Threat Research

    The Water Saci campaign in Brazil employs a heavily layered attack chain using multiple file formats—HTA, ZIP, and PDF—to evade simple detection and complicate analysis. Recently, attackers shifted from PowerShell to a Python-based propagation routine, enabling broader browser compatibility, improved error handling, and faster automated malware delivery through WhatsApp Web....
    RelayNFC is a newly identified and increasingly sophisticated Android malware targeting users in Brazil through phishing campaigns. Designed specifically for NFC relay attacks, it captures victims’ contactless payment card data and relays it in real time to attacker-controlled servers, enabling fraudulent transactions as if the physical card were present....
    Researchers are examining an ongoing, multi-stage malware campaign targeting WhatsApp users in Brazil. First detected on September 24, 2025, the operation—identified as STAC3150—uses archive attachments that contain a downloader script responsible for fetching several second-stage components....
    Cybercriminals are targeting trucking and freight companies through complex attack chains to steal cargo shipments. Cargo theft has become a multi-million-dollar industry, with digital transformation fueling a surge in cyber-enabled theft. Attackers infiltrate logistics firms and exploit their access to bid on shipments, which they then steal and resell....
    SORVEPOTEL has been found spreading across Windows systems, accompanied by a message prompting users to open it on a desktop—indicating that the attackers are likely targeting enterprise environments....
    UAT-8099 is a Chinese-speaking cybercrime group targeting high-value IIS servers in countries like India, Thailand, Vietnam, Canada, and Brazil to conduct SEO fraud and steal credentials, config files, and certificates. They use web shells, Cobalt Strike, and BadIIS malware to manipulate search rankings and maintain persistence....
    Gunra ransomware’s Linux variant significantly expands the group’s attack surface, reflecting its intention to move beyond its initial targets. This variant includes key features such as the ability to execute up to 100 encryption threads simultaneously and perform partial encryption....
    The Coyote Banking Trojan is a malware targeting users in Brazil, delivered through LNK files containing PowerShell commands. These files are part of multi-stage attacks aimed at stealing sensitive information from over 70 financial apps and websites....