A sophisticated malware campaign distributing the Grandoreiro banking trojan has been targeting users in Mexico, Argentina, and Spain through elaborate phishing emails impersonating tax agencies. The attack relies on a multi-stage infection chain that begins with fraudulent government notifications claiming recipients face substantial tax penalties, creating urgency that compels victims to interact with malicious links embedded in these messages.

The campaign runs on an intricate infrastructure of virtual private servers (VPS) hosted on Contabo's network, demonstrating threat actors' growing preference for legitimate hosting services as a way to evade detection. Forcepoint researchers identified that the attackers frequently change subdomains under contaboserver.net for each campaign, making it difficult for security solutions to keep pace with blocking efforts. This approach gives the attackers a veneer of legitimacy while enabling them to shift infrastructure rapidly as domains are flagged by security solutions.

When victims click the links in these phishing emails, they are redirected to geofenced, Contabo-hosted URLs that display a fake tax document portal. The researchers noted the attackers' sophisticated use of geofencing to target specific regions while avoiding security researcher environments. The page contains a "Download PDF" button that, when clicked, initiates a chain of redirects ultimately leading to the download of a password-protected ZIP file from Mediafire, a legitimate file-sharing service. This technique of chaining multiple legitimate services together in the attack chain significantly complicates detection efforts.

The infection process begins when victims extract the password-protected ZIP file (password: 2025), which contains a heavily obfuscated Visual Basic Script. The VBS file contains large amounts of intentional noise, with periods and other unwanted characters used to obscure its true functionality. This social engineering tactic convinces users they are dealing with a legitimate document issue while the malware silently establishes persistence.

The executable, which claims to be from "ByteCore Technologies 706092 Inc." according to its version information, connects to command-and-control servers using unusual port configurations (such as 42195). The malware specifically targets financial information, scanning for Bitcoin wallet directories and collecting system information through registry queries such as "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions" to determine language settings and machine identifiers.

The Grandoreiro trojan's multi-layered obfuscation and use of legitimate infrastructure highlight how modern threat actors continue to evolve their tactics to bypass security controls. Organizations must implement multi-layered defenses that can detect such threats across the attack chain, from initial phishing attempts through payload execution and command-and-control communications.
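The following is an added example written for this article, not code from the article, from Forcepoint, or from the malware. It turns the chain described above into a defender's correlation check: given proxy and endpoint events for a host, it looks for the three observable stages the article names (a request to any subdomain of contaboserver.net, a ZIP download from Mediafire, and an outbound connection on the unusual port 42195) and flags hosts that show at least two of them, which is more robust than blocking individual subdomains that rotate per campaign. It also scores script text for the kind of period-padding the article attributes to the VBS dropper. The key=value log format, the sample events, the "script host talking on an odd port" heuristic and the 3-character noise-run threshold are all assumptions made for the example, not published indicators.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article): key=value proxy and
# endpoint events for two workstations. WS01 walks the chain described in the
# article; WS02 is ordinary traffic.
CONSTRUCTED_EVENTS = [
    "ts=2025-04-07T10:01:02 host=WS01 type=http dst=k9x2.contaboserver.net url=/portal/descargar",
    "ts=2025-04-07T10:01:09 host=WS01 type=http dst=download2390.mediafire.com url=/file/Documento_Fiscal.zip",
    "ts=2025-04-07T10:03:40 host=WS01 type=netconn proc=wscript.exe dst=203.0.113.7 dport=42195",
    "ts=2025-04-07T10:05:00 host=WS02 type=http dst=www.example.com url=/",
    "ts=2025-04-07T10:06:00 host=WS02 type=netconn proc=chrome.exe dst=198.51.100.5 dport=443",
]

# Stage 1: any subdomain of the rotating Contabo parent domain named in the article.
HOSTING_PARENT = "contaboserver.net"
# Stage 2: an archive fetched from the file-sharing service named in the article.
DROPPER_HOST_SUFFIX = "mediafire.com"
# Stage 3: the non-standard C2 port cited in the article, plus a heuristic
# (assumption) that Windows script hosts should not reach the internet on odd ports.
KNOWN_C2_PORTS = {42195}
COMMON_PORTS = {80, 443, 8080}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_event(line):
    """Split a 'key=value key=value' line into a dict (assumed log format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def classify(ev):
    """Map one event to the attack stage it evidences, or None."""
    dst = ev.get("dst", "").lower()
    if ev.get("type") == "http":
        if dst == HOSTING_PARENT or dst.endswith("." + HOSTING_PARENT):
            return "contabo_subdomain"
        if dst.endswith(DROPPER_HOST_SUFFIX) and ev.get("url", "").lower().endswith(".zip"):
            return "mediafire_zip"
    elif ev.get("type") == "netconn":
        port = int(ev.get("dport", 0))
        if port in KNOWN_C2_PORTS:
            return "unusual_port_c2"
        if ev.get("proc", "").lower() in SCRIPT_HOSTS and port not in COMMON_PORTS:
            return "script_host_odd_port"
    return None


def correlate(lines):
    """Return {host: set(stages)} for hosts showing at least two distinct stages."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev)
        if stage and "host" in ev:
            seen[ev["host"]].add(stage)
    return {h: s for h, s in seen.items() if len(s) >= 2}


# Runs of three or more punctuation characters (no letters, digits, underscore or whitespace).
NOISE_RUN = re.compile(r"[^\w\s]{3,}")


def noise_ratio(script_text):
    """Fraction of characters that sit inside runs of 3+ punctuation characters.

    The article describes the VBS dropper as padded with periods and other junk;
    the run-length threshold here is an assumption, not a published indicator.
    """
    if not script_text:
        return 0.0
    junk = sum(len(m.group()) for m in NOISE_RUN.finditer(script_text))
    return junk / len(script_text)


# Constructed, harmless VBS-looking text showing the padding pattern, and a clean control.
CONSTRUCTED_PADDED_SCRIPT = 'Dim msg\n' + '.' * 200 + '\nmsg = "hola"\n' + ':;' * 50 + '\n'
CONSTRUCTED_CLEAN_SCRIPT = 'Dim msg\nmsg = "hola"\nWScript.Echo msg\n'

if __name__ == "__main__":
    for host, stages in sorted(correlate(CONSTRUCTED_EVENTS).items()):
        print(host, sorted(stages))
    print("padded noise ratio: %.2f" % noise_ratio(CONSTRUCTED_PADDED_SCRIPT))
    print("clean noise ratio:  %.2f" % noise_ratio(CONSTRUCTED_CLEAN_SCRIPT))
```

Matching the parent domain rather than specific subdomains is the point of the first rule: the article says the subdomains rotate per campaign, so a blocklist of individual hostnames lags behind the attacker, while a suffix match on contaboserver.net does not. Requiring two stages per host keeps a single ZIP download from Mediafire, which is common legitimate activity, from raising an alert on its own.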
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 07 Apr 2025 15:10:08 +0000