The Lampion banking trojan is active again and seems to be on the rise with the same C2 server for two years. The attackers use fake banking templates impersonating Portuguese organizations to bait victims into installing malicious loaders.

Hackers’ old infrastructure

According to researchers, Lampion’s TTP and its capabilities have stayed the same since 2019. 
  • The attackers are using the same C2 server geolocated in Russia for two years.
  • Only Lampion’s VBS loader has changed in the past years, although the modus operandi is same as other Brazilian trojans (e.g. Maxtrilha, URSA, and Grandoreiro).

More details

Researchers have obtained the hostname of the remote machine used in the recent version of the Lampion - \WIN-344VU98D3RU.
  • More than 81,000 machines were identified globally; there were about 45,000 in the Netherlands, 25,000 in Russia, 2,500 in Turkey, 2,000 in Ukraine, and 1,500 in the U.S.
  • The hostname seems to be associated with other malware such as bazar and LockBit 2.0.

What’s new?

Though the attack infrastructure is the same, attackers have made a critical change in their techniques.
  • The attackers have expanded the file size by 56MB of junk (the samples from 2019 had around 13.20 KB) for bypassing detection by security solutions. 
  • After some rounds of code cleaning and deobfuscation, 31.7MB of useless lines of code were removed and the final version was 24.7MB which was responsible just for creating other files.
  • This indicates that attackers added a good amount of junk code to make analysis a bit difficult.


Brazilian trojans are spreading fast with multiple variants of malware targeting banking organizations. These variants come with different peculiarities, with an aim to stay hidden and avoid detection. Thus, organizations are recommended to make use of provided IOCs for better detection of Lampion or similar threats.
Cyware Publisher