
From Brazil with Love: New Tactics from Lampion

Severity: Medium
Published: Fri Oct 31 2025 (10/31/2025, 09:33:16 UTC)
Source: AlienVault OTX General

Description

The Lampion banking trojan campaign, active since at least 2019, is a sophisticated spam operation originating from Brazil that reaches victims primarily through malicious email attachments and ClickFix-themed lures. The infection chain uses multiple stages of obfuscated Visual Basic scripts to deploy an updated Lampion Stealer. The threat actors employ evasion tactics such as IP blacklisting and large file sizes to hinder analysis, and they spread their infrastructure across multiple cloud providers so that it stays distributed and ephemeral. The campaign's domains mimic Portuguese tax authorities and finance portals, indicating a focus on Portuguese-speaking European countries. Although no CVSS score is assigned, the threat poses a medium severity risk due to its potential to steal sensitive banking credentials and personal data, combined with its persistence and stealth. European organizations, especially in Portugal, are at heightened risk given the targeted domain names and lures. Defenders should focus on enhanced email filtering, user awareness training about attachments, domain monitoring, and endpoint detection of obfuscated script execution to mitigate this threat.

AI-Powered Analysis

Last updated: 10/31/2025, 11:24:35 UTC

Technical Analysis

The Lampion banking trojan campaign is a long-running and evolving malware operation attributed to a Brazilian threat actor group. Since at least 2019, the group has shifted tactics from using malicious links to deploying email attachments containing obfuscated Visual Basic scripts. These scripts execute in multiple stages to evade detection and ultimately install the Lampion Stealer, a banking trojan designed to harvest financial credentials and sensitive information. The campaign uses ClickFix-themed lures, a known social engineering tactic, to entice victims to open malicious attachments. The attackers employ evasion techniques including IP blacklisting to keep security researchers and analysts away from the payloads, and large file sizes to complicate automated analysis. The malicious infrastructure is distributed across multiple cloud service providers, allowing rapid rotation of some components while the core elements stay stable, which supports the campaign's persistence and stealth. The domains used in the campaign are crafted to impersonate Portuguese tax and finance authorities, such as 'autoridade-tributaria-pt.com' and 'portal-das-financas-pt.org', indicating a strategic targeting of Portuguese-speaking users in Europe. No software exploit is known to be used: the only infection vector is spam with malicious attachments, but the multi-stage infection chain and obfuscation make the threat challenging to detect and remediate. The campaign's tactics align with MITRE ATT&CK techniques such as T1566 (Phishing), T1059.005 (Visual Basic), T1078 (Valid Accounts), and T1547.001 (Registry Run Keys/Startup Folder), among others, highlighting its complexity and sophistication.

Potential Impact

For European organizations, particularly those in Portugal, the Lampion campaign poses a significant threat to the confidentiality and integrity of financial and personal data. Successful infections can lead to credential theft, unauthorized access to banking accounts, and potential financial fraud. The use of domains mimicking official tax authorities increases the likelihood of user deception and infection. The campaign's persistence and use of cloud infrastructure complicate takedown efforts and incident response. Organizations may face reputational damage, financial losses, and regulatory penalties if sensitive customer or employee data is compromised. The medium severity rating reflects the targeted nature of the attack and the potential for significant impact on affected individuals and institutions. Additionally, the campaign's evasion techniques may allow it to bypass traditional security controls, increasing the risk of undetected compromise.

Mitigation Recommendations

To mitigate the Lampion banking trojan threat, European organizations should implement multi-layered defenses focused on email security and endpoint protection. Specifically, deploy advanced email filtering solutions capable of detecting and quarantining malicious attachments, especially those containing obfuscated scripts. Conduct targeted user awareness training emphasizing the risks of opening unexpected attachments and recognizing phishing lures themed around tax authorities or finance portals. Monitor and block access to known malicious domains identified in the campaign, such as those impersonating Portuguese tax services. Employ endpoint detection and response (EDR) tools to identify suspicious script execution and anomalous registry or startup modifications indicative of malware persistence. Regularly update and patch systems to reduce the attack surface, even though this campaign does not exploit known software vulnerabilities. Implement network segmentation and restrict outbound traffic to limit malware command and control communications. Finally, establish incident response plans that include rapid identification and containment of infections, and collaborate with local cybersecurity authorities to share threat intelligence.
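As an added defender-side illustration of the domain-monitoring recommendation above (example code, not part of the pulse or the Bitsight report), the following Python detector normalises hostnames from DNS query logs and flags lookalikes of the Portuguese tax portals by brand token, so that hyphenated and concatenated variants such as those listed in this pulse are caught by one rule. The `.gov.pt` allowlist, the brand-token list and the log line format are assumptions made for this example.

```python
import re
from typing import Iterable, List, Tuple

# Assumption for this example: Portuguese government hosts live under gov.pt.
ALLOWED_SUFFIXES = (".gov.pt",)

# Impersonated brands written without separators, most specific first, so that
# "at-portal-das-financas.com" and "atportaldasfinancas.com" both match.
BRAND_TOKENS = ("portaldasfinancas", "autoridadetributaria", "financas", "tributaria")


def normalize(host: str) -> str:
    """Lower-case the host and strip dots/hyphens so separator tricks cannot hide a brand."""
    return re.sub(r"[^a-z0-9]", "", host.lower().rstrip("."))


def classify_host(host: str) -> Tuple[str, str]:
    """Return (verdict, token): 'allowed' for allowlisted hosts, 'lookalike' when a
    brand token appears on a non-allowlisted host, otherwise 'benign'."""
    h = host.lower().rstrip(".")
    if any(h == s.lstrip(".") or h.endswith(s) for s in ALLOWED_SUFFIXES):
        return "allowed", ""
    flat = normalize(h)
    for token in BRAND_TOKENS:
        if token in flat:
            return "lookalike", token
    return "benign", ""


# Assumed log format: key=value pairs with the queried name under "query=".
QUERY_RE = re.compile(r"\bquery=(?P<host>[A-Za-z0-9.-]+)")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (host, matched_token) for every query line that names a lookalike host."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict, token = classify_host(m.group("host"))
        if verdict == "lookalike":
            hits.append((m.group("host"), token))
    return hits


# Constructed sample log (not real telemetry); the two flagged names are from this pulse.
SAMPLE_LOG = """\
2025-10-31T09:33:16Z client=10.0.0.5 query=www.portaldasfinancas.gov.pt type=A
2025-10-31T09:34:02Z client=10.0.0.5 query=autoridade-tributaria-pt.com type=A
2025-10-31T09:35:10Z client=10.0.0.7 query=example.com type=AAAA
2025-10-31T09:36:44Z client=10.0.0.9 query=at-portal-das-financas.com type=A
""".splitlines()
```

Calling `scan_dns_log(SAMPLE_LOG)` on the constructed log returns the two impersonating hosts with the brand token each matched; the legitimate gov.pt portal is allowlisted before any token check runs.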

Technical Details

Author: AlienVault
TLP: white
References: https://www.bitsight.com/blog/brazil-love-new-tactics-lampion
Adversary: Lampion
Pulse Id: 6904825c8b7788f09d0d5ce2
Threat Score: null

Indicators of Compromise

Domain


Threat ID: 69049c46479ed964d8e04a40

Added to database: 10/31/2025, 11:23:50 AM

Last enriched: 10/31/2025, 11:24:35 AM

Last updated: 10/31/2025, 6:26:09 PM