A set of malware campaigns have been discovered targeting travel and hospitality businesses in Latin America.

About the campaigns

Cisco Talos researchers disclosed that the campaigns targeting Latin firms have been spreading commodity RATs and using a .NET-based crypter service 3losh.
  • Hackers use malspam to deliver malicious macro-enabled documents as the entry point.
  • The infection is then followed by a modular chain of PowerShell and VB scripts to disable anti-virus protection and deliver RATs.
  • The campaigns found delivering RAT families including njRAT and AsyncRAT.
  • These campaigns use either compromised or attacker-controlled websites to host their tools and payloads.

More insights

Furthermore, security analysts stumbled across multiple campaigns using the same 3losh crypter and infection scripts to spread njRAT and AsyncRAT.
  • The use of crypter builders shows that the attackers are using malware generation capabilities for easy distribution that can be used by their customers, affiliates, and operators.
  • According to experts, there are signs that actors behind the campaign are not the one who developed the crypter but is, in fact, a Brazilian since the content of the email is in almost perfectly Brazilian Portuguese.


The use of crypters and the modular nature of attacks indicate that the attackers are actively expanding their operations. In the future, these attacks could target other industries and geographies as well. Moreover, the widespread use of malicious services indicates that malware developers are growing professionally and acting as global criminal organizations.

Cyware Publisher