Latin American banking users have got another new threat to worry about. An active campaign has been discovered targeting users of MercadoLivre - a large e-commerce platform in Latin America. The campaign has been observed to be using Chaes, a multistage infostealer.

What happened?

The infostealer, written in multiple programming languages such as JavaScript,
Vbscript, .NET, Delphi, and Node.js, is specifically used to target Brazilian users. The attacks are focused on MercadoLivre and its payment page MercadoPago.
  • The infostealer spread via phishing campaigns, in which emails claimed that a MercadoLivre purchase has been successful.
  • The attack chain is a combination of various stages, in which LoLbins and other legitimate software are used to avoid detection by AV products.
  • The final payload of this malware is a Node.Js infostealer that extracts information using a node process.
  • In recent months, several variants have been observed with improved encryption and new functionalities being added to the final Node.js module.
  • In addition, it can take screenshots, hook and monitor the Chrome browser, and gather other user information.

Other incidents

In recent months, the use of infostealer among cybercriminals has become a trend.
  • Recently, Jupyter infostealer has been observed targeting businesses and higher education institutions across the U.S.
  • Last month, Ghimob infostealer was found targeting 153 Android applications, including financial applications, in an attempt to steal user credentials.


Cybercriminals are now focusing on stealing information, which can be used for further scams or can be sold for money. Thus, experts suggest protecting important information using strong encryption, applying two-factor authentication, monitoring financial activities, and quickly alerting respective banks if anything suspicious is found.

Cyware Publisher