--[ Anomaly #4 - Is Android malware advancing in Latin America? ]--
March 20, 2026
By: ZoqueLabs
This writing is distributed under a Creative Commons CC BY-SA (Attribution - ShareAlike) license.
Spanish version
In recent weeks we have followed the emergence of new variants of Android malware in the region, especially in Brazil and Argentina. On the one hand, financial cybercrime campaigns focused on banking and cryptocurrencies; on the other, infrastructure associated with botnets that convert devices —including Android TV boxes— into residential proxies through malicious applications.
One of the most interesting cases, linked in Anomaly #3, is PromptSpy. Detected in Argentina and possibly linked to China, it is distributed as an investment app. In addition to typical remote control capabilities via VNC, it introduces a rare element: the use of generative AI for persistence. It captures screen status and sends it to Google’s Gemini to determine how to stay active without being terminated by the system. The technique itself is simple, but it opens a clear door: AI as an operational component in mobile malware.
Relevant variants were also observed in Brazil. The case of BeatBanker, analyzed by SecureList, shows a malware-as-a-service type ecosystem: the same initial implant can deploy different modules —bank theft, credentials, mining or full remote access— depending on the objective. It is distributed through fake public service pages and stands out for a curious detail: it uses inaudible audio to prevent the system from closing the application, another example of creativity in persistence.
Another case is PixRevolution, focused on fraud against Pix transfers. It abuses accessibility services, but adds an operational component: it requires active supervision. When it detects that a banking app is in use, the implant consults its C2 to receive specific instructions in real time and manipulates the interface without the user noticing. There is no fixed logic for Pix; the behaviour adapts dynamically. The hypothesis of an operator, human or automated, is not confirmed, but it fits the observed behaviour.
Beyond these cases, a structural problem persists in the region: the supply chain of low-cost Android devices. Historically associated with ad fraud, these devices now feed another market: residential proxies, networks built from compromised devices that let third parties route traffic through home connections and mask its origin. This does not stop at the phone: access extends to the local network, where other vulnerable devices appear, such as Android TV boxes with ADB exposed over the network, which end up integrated into botnets used for DDoS. Research such as Katana and Kimwolf documents these layers well.
In closing, although Android spyware aimed at civil society in the region remains less visible, this malware ecosystem has a real impact on social and technical processes. Furthermore, the borders are blurred: tools, techniques and even exploits circulate between criminal, commercial and other actors. What today looks like "just fraud" can escalate quickly. It is advisable to look at the whole panorama.
We hope you enjoy this edition of Anomaly. As always, comments and contributions are welcome. 💚
–[ Research and tools ]–
Virtualize iPhone — experimentation on iOS outside the device
The super-tart-vphone guide project explores virtualizing environments close to iOS on top of Apple's native virtualization framework, a space that has historically been far more restricted than Android. This is not a complete virtualization of the iPhone as a physical device, but it does aim to isolate and reproduce components of the environment for testing and analysis. If approaches of this kind mature, they could reduce reliance on real hardware and open more reproducible workflows for iOS research, a terrain that remains expensive and limited in access. We haven't tried it yet, but it's on the list: we'll be back with results.
–[ Malware in the region ]–
Brazil - BeatBanker — banking + mining in the same mobile implant
Kaspersky’s analysis of BeatBanker describes a Brazil-focused Android malware that combines financial theft with cryptomining in the same infection chain, distributed via sites mimicking Google Play and government apps. Beyond the monetization combo, operational details stand out: payloads loaded into memory to evade detection, persistence through near-inaudible audio playback so the system does not kill the process, and overlays to intercept transactions (including replacement of addresses in crypto wallets). In more recent samples the banking module is replaced by a RAT (BTMOB), suggesting a transition to more flexible remote-access and MaaS models.
Infostealers — less volume, more sophistication in the region
ESET’s review of infostealer activity shows an interesting shift: although global detections decreased, sophistication increased, partly due to the use of AI and more flexible models. Latin America remains a focus, with Mexico concentrating massive campaign peaks (Lumma Stealer) and Brazil emerging as a testing ground for hybrid threats that combine spyware and financial theft (including NFC-based techniques). Families like Formbook, Lumma or Agent Tesla continue to set the pace, but the backdrop is different: access to this kind of malware is increasingly easy, which expands the number of actors and lowers the technical barrier to entry.
LATAM — shared malware patterns
The ESET map of malware in Latin America shows reuse of campaigns and tooling between countries such as Peru, Mexico, Brazil, Argentina and Colombia. Rather than new threats, what is observed is regional circulation of the same families (phishing, loaders and banking Trojans), with campaigns replicated and adapted to the local context.
–[ Malicious Activity ]–
UAT-9244 — targeting telecoms in South America
Cisco Talos describes UAT-9244 as a China-linked actor that since 2024 has compromised telecommunications infrastructure in South America, deploying three implants: TernDoor (Windows), PeerTime (Linux, with C2 over BitTorrent) and BruteEntry (brute forcing from edge devices turned into scanning nodes). More than the individual tooling, the combination stands out: persistent access on endpoints, lateral movement across embedded systems and use of compromised infrastructure to expand the attack surface. Targeting is consistent and long-term, focused on telecommunications providers.
LATAM — more attacks, different vector
Recent data shows that Latin America faces up to twice as many cyberattacks as the United States, with a greater presence of ransomware, infostealers, banking malware and botnets. Unlike the United States, where attacks arrive mainly via the web, email dominates in the region (≈74%), especially phishing campaigns that impersonate banks, payment services or public entities. More than volume, the difference is in the vector: less complex technical exploitation, more effective and sustained social engineering.
–[ Hacktivism ]–
Brazil - P4R4ZYT3 / DEFCOMX64 — from breaches to discourse
The alias P4R4ZYT3, linked to DEFCOMX64, connects a breach (~8.6 GB) against a public entity in Brazil with activity in forums, defacements and Telegram. What is interesting is the change in tone: from publishing databases and moving in circuits closer to crime, to building a presence, reappearing after takedowns and beginning to announce actions against state targets. Telegram goes from a secondary channel to a signalling space, with more declarative messages and less orientation towards specific leaks.
–[ Info/Psy OPs ]–
Meta intervenes in recruitment and disinformation networks of Latin American drug cartels.
Meta’s Adversarial Threat Report for the first half of 2026 includes enforcement action against accounts linked to drug cartels in Latin America, used for recruitment and disinformation campaigns. The case, also covered by Risky Business, shows how these structures operate on digital platforms too, with their own logic of influence and expansion.
Ecuador — The FPSC denounces attacks against journalists and media
The Fundación Periodistas Sin Cadenas (FPSC) denounces coordinated digital attacks in specific regions, such as the Ecuadorian Amazon, aimed at silencing reporting by local media and journalists. These actions include mass reporting, bot and troll campaigns and even direct threats, with the goal of controlling discourse in highly localized contexts. This makes it even harder for civil society voices in these regions to be heard and amplified. It will be interesting to watch how these dynamics evolve and whether the types of attacks change over time.
–[ Leaks ]–
Colombia — DNI links DIAN leak with electoral scenario
The National Intelligence Directorate (DNI) stated that the leak of data associated with the DIAN (reported in Anomaly #3) could be linked to an attempt at manipulation in the electoral context. However, no technical details have been made public explaining how such a database would feed into an electoral manipulation scenario. Leaks of this type usually appear associated with phishing, fraud, impersonation or sale of access, and this one adds to an increasingly long list of recent exposures in Colombia and other countries in the region. The electoral reading comes without further technical support, while the more immediate impacts are already visible in how the data is circulating.
NyxarGroup — active actor in Colombia with a focus on public entities and the health sector
NyxarGroup has been linked in recent weeks to multiple incidents in Colombia, focused on government entities, hospitals, universities and public institutions. The actor takes advantage of exposed services to obtain initial access (RCE or shells) and then exfiltrates databases (SQL dumps), in several cases from systems holding sensitive information such as health records.
–[ ZOLIM - This week’s snapshot (03/18/2026) ]–
ZOLIM’s most recent snapshot shows a change that is less visible but more relevant than growth: the infrastructure not only increased to 116 IPs but also remains active: the 104 IPs of the previous snapshot are still up, with no significant rotation.
Here are some signs that caught our attention this week:
- GoPhish remains the dominant framework with 66 nodes and already operates as base infrastructure in LATAM. The repeated use of port 3333 (34 IPs), the port GoPhish's admin server listens on by default, and its presence in multiple countries point to simple, unchanged configurations that persist between snapshots.
- Sliver goes from 10 to 12 nodes and appears in new ASNs and countries. In parallel, a node that previously combined Sliver and UnamWebPanel now runs only Sliver, and UnamWebPanel no longer appears in the snapshot.
- In Colombia the number of nodes goes from 9 to 13. In Barranquilla (AS27831), a node that previously combined DCRat and AsyncRAT now runs only AsyncRAT, marking a change in the configuration of that infrastructure. At the same time, new nodes appear in Bogotá, Bucaramanga and Cota.
- Honduras appears on the radar again, this time not only with Quasar but also with Hak5 Cloud C2.
The infrastructure continues to be deployed on commercial cloud and regional providers (Oracle, Amazon, Microsoft, local telecoms), with repeated presence among snapshots.
In ZOLIM you can explore the complete snapshot and the table where we publish all active IPs by country if you want to delve deeper into the data :D