Cybersecurity researchers from ESET discovered an ongoing espionage campaign targeting corporate networks in Latin American countries, specifically Venezuela, to spy on its victims.

When comparing the malware used in this campaign with what was previously documented, the researchers found new functionality and changes to the malware known as Bandook. Given the targeted area, they chose to name this campaign Bandidos.

Since it’s a hybrid Delphi/C++ malware, Bandook is known to be sold as a commercial remote access trojan (RAT) dating back to 2005. In 2015 and 2017, multiple variants were used in different surveillance campaigns by the Dark Caracal cyber-mercenary group on behalf of government interests in Kazakhstan and Lebanon.

The Bandidos campaign begins with victims receiving malicious emails with a PDF attachment, which contains a URL to download a compressed archive and the password to extract it. Extracting the archive reveals a malware dropper that decodes and injects Bandook into an Internet Explorer process.

bandidos - Overview-of-a-typical-attack

Image Source: ESET

ESET researcher Fernando Tavella revealed for The Hacker News that what is most interesting in the case of Bandidos is the ChromeInject functionality.

When the communication with the attacker’s command and control server is established, the payload downloads a DLL file, which has an exported method that creates a malicious Chrome extension. The malicious extension tries to retrieve any credentials that the victim submits to a URL. These credentials are stored in Chrome’s local storage.


bandidos -Malicious-extension-created-by-the-malware heimdal security image

Image Source: ESET

The Bandidos payload is capable of obtaining information from the victim’s drive units, listing the content of a specific directory, manipulating files, taking screenshots, controlling the cursor on the victim’s machine, installing or uninstalling malicious DLLs, sending files to the C&C server, terminating running processes, downloading files from a specific URL, exfiltrating the results of the operations to a remote server, and even uninstalling itself from the infected machines.

Bandook’s involvement in different espionage campaigns, already documented, shows us that it is still a relevant tool for cybercriminals. Also, if we consider the modifications made to the malware over the years, it shows us the interest of cybercriminals to keep using this piece of malware in malicious campaigns, making it more sophisticated and more difficult to detect.


According to the researchers, although there are few documented campaigns in Latin America, like Machete or Operation Spalax, due to its geopolitical situation, Venezuela is a likely target for cyberespionage.

Cybercriminals Compromise Mongolian Certificate Authority MonPass to Distribute Malware

BazaCall Malware Campaign: the New Path to Introducing Malware Came to Microsoft’s Attention

What is a Remote Access Trojan (RAT)?

15 Warning Signs that Your Computer is Malware-Infected

Leave a Reply

Your email address will not be published. Required fields are marked *