--[ Anomalía #10 - Browsers, sessions and other things we are seeing appear ]--
June 12, 2026
By: ZoqueLabs
This writing is distributed under a Creative Commons CC BY-SA (Attribution - ShareAlike) license.
Spanish version
Hello hello!
A few months ago we received a case for forensic analysis related to a wallet. The initial question seemed relatively simple: try to understand what had happened.
We did not find a definitive answer. What we found were traces.
There were indications that everything could have started with the download of apparently legitimate software. There were strange changes in the browser and references to an extension. There were also enough scattered pieces to suspect that behind the incident lay a chain much longer than what we could see.
For weeks we tried to rebuild it. Every time we found something, three new questions appeared. We went from reviewing forensic artifacts to reading about browser extensions. Then we ended up reading about profile synchronization. Then about session theft. Then about banking malware. Then about infrastructure.
At some point we stopped following the incident and began to follow the traces it was leaving.
Around that time, research appeared on extensions capable of taking control of entire browser profiles. Other work described mechanisms for cloning active sessions without needing to steal passwords. More recently we found reports on SilabRAT, a tool marketed on criminal forums with functions to hijack sessions, clone profiles and operate from the victim's own environment.
Meanwhile, campaigns associated with Casbaneiro and Horabot kept appearing, mixing emails, password-protected PDFs, ClickFix lures, WhatsApp and banking malware. They were not the same actors. They were not the same tools. They were not exactly the same victims either.
But there was something familiar about all of them. None of these articles explained the case we were investigating, yet what they described behaved in a similar way.
Time and time again the same elements appeared: browsers, authenticated sessions, synced profiles, extensions, wallets, and ways of leveraging something that was already there instead of compromising it from scratch. In many cases the goal no longer appears to be solely to install malware, but to operate from legitimate contexts: an open session, a trusted browser, an installed extension, or an account that has already passed every authentication check.
That caught our attention because many of the people and organizations we accompany depend precisely on those tools. Browsers, extensions, cloud platforms, messaging applications, password managers or services where an authenticated session is worth much more than a password.
Furthermore, many of the techniques that end up appearing in civil society contexts are not necessarily born there. They usually circulate first in financial fraud campaigns, credential theft or criminal ecosystems where new ways of obtaining access, persistence or control are tested, modified and reused.
That is why we ended up reading about Casbaneiro when we were trying to understand how a wallet had been compromised. Or about extensions when we were searching for traces in a browser. Or about session theft when the original question seemed to point the other way.
We still don’t know exactly what happened in the case that gave rise to this story. There are still pieces that don’t fit and unanswered questions. But after several months of following campaigns, infrastructure, malware and techniques that appear again and again in Latin America, the impression we are left with is that we are investigating fewer and fewer isolated incidents and more chains that intersect, mix and reappear in different places.
And that’s why we continue to observe them.
--[ Threat Intelligence ]--
AI / Open software — A fake repository reached the top of Hugging Face distributing malware
A repository that imitated a legitimate OpenAI project managed to position itself among the most popular on Hugging Face before being removed for distributing an infostealer aimed at stealing credentials, sessions and wallets. The research also found other linked repositories that reused the same infrastructure and download mechanisms. The case shows how AI ecosystems are also becoming spaces where reputation, popularity and trust can be manipulated to distribute malware at scale.
DAEMON Tools — Supply chain attack hit targets in Brazil
An attack attributed to UNC6863 compromised official DAEMON Tools installers to distribute malicious code signed with legitimate certificates from the software itself. The operation began with massive infections aimed at profiling compromised equipment, but only a small portion received additional implants such as BADFALL and QUIC RAT. The most advanced stages were deployed against a small set of organizations, including government, scientific, manufacturing and commercial entities in countries such as Brazil, Russia, Turkey, Belarus and Thailand.
--[ Surveillance and espionage ]--
Panama and Venezuela — groups linked to China target government entities
In its APT activity report, ESET documented espionage operations attributed to Chinese-aligned groups against government entities in Panama and Venezuela. Among the cases described are FamousSparrow, which compromised a Venezuelan entity related to maritime affairs, and NegativeGlimmer, observed in Panamanian government organizations. According to ESET, these operations coincide with Chinese interests in maritime, energy and political issues, in a context of growing activity by state espionage groups in Latin America and the Caribbean.
Mexico / USA / Canada — The World Cup also comes with facial recognition, anti-drone systems and expanded surveillance
With the start of the 2026 World Cup, various reports and organizations have been following the deployment of surveillance technologies in the host cities. Among the announced measures are facial recognition systems in stadiums, real-time monitoring platforms, anti-drone technologies, integrated command centers and hundreds of new surveillance cameras. There is concern about the lack of transparency on how these systems are used, especially regarding facial recognition, biometric data retention and possible communications interception capabilities. In the case of the United States, the discussion also touches on migrant communities, at a time when biometrics, identification systems and other surveillance technologies occupy an increasingly visible place within immigration and border control policies.
--[ Malware ]--
Brazil / Argentina — BTMOB and the ease of building campaigns for Android
ESET analyzed BTMOB, an Android malware that captures information, monitors activity and takes remote control of the device. Beyond the RAT capabilities, the report shows something that appears more and more frequently: the sale of ready-to-use kits, with panels that generate new malicious applications and adapt campaigns for different countries. Researchers documented lures that mimicked tax agencies in Argentina and fake sites designed to distribute the apps. BTMOB appears to be part of a market where surveillance and control capabilities over mobile devices are becoming increasingly easy to purchase, reuse and redistribute.
--[ Technical analysis ]--
SilabRAT relies on browser profiles, active sessions and cryptocurrency wallets
Group-IB published an analysis of SilabRAT, a tool marketed as a service on criminal forums that incorporates features for cloning browser profiles, hijacking active sessions, and controlling computers through HVNC. The malware also includes modules for retrieving credentials, accessing cookies, monitoring browser activity, and extracting cryptocurrency-related information. The report also documents its distribution through ClickFix campaigns and describes features that seek to replicate a victim's browser profile, including extensions, local storage and other elements that some services use to verify the identity of whoever is logging in.
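The profile replication the report describes matters because of how services recognise a returning browser. The Python sketch below is an added example, not code from this newsletter nor from Group-IB's analysis: it models a toy service that first binds a session to a client-visible fingerprint (user agent, extension list, a localStorage id) and then to a key held outside the profile. A cookie copied on its own fails the fingerprint check, a faithful profile clone passes it, and only the key-bound check rejects the clone. The service, cookie layout and fingerprint fields are constructed for the example, and the symmetric HMAC key stands in for the asymmetric, hardware-held key a real device-bound scheme would use (an assumption of this sketch, not something the report describes).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Client:
    """A browser profile as an attacker would copy it (cookies, UA, extensions,
    localStorage) plus a key that, by assumption, lives outside the profile."""
    cookies: dict = field(default_factory=dict)
    user_agent: str = ""
    extensions: tuple = ()
    local_storage: dict = field(default_factory=dict)
    device_key: Optional[bytes] = None  # ASSUMPTION: TPM/keychain-held, never written into the profile


def clone_profile(victim: Client) -> Client:
    """Profile cloning as the report describes it: everything stored in the profile
    is copied verbatim. The device-held key is not, because it is not in the profile."""
    return Client(cookies=dict(victim.cookies),
                  user_agent=victim.user_agent,
                  extensions=tuple(victim.extensions),
                  local_storage=dict(victim.local_storage),
                  device_key=None)


def fingerprint(c: Client) -> str:
    """Client-visible attributes a service might hash to 'recognise' a browser.
    All of them are reproduced by a faithful profile clone."""
    material = "|".join([c.user_agent,
                         ",".join(sorted(c.extensions)),
                         c.local_storage.get("client_id", "")])
    return hashlib.sha256(material.encode()).hexdigest()


def client_sign(c: Client, nonce: bytes) -> Optional[bytes]:
    """What the browser would compute for a key-bound session: a proof over a
    fresh server nonce. HMAC stands in for an asymmetric signature (assumption)."""
    if c.device_key is None:
        return None
    return hmac.new(c.device_key, nonce, hashlib.sha256).digest()


class Service:
    """Toy server keeping, per session, the fingerprint seen at login and
    (optionally) the key the session is bound to."""

    def __init__(self) -> None:
        self.sessions: dict = {}

    def login(self, c: Client, bind_key: bool) -> None:
        sid = secrets.token_hex(16)
        c.cookies["session"] = sid
        c.local_storage.setdefault("client_id", secrets.token_hex(8))
        self.sessions[sid] = {"fp": fingerprint(c),
                              "key": c.device_key if bind_key else None}

    def check_fingerprint(self, c: Client) -> bool:
        """Weak binding: cookie valid and fingerprint unchanged since login."""
        rec = self.sessions.get(c.cookies.get("session"))
        return rec is not None and rec["fp"] == fingerprint(c)

    def check_key_bound(self, c: Client) -> bool:
        """Stronger binding: the client must prove possession of the login-time key
        over a nonce that is fresh per request, so a captured proof cannot be replayed."""
        rec = self.sessions.get(c.cookies.get("session"))
        if rec is None or rec["key"] is None:
            return False
        nonce = secrets.token_bytes(16)
        proof = client_sign(c, nonce)
        expected = hmac.new(rec["key"], nonce, hashlib.sha256).digest()
        return proof is not None and hmac.compare_digest(proof, expected)


def demo() -> dict:
    """Constructed scenario: a victim logs in, then the attacker holds either the
    bare cookie (old-style session theft) or a full clone of the profile."""
    svc = Service()
    victim = Client(user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0",
                    extensions=("uBlock Origin", "MetaMask"),
                    device_key=secrets.token_bytes(32))
    svc.login(victim, bind_key=True)
    cookie_only = Client(cookies=dict(victim.cookies), user_agent="curl/8.5")
    clone = clone_profile(victim)
    return {
        "victim_fingerprint": svc.check_fingerprint(victim),            # True
        "cookie_only_fingerprint": svc.check_fingerprint(cookie_only),  # False: UA/extensions differ
        "clone_fingerprint": svc.check_fingerprint(clone),              # True: the clone reproduces them
        "victim_key_bound": svc.check_key_bound(victim),                # True
        "clone_key_bound": svc.check_key_bound(clone),                  # False: key not in the profile
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point of the comparison is that anything a service reads back from the browser (user agent, extensions, localStorage, cookies) is by definition inside the profile, so a tool that copies the profile reproduces it; only material the profile does not contain, such as a key kept in hardware and used to answer a fresh challenge, survives cloning.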
--[ Ransomware ]--
Guatemala — The Gentlemen appears again
In this edition's snapshot, Exfiltradaz recorded the publication of Liztex Guatemala on channels associated with The Gentlemen, one of the most active ransomware operations of 2026. A recent report describes how the group went from working as an affiliate of other ransomware programs to operating independently, racking up hundreds of victims in countries such as Brazil, India, the United Kingdom and Thailand. For those who follow Anomalía, The Gentlemen is not a new name: it has appeared several times over the last few months in our region.
--[ Leaks ]--
Uruguay — LaPampaLeaks offers citizen searches in exchange for cryptocurrencies
LaPampaLeaks published personal information of the current Minister of the Interior, a former president and other Uruguayan public figures to promote a paid search service in Bitcoin. The group claims to have access to information from different databases in the country, including identity records, education and state platforms. Days earlier, the organization had claimed responsibility for the leak of data from TuID, the digital identity system operated by Antel.
--[ Digital Violence ]--
ShinyHunters and Scattered Spider appear linked to broader networks of sextortion and violence
An investigation explores the links between groups known for intrusions into tech companies, such as ShinyHunters, Lapsus$ and Scattered Spider, and a broader criminal ecosystem known as The Com. According to the report, the boundaries between access theft, fraud, sextortion, sexual exploitation and other forms of violence are far less clear than cybercrime coverage usually reflects. The topic caught our attention because ShinyHunters had previously appeared in Anomalía in connection with leaks affecting dating applications used in the region.
--[ ZOLIM - This week's snapshot (06/10/2026) ]--
ZOLIM reports 12 new IPs. Highlights:
- We identified an interesting pattern in ASNs belonging to the Colombian telephone and internet provider Tigo (AS27831, AS3816). On the one hand there are IP rotations on the Atlantic coast (Barranquilla, Soledad, Valledupar) hosting AsyncRAT and DcRat; on the other, IP rotations in Santander (Girón, Bucaramanga) hosting GoPhish. It looks as if local cybercrime is abusing local infrastructure: a provider that hands out public addresses makes malicious infrastructure easier and (surely) cheaper to maintain. If these IPs are assigned to mobile connections, the model probably also offers some degree of anonymity.
- We found a GoPhish instance in Mexico running on IPs of the Secretariat of Foreign Affairs. One of the domains associated with that IP, however, looks like a page that warns about and educates on phishing, so this GoPhish may be used in awareness testing. Exactly how they do it would be interesting to know.
- Two instances of Hak5 Cloud C2 were found in this snapshot, one in Brazil and the other in Mexico. Since this is not one of the most popular frameworks, it is notable that two new ones appear in this iteration of ZOLIM.
You can consult all the information and explore by country, IP, city, threat and other filters in the ZOLIM dashboard.
--[ Exfiltradaz - Snapshot from 05/29/2026 to 06/12/2026 ]--
During this period, 19 references to leaks linked to 6 countries in the region were recorded. Brazil continues to concentrate most of the observed activity, mainly associated with the circulation of credentials, accesses and databases shared on different forums. Guatemala registers an increase compared to the previous period and appears both in publications related to ransomware and in references to exposed databases.
Activity continues to be distributed mainly across platforms such as niflheim, darkweb and blackhatworld, with 5 new actors observed. In addition to the usual circulation of credentials and accesses, this period brought references to government information in Venezuela, a new victim of The Gentlemen in Guatemala, and records associated with financial and business sectors in different countries of the region.
More details of these leaks in Exfiltradaz.