
Threats Affecting Brazil

View all threats affecting or targeting Brazil. Filter and sort to focus on specific types of threats.


WhatsApp phishing attack uses fake business docs to hack PCs

An ongoing malware campaign is targeting WhatsApp users in multiple countries with deceptive messages that push VBScript files, leading to remote system access. [...]

An unknown actor distributes malicious VBS scripts via WhatsApp

An active malware campaign has been discovered distributing malicious VBScript files through WhatsApp direct messages since June 2026. The operation affects users across multiple countries, with Malaysia experiencing the highest concentration of victims. Attackers compromise WhatsApp accounts and send weaponized VBS files disguised as business and financial documents to contacts. The multi-stage infection chain ultimately deploys legitimate ManageEngine Endpoint Central RMM software, providing persistent remote access to compromised systems. The scripts employ heavy obfuscation, Chinese-language comments, and modify Windows UAC settings. Infrastructure overlaps with ValleyRAT and Gh0st RAT operations suggest possible Chinese-speaking operators, though attribution remains uncertain. The campaign primarily targets individual users through opportunistic rather than focused methods, exploiting social engineering techniques with localized filenames in multiple languages.

ClickFix Campaign Generated Via AI Delivers SmartRAT

In March 2026, threat actors leveraged AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign employed ClickFix techniques, presenting victims with fake CAPTCHA and BSOD screens to trick them into executing malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan with capabilities including encrypted C2 communications, remote control of screen/keyboard/mouse, credential theft through keylogging and banking overlays, and QR code interception for transaction fraud. The malware establishes persistence via scheduled tasks and Windows services, and targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The threat actors' C2 panel contained critical authentication flaws allowing client-side bypass, suggesting deployment without adequate security review.

A stealthy RAT burrowing deep into Android devices

BTMOB is an Android remote access trojan that evolved from SpySolr malware and poses significant threats beyond traditional banking trojans. The malware combines phishing-led delivery with an APK builder interface that enables rapid payload generation without coding skills. Distributed through fake app stores impersonating streaming services, cryptocurrency platforms, and government agencies, BTMOB abuses Android Accessibility Services to gain elevated permissions. Marketed as malware-as-a-service with a reported $5,000 lifetime license, it provides adversaries with capabilities to exfiltrate sensitive data, capture screenshots, record device activity, and establish remote control. The tool's customizable phishing lures have been adapted for specific regions, including campaigns impersonating Argentine tax authorities, making it a rapidly evolving threat with global reach.

BTMOB Android malware service generates custom phishing payloads

An Android remote access trojan named BTMOB is offered to cybercriminals with a builder interface for generating malware payloads tailored to phishing lures. [...]

The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament

Researchers uncovered a massive fraud ecosystem targeting the 2026 FIFA World Cup, identifying over 4,300 fraudulent domains impersonating FIFA's official website since August 2025. At the center operates GHOST STADIUM, a Chinese-speaking threat actor running a sophisticated phishing campaign across 300+ domains using a pixel-perfect clone of FIFA's authentication system. The operation harvests credentials, sells fake tickets, and processes payments through five distinct channels including cryptocurrency. Estimated losses from premium ticket fraud alone range from $71 million to $474 million, with total campaign losses potentially reaching billions. Six distinct fraud schemes operate in parallel: credential phishing, fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Over 2,513 FIFA account credentials are already circulating on dark-web markets. The campaign exploits Facebook advertising as its primary distribution chann...

Anti-DDoS Firm Heaped Attacks on Brazilian ISPs

A Brazilian anti-DDoS technology firm was found to have enabled a botnet that launched prolonged and massive distributed denial-of-service (DDoS) attacks against other Brazilian network operators. The firm's CEO attributes the malicious activity to a security breach, suggesting it was likely orchestrated by a competitor aiming to damage the company's reputation. There is no evidence of known exploits in the wild beyond this incident, and no patch or remediation information is available. The incident highlights risks related to insider threats or compromised infrastructure within security service providers.

Severity: Medium | Type: Vulnerability | Country: Brazil | Tag: #dos

Showing 1 to 7 of 7 results
