An ongoing espionage campaign aimed at corporate networks in Latin America has been revealed. It is specifically targeting Venezuela to spy on victims. An upgraded variant of the Bandook malware has been used in these attacks.

How does it work?

ESET dubbed the campaign Bandidos. The targeted sectors include construction, manufacturing, healthcare, retail, and software services.
The attack chain starts with victims receiving malicious emails with a PDF attachment. The attachment has a shortened URL to download a compressed archive.
  • These archives are hosted on SpiderOak, pCloud, or Google Cloud, along with a password for extraction. Once extracted, the archive yields a malware dropper that injects Bandook into an Internet Explorer process.
  • The recent variant of Bandook comes with 132 commands, 120 more than the previously observed variant. This indicates that the attackers have expanded the malware's capabilities.
  • Some of the main commands include listing directory contents, taking screenshots, controlling the cursor on the infected machines, manipulating files, installing malicious DLLs, and others.

A new functionality

One of the interesting features of the recent malware is the ChromeInject functionality. This functionality is aimed at stealing credentials from the victim.
  • The payload downloads a DLL file once communication with the C2 server is established. This file creates a malicious Chrome extension.
  • The malicious Chrome extension attempts to obtain any credentials that the victim adds to a URL. These credentials are saved in Chrome's local storage.
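
For defenders, one way to triage a Chrome profile for an extension planted by a local process rather than installed from the Web Store. This is an added example, not from ESET or the original article. It assumes Chromium's preference layout (`extensions.settings` with `location`, `from_webstore`, `path`, `manifest`) and its install-location codes. The article does not say how Bandook registers its extension, so the check flags every non-store extension for review.

```python
import json
import sys

# Install-location codes from Chromium's extension Location enum (assumption:
# verify against the Chrome build you are auditing).
LOCATIONS = {1: "internal (Web Store)", 2: "external pref", 3: "external registry",
             4: "unpacked", 5: "component", 8: "command line", 9: "policy"}
BUILT_IN = {5, 10}  # component / external component, shipped with Chrome

def audit_extensions(prefs):
    """Return extensions that did not come from the Chrome Web Store."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in sorted(settings.items()):
        location = entry.get("location")
        if location in BUILT_IN:
            continue
        if location == 1 and entry.get("from_webstore", False):
            continue
        manifest = entry.get("manifest", {})  # may be absent for unpacked loads
        findings.append({
            "id": ext_id,
            "location": LOCATIONS.get(location, f"other ({location})"),
            "path": entry.get("path", ""),
            "name": manifest.get("name", "<manifest not cached>"),
            "permissions": manifest.get("permissions", []),
        })
    return findings

# Constructed sample shaped like the "extensions" section of a profile's
# Preferences / Secure Preferences file; IDs, names and paths are made up.
SAMPLE = {"extensions": {"settings": {
    "a" * 32: {"location": 1, "from_webstore": True, "path": "a" * 32 + r"\1.0_0",
               "manifest": {"name": "Store extension", "permissions": ["storage"]}},
    "b" * 32: {"location": 4, "from_webstore": False,
               "path": r"C:\Users\user\AppData\Roaming\sample_ext"},
    "c" * 32: {"location": 5, "path": "resources", "manifest": {"name": "Built-in"}},
    "d" * 32: {"location": 1, "from_webstore": False, "path": "d" * 32 + r"\0.1_0",
               "manifest": {"name": "Sideloaded", "permissions": ["<all_urls>", "storage"]}},
}}}

if __name__ == "__main__":
    prefs = SAMPLE
    if len(sys.argv) > 1:  # optional: path to a real Preferences file
        with open(sys.argv[1], encoding="utf-8") as fh:
            prefs = json.load(fh)
    for f in audit_extensions(prefs):
        print(f"{f['id']}  {f['location']:<22} {f['name']}  {f['path']}  {f['permissions']}")
```

A flagged entry is not proof of compromise, since developer-mode and enterprise-deployed extensions also appear; review the reported path and permissions against what is expected on the host.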


The modifications made to this malware over the years show that the Bandidos cybercriminals are keen to keep using it in future campaigns as well. Moreover, the recent changes make this malware difficult to detect. For protection against such threats, organizations are therefore advised to update and review their security posture regularly.

Cyware Publisher