process 
Discovery | Bandook uses Windows API functions to discover running processes on victims’ machines.\r\n | T1083 | File and Directory Discovery | Bandook operators try to discover files or folders from a specific path.\r\nCollection | T1025 | Data from Removable Media | Bandook operators try to read data from removable media.\r\n | T1056.001 | Input Capture: Keylogging | Bandook operators may try to capture user keystrokes to obtain credentials.\r\n | T1113 | Screen Capture | Bandook can take screenshots from the victim’s machine.\r\n | T1123 | Audio Capture | Bandook can record audio from the victim’s machine.\r\n | T1125 | Video Capture | Bandook can record video from the webcam.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Bandook uses AES for encrypting C\u0026C communications.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Bandook exfiltrates information over the same channel used for C\u0026C.\r\n | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Bandook exfiltrates information using a malicious URL via HTTPS.\r\nSource: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/"
	],
	"report_names": [
		"bandidos-at-large-spying-campaign-latin-america"
	],
	"threat_actors": [
		{
			"id": "d303c77e-0110-471b-a3a6-37fce9ac848d",
			"created_at": "2022-10-25T15:50:23.342452Z",
			"updated_at": "2026-04-10T02:00:05.373848Z",
			"deleted_at": null,
			"main_name": "Machete",
			"aliases": [
				"APT-C-43",
				"El Machete"
			],
			"source_name": "MITRE:Machete",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "64d750e4-67db-4461-bae2-6e75bfced852",
			"created_at": "2022-10-25T16:07:24.01415Z",
			"updated_at": "2026-04-10T02:00:04.839502Z",
			"deleted_at": null,
			"main_name": "Operation Spalax",
			"aliases": [],
			"source_name": "ETDA:Operation Spalax",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"Jorik",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4347dfe-2489-4fe4-8097-f4be33aadac2",
			"created_at": "2022-10-25T16:07:23.973289Z",
			"updated_at": "2026-04-10T02:00:04.815324Z",
			"deleted_at": null,
			"main_name": "Operation Manul",
			"aliases": [],
			"source_name": "ETDA:Operation Manul",
			"tools": [
				"Bandok",
				"Bandook",
				"JRat",
				"Jacksbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8de10e16-817c-4907-bd98-b64cf4a3e77b",
			"created_at": "2022-10-25T15:50:23.552766Z",
			"updated_at": "2026-04-10T02:00:05.362919Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"Dark Caracal"
			],
			"source_name": "MITRE:Dark Caracal",
			"tools": [
				"FinFisher",
				"CrossRAT",
				"Bandook"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4a62c0be-1583-4d82-8f91-46e3a1c114e6",
			"created_at": "2023-01-06T13:46:38.73639Z",
			"updated_at": "2026-04-10T02:00:03.083265Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"G0070"
			],
			"source_name": "MISPGALAXY:Dark Caracal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af704c54-a580-4c29-95f2-82db06fbb6f9",
			"created_at": "2022-10-25T16:07:23.525064Z",
			"updated_at": "2026-04-10T02:00:04.64019Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"ATK 27",
				"G0070",
				"Operation Dark Caracal",
				"TAG-CT3"
			],
			"source_name": "ETDA:Dark Caracal",
			"tools": [
				"Bandok",
				"Bandook",
				"CrossRAT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Pallas",
				"Trupto"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434233,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb43b76181d62bfbef24e8304eb674a9be4a5e6e.pdf",
		"text": "https://archive.orkl.eu/fb43b76181d62bfbef24e8304eb674a9be4a5e6e.txt",
		"img": "https://archive.orkl.eu/fb43b76181d62bfbef24e8304eb674a9be4a5e6e.jpg"
	}
}