
Threats Affecting Mexico

View all threats affecting or targeting Mexico. Filter and sort to focus on specific types of threats.





WhatsApp phishing attack uses fake business docs to hack PCs

A malware campaign is targeting WhatsApp users globally: compromised contacts send VBScript (.vbs) files disguised as business and financial documents. When a victim runs the script on Windows, it disables User Account Control (UAC) protections and silently installs the legitimate ManageEngine Endpoint Central agent, configured to report to attacker-controlled servers, which gives the attacker remote access to the PC. The campaign affects multiple countries and uses localized filenames to raise its success rate. How the sending WhatsApp accounts were compromised is not known. Users should confirm unexpected files with the sender and scan them before opening; a "document" that arrives as a .vbs file is a script, not a document.

An unknown actor distributes malicious VBS scripts via WhatsApp

Since June 2026, an active malware campaign has distributed malicious VBScript files through WhatsApp direct messages. It targets users globally, with the largest concentration of victims in Malaysia. The attackers compromise WhatsApp accounts and use them to send weaponized VBS scripts disguised as business and financial documents. The infection chain deploys the legitimate ManageEngine Endpoint Central RMM software to keep persistent remote access. The scripts are heavily obfuscated, carry Chinese-language comments, and modify Windows UAC settings. Infrastructure overlaps with ValleyRAT and Gh0st RAT suggest Chinese-speaking operators. The campaign relies on opportunistic social engineering, with localized filenames in multiple languages.

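The two reports above describe one chain: a script host runs a .vbs that arrived through chat, the script zeroes UAC policy values, and an RMM agent is installed from that script process. As an added example (not code from either report or from the researchers behind them), the Python below expresses that chain as three hunt rules over Sysmon-style events and correlates them per host. The field names follow Sysmon EventID 1 (process create) and EventID 13 (registry value set); the RMM path markers, host names and every sample event are constructed assumptions.

```python
"""Hunt for the WhatsApp VBS chain (script host -> UAC registry tamper -> RMM install)
in Sysmon-style events. Added example: field names follow Sysmon EventID 1 and 13;
all events below are constructed for illustration, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass

UAC_KEY = "\\microsoft\\windows\\currentversion\\policies\\system\\"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Substrings seen in Endpoint Central (formerly Desktop Central) agent paths and
# installers. Assumed starting list; extend it from your own software inventory.
RMM_MARKERS = ("manageengine", "desktopcentral", "uems", "dcagent")


@dataclass
class Finding:
    rule: str
    severity: str
    host: str
    detail: str


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_uac_tamper(ev):
    """EventID 13: a UAC policy value written as DWORD 0 (UAC off or no prompt)."""
    if ev.get("EventID") != 13:
        return None
    target = ev["TargetObject"]
    name = target.rsplit("\\", 1)[-1]
    zeroed = ev.get("Details", "").strip().lower().endswith("(0x00000000)")
    if UAC_KEY in target.lower() and name in UAC_VALUES and zeroed:
        return Finding("uac_tamper", "high", ev["Computer"],
                       f"{name} zeroed by {_base(ev['Image'])}")
    return None


def check_vbs_launch(ev):
    """EventID 1: wscript/cscript executing a .vbs file."""
    if ev.get("EventID") != 1 or _base(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    if ".vbs" in ev.get("CommandLine", "").lower():
        return Finding("vbs_launch", "medium", ev["Computer"], ev["CommandLine"])
    return None


def check_rmm(ev):
    """EventID 1: RMM agent or installer; critical when the parent is a script host."""
    if ev.get("EventID") != 1:
        return None
    blob = (ev["Image"] + " " + ev.get("CommandLine", "")).lower()
    if not any(marker in blob for marker in RMM_MARKERS):
        return None
    if _base(ev.get("ParentImage", "")) in SCRIPT_HOSTS:
        return Finding("rmm_from_script", "critical", ev["Computer"],
                       f"{_base(ev['Image'])} spawned by {_base(ev['ParentImage'])}")
    return Finding("rmm_present", "info", ev["Computer"], _base(ev["Image"]))


RULES = (check_uac_tamper, check_vbs_launch, check_rmm)


def hunt(events):
    return [f for ev in events for f in (rule(ev) for rule in RULES) if f]


def chain_hosts(findings):
    """Hosts where UAC was zeroed AND an RMM agent came from a script host."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return {h for h, r in rules_by_host.items() if {"uac_tamper", "rmm_from_script"} <= r}


SAMPLE_EVENTS = [  # constructed; WS-MX-01 is the infected host, WS-MX-02 a managed one
    {"EventID": 1, "Computer": "WS-MX-01", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Factura_Marzo.vbs"'},
    {"EventID": 13, "Computer": "WS-MX-01", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Computer": "WS-MX-01", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\ana\AppData\Local\Temp\UEMSAgent.msi /qn"},
    {"EventID": 1, "Computer": "WS-MX-02",
     "Image": r"C:\Program Files (x86)\ManageEngine\UEMS_Agent\bin\dcagentservice.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "dcagentservice.exe"},
    {"EventID": 13, "Computer": "WS-MX-02", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000005)"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.rule}: {f.detail}")
    print("chain on:", chain_hosts(hunt(SAMPLE_EVENTS)))
```

An Endpoint Central agent started by services.exe on a managed host is expected and only rated info; the same product spawned by wscript.exe is the signal. The UAC rule does not key on the writing process, so a value zeroed through reg.exe or PowerShell instead of directly from the script is still caught.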
Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind

An exposed attacker server revealed FortiBleed, a large-scale credential-compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways worldwide. The operators harvested credentials through credential reuse, brute force, and hash cracking on a distributed GPU farm of roughly 36 rented GPUs coordinated with Hashtopolis. The open directory held 319 files: scanning tools, the cracking infrastructure, credential databases, post-exploitation toolkits, and live VPN configurations. The campaign was initially reported as affecting 21,632 domains, but the attacker's own tooling shows that only 918 organizations had evidence of internal network compromise, and just 148 had fully cracked credentials. The goal was to sell initial access to the compromised networks; victims span 194 countries, led by India, the United States, and Taiwan.

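Credential reuse and brute force against an SSL VPN are visible in the gateway's own login logs well before any internal compromise. As an added example (not part of the analysis above and not the researchers' tooling), the Python below parses FortiGate-style key=value syslog lines and raises alerts for password spraying (one source failing across many users), brute force (many failures on one user), and a successful login from a source that was just spraying. The sample lines, the action values ssl-login-fail and ssl-login, and the thresholds are constructed assumptions; check them against your own log format before deploying.

```python
"""Spot password spraying / brute force against an SSL VPN in FortiGate-style
key=value syslog. Added example; the sample lines are constructed and the action
values are assumed, so map them to the real ones from your gateway."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAIL, SUCCESS = "ssl-login-fail", "ssl-login"   # assumed action values


def parse(line: str) -> dict:
    ev = {k: v.strip('"') for k, v in KV.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def detect(lines, window=timedelta(minutes=10), spray_users=5, brute_tries=8):
    """Return (kind, key, detail) alerts, each raised at most once per key."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    fails_by_ip = defaultdict(deque)     # remip -> deque[(ts, user)]
    fails_by_user = defaultdict(deque)   # user  -> deque[(ts, remip)]
    alerts, seen = [], set()

    def raise_once(kind, key, detail):
        if (kind, key) not in seen:
            seen.add((kind, key))
            alerts.append((kind, key, detail))

    for ev in events:
        ts, user, ip = ev["ts"], ev.get("user", "?"), ev.get("remip", "?")
        for dq in (fails_by_ip[ip], fails_by_user[user]):   # expire entries outside the window
            while dq and ts - dq[0][0] > window:
                dq.popleft()
        if ev.get("action") == FAIL:
            fails_by_ip[ip].append((ts, user))
            fails_by_user[user].append((ts, ip))
            users = {u for _, u in fails_by_ip[ip]}
            if len(users) >= spray_users:
                raise_once("password_spray", ip, f"{len(users)} users failed from {ip} within {window}")
            if len(fails_by_user[user]) >= brute_tries:
                raise_once("brute_force", user, f"{len(fails_by_user[user])} failures for {user}")
        elif ev.get("action") == SUCCESS:
            prior = sum(1 for _, i in fails_by_user[user] if i == ip)
            if ("password_spray", ip) in seen or prior >= 3:
                raise_once("success_after_failures", f"{user}@{ip}",
                           f"login succeeded from a spraying source or after {prior} prior failures")
    return alerts


def _line(time, action, user, ip):   # builds one constructed log line
    return (f'date=2026-03-02 time={time} devname="fgt-edge" type="event" subtype="vpn" '
            f'action="{action}" user="{user}" remip={ip}')


SAMPLE_LOG = [  # constructed; 203.0.113.7 sprays six accounts and then gets in as jlopez
    _line("08:00:01", FAIL, "alopez", "203.0.113.7"),
    _line("08:00:09", FAIL, "bmartinez", "203.0.113.7"),
    _line("08:00:17", FAIL, "cgarcia", "203.0.113.7"),
    _line("08:00:25", FAIL, "dlopez", "203.0.113.7"),
    _line("08:00:33", FAIL, "eruiz", "203.0.113.7"),
    _line("08:00:41", FAIL, "jlopez", "203.0.113.7"),
    _line("08:01:05", SUCCESS, "jlopez", "203.0.113.7"),
    _line("09:10:00", FAIL, "admin", "198.51.100.4"),   # two stray failures: no alert
    _line("09:10:30", FAIL, "admin", "198.51.100.4"),
]

if __name__ == "__main__":
    for kind, key, detail in detect(SAMPLE_LOG):
        print(f"{kind:24} {key:28} {detail}")
```

The spray threshold counts distinct users per source, which is what distinguishes a reuse or spraying run from a user mistyping a password; lower the window or raise spray_users on gateways that front a NAT pool, or the alert will fire on a busy branch office.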
GitBait: Phishing targeting the Mexican financial sector

A sophisticated, modular phishing infrastructure has been targeting at least 12 Mexican financial institutions over a three-year period. It is hosted on GitHub Pages and exfiltrates credentials through the SheetBest API, so the operators need no backend infrastructure of their own. The pages use obfuscated JavaScript, randomized paths, and a dynamic brand-selection panel to impersonate the banking portals of several institutions. Over 100 associated domains were identified, each hosting multiple phishing pages under different paths. Credentials are collected through multi-stage forms that mimic genuine banking authentication flows and are exfiltrated in real time to attacker-controlled Google Sheets; an alternative exfiltration path via a Telegram bot was also observed. Multiple operator accounts keep the infrastructure alive through continuous commits and updates.

Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages

A sophisticated smishing and phishing operation, active since the second half of 2025, has impersonated more than 267 brands across 72 countries, with a strong concentration in Latin America. It generated 4,389 phishing domain instances, 1,851 of them targeting Mexico. Telecommunications is the most targeted sector (1,754 instances), followed by financial services and consumer rewards programs. The operation hides behind fake Cloudflare error pages: the decoy is served to everyone except visitors who match the operators' geofencing and mobile-device criteria, who receive the phishing content instead. Scanners that fetch from data-center addresses with desktop user agents therefore see only the error page. Stolen data is exfiltrated over encrypted WebSocket channels carrying binary-encoded payloads. Roughly 30% of the infrastructure is hosted on Tencent Cloud and Alibaba US servers, fronted by Cloudflare to hide the origin IPs. The attack chain moves from an SMS lure through progressive credential harvesting to the capture of full credit card details, CVV included.

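The GitBait and Error 524 reports above point to two page-level checks an analyst can run on a captured phishing kit: which exfiltration channel the page uses (SheetBest, a Telegram bot, or a raw WebSocket) and whether the page cloaks behind a Cloudflare-style error page depending on who is asking. The Python below is an added example, not code from either report; it undoes simple string concatenation and base64 literals before matching, and compares a desktop capture of a URL with a mobile capture of the same URL. The endpoint patterns, the bot token, and both HTML captures are constructed.

```python
"""Triage a captured phishing page: find exfiltration endpoints behind light
obfuscation, and detect error-page cloaking between two captures of one URL.
Added example; endpoint patterns and both HTML captures are constructed."""
import base64
import re

EXFIL_PATTERNS = {
    "sheetbest": re.compile(r"https?://(?:sheet\.best/api|api\.sheetbest\.com)/sheets/[\w-]+", re.I),
    "telegram_bot": re.compile(r"https?://api\.telegram\.org/bot\d+:[\w-]+/\w+", re.I),
    "websocket": re.compile(r'wss?://[^\s\'"<>)]+', re.I),
}
CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")        # "a" + "b"  ->  "ab"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # base64 literals long enough to hold a URL


def deobfuscate(src: str) -> str:
    """Return the source plus decoded layers: joined string literals and base64 text."""
    layers = [CONCAT.sub("", src)]
    for cand in B64_RUN.findall(layers[0]):
        try:
            decoded = base64.b64decode(cand, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):   # not base64, or not text
            continue
        if decoded.isprintable():
            layers.append(decoded)
    return "\n".join(layers)


def find_exfil_channels(src: str) -> dict:
    text = deobfuscate(src)
    return {name: sorted(set(pat.findall(text)))
            for name, pat in EXFIL_PATTERNS.items() if pat.search(text)}


CF_ERROR_MARKERS = ("error 524", "a timeout occurred", "cf-error-details", "cloudflare")
SENSITIVE_INPUT = re.compile(r"""<input[^>]+(?:type=["']password|autocomplete=["']cc-)""", re.I)


def looks_like_cf_error_page(html: str) -> bool:
    h = html.lower()
    return sum(marker in h for marker in CF_ERROR_MARKERS) >= 2


def cloaking_suspected(desktop_html: str, mobile_html: str) -> bool:
    """Error page for the desktop fetch, credential or card form for the mobile one."""
    return (looks_like_cf_error_page(desktop_html)
            and not looks_like_cf_error_page(mobile_html)
            and SENSITIVE_INPUT.search(mobile_html) is not None)


# --- constructed captures (token, hosts and sheet id are placeholders) -------
TG_URL = "https://api.telegram.org/bot123456:AAExampleTokenNotReal/sendMessage"
DESKTOP_CAPTURE = """<html><head><title>ejemplo.invalid | 524: A timeout occurred</title></head>
<body><div id="cf-error-details"><h1>Error 524</h1>
<p>The origin web server timed out responding to this request.</p>
<p>Performance &amp; security by Cloudflare</p></div></body></html>"""
MOBILE_CAPTURE = f"""<html><body><form id="login">
<input name="user"><input type="password" name="pass">
<input autocomplete="cc-number" name="card"><input autocomplete="cc-csc" name="cvv"></form>
<script>
var s = "https://api." + "sheet" + "best.com/sheets/2f1c" + "-example";
var t = atob("{base64.b64encode(TG_URL.encode()).decode()}");
var w = new WebSocket("wss://edge.example.invalid/c");
</script></body></html>"""

if __name__ == "__main__":
    print(find_exfil_channels(MOBILE_CAPTURE))
    print("cloaking suspected:", cloaking_suspected(DESKTOP_CAPTURE, MOBILE_CAPTURE))
```

A genuine Cloudflare 524 also satisfies looks_like_cf_error_page; the cloaking signal is that a second capture with a mobile user agent (and, for this campaign, from a target-country address) returns a form instead. Capture both variants over the same network path you suspect is being fingerprinted, and treat the decoded endpoints as indicators to block, not as proof of attribution.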
Study on the Wi-Fi security situation in Mexico | Kaspersky official blog

Kaspersky experts have investigated the security of public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey.

Severity: Medium | Type: Vulnerability | Country: Mexico
The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament

Researchers uncovered a massive fraud ecosystem targeting the 2026 FIFA World Cup, identifying over 4,300 fraudulent domains impersonating FIFA's official website since August 2025. At the center operates GHOST STADIUM, a Chinese-speaking threat actor running a sophisticated phishing campaign across 300+ domains using a pixel-perfect clone of FIFA's authentication system. The operation harvests credentials, sells fake tickets, and processes payments through five distinct channels including cryptocurrency. Estimated losses from premium ticket fraud alone range from $71 million to $474 million, with total campaign losses potentially reaching billions. Six distinct fraud schemes operate in parallel: credential phishing, fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Over 2,513 FIFA account credentials are already circulating on dark-web markets. The campaign exploits Facebook advertising as its primary distribution chann...

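Impersonation at the scale described above is hunted first in the names themselves. As an added example (not code from the report), the Python below triages candidate domains for a brand token: it decodes punycode, folds accents and common digit-for-letter swaps, checks both the registrable label and the subdomains, and records lure words. The allowlist, the lure-word list and the sample domains are constructed; the registrable-domain split is a naive last-two-label cut, and a real deployment should use the Public Suffix List.

```python
"""Triage candidate domains for brand impersonation (brand token: fifa).
Added example; allowlist, lure words and sample domains are constructed, and the
registrable-domain split is naive (use the Public Suffix List in production)."""
import re
import unicodedata

BRAND = "fifa"
LEGIT = {"fifa.com", "fifa.org"}   # assumed allowlist of genuine registrable domains
LURE_WORDS = ("ticket", "boleto", "entrada", "worldcup", "mundial", "2026",
              "login", "account", "store", "stream")
# Characters commonly swapped for a letter in lookalike names (assumed table).
CONFUSABLES = {"i": "i1l|!", "a": "a4@", "e": "e3", "o": "o0", "s": "s5$", "t": "t7", "b": "b8"}
BRAND_RE = re.compile("".join(f"[{re.escape(CONFUSABLES.get(c, c))}]" for c in BRAND))


def registrable(host: str) -> str:
    """Naive: last two labels. Not PSL-aware (co.uk, com.mx would be wrong)."""
    return ".".join(host.split(".")[-2:])


def normalize_label(label: str) -> str:
    """Punycode -> Unicode, strip accents, fold case, drop separators."""
    try:
        label = label.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass
    folded = unicodedata.normalize("NFKD", label)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.lower().replace("-", "").replace("_", "")


def score(domain: str) -> dict:
    host = domain.lower().strip().rstrip(".")
    if registrable(host) in LEGIT:
        return {"domain": domain, "verdict": "legitimate", "reasons": []}
    labels = [normalize_label(label) for label in host.split(".")]
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    subdomains = labels[:-2]
    reasons = []
    if BRAND_RE.search(sld):
        reasons.append("brand in registrable label")
    elif any(BRAND_RE.search(label) for label in subdomains):
        reasons.append("brand in subdomain")
    hits = [w for w in LURE_WORDS if w in ".".join(labels)]
    if hits:
        reasons.append("lure words: " + ", ".join(hits))
    if reasons and reasons[0].startswith("brand"):
        verdict = "impersonation"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "unrelated"
    return {"domain": domain, "verdict": verdict, "reasons": reasons}


def triage(domains) -> dict:
    return {d: score(d)["verdict"] for d in domains}


# Accented 'i' stored the way a registrar would, i.e. as punycode (xn--...).
PUNYCODE_FIFA = "fífa.com".encode("idna").decode("ascii")
SAMPLE_DOMAINS = [  # constructed
    "fifa.com", "fifa-tickets2026.com", "f1fa-boletos.net", PUNYCODE_FIFA,
    "fifa.com.boletos-mx.net", "mundial2026-mx.com", "example.com",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        result = score(d)
        print(f"{d:28} {result['verdict']:14} {'; '.join(result['reasons'])}")
```

Feed it newly registered domains or certificate-transparency hits and review the impersonation bucket first; the subdomain check matters because fifa.com.something.net passes a registrable-domain allowlist while reading as the real site on a phone screen.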
