Beware the CMDStealer: Cybercriminals’ New Tool to Exploit Online Banking Vulnerabilities in Latin American and European Countries

Cybercriminals continue to target unsuspecting victims around the world, using advanced tactics and techniques to compromise online accounts and steal valuable data. The latest campaign to emerge on the scene is Operation CMDStealer, a series of attacks carried out by a Brazilian threat actor targeting Spanish and Portuguese-speaking victims in Mexico, Peru and Portugal.

This campaign, which has been attributed to a specific threat actor group, leverages a range of techniques to avoid detection, including social engineering, geofenced files, and LOLBaS and CMD-based scripts. The aim of the campaign is to steal data from online banking accounts in targeted countries and siphon funds into the attacker’s accounts.

In this article, we will examine the details of Operation CMDStealer and the Nigerian cybercrime ring’s financial fraud scams that use business email compromise tactics.

Operation CMDStealer: A Brazilian Threat Actor Targeting Spanish and Portuguese-Speaking Victims

Cybersecurity researchers have identified a recent campaign dubbed Operation CMDStealer, in which a Brazilian threat actor is targeting Spanish and Portuguese-speaking victims in Mexico, Peru, and Portugal to compromise their online banking accounts. The group has been found to use advanced tactics, including geofencing, social engineering, and exploited scripts, to avoid conventional security measures and target online business accounts, which typically have better cash flows.

Social engineering as the primary attack method

The primary attack vector employed by the Operation CMDStealer campaign is social engineering. The threat actors leverage Portuguese and Spanish email messages containing tax or traffic violation-themed lures to trigger infections and gain unauthorized access to victims’ systems. Once a victim is engaged, the attacker can execute the next phase of the attack chain, which usually involves creating a remote control shell, installing malware, or stealing sensitive data.

Geofencing is a technology that creates a virtual boundary around a physical area using GPS or RFID data. It is not typically associated with file stealing or data theft. Additionally, it is not appropriate or legal to use AutoIt scripts or any other software to unlawfully obtain data from others. It is important to respect and protect the privacy and security of others.

Another strategic element employed by the Operation CMDStealer threat actor is the use of geofenced files. These files leverage AutoIt scripts to download Visual Basic script components, which then carry out the theft of password data from the victim’s system. The files are geofenced to specific countries, ensuring that they are not overexposed to security systems that monitor and block malicious activity. This enables the threat actor to evade endpoint protection platform (EPP) solutions, offering greater privacy and ease of operation.

Leveraging LOLBaS and CMD-based scripts to avoid detection

In addition to leveraging geofenced files, the Operation CMDStealer threat actor is also using LOLBaS and CMD-based scripts to avoid detection by traditional security measures. These scripts help the attacker to bypass security systems by leveraging built-in Windows tools and commands that evade endpoint protection. This allows the threat actor to harvest and exfiltrate sensitive data undetected.

Harvested information sent to attacker’s server via HTTP POST request

Once the CMDStealer threat actor has harvested the necessary information from the victim’s system, the data is transmitted back to the attacker’s server using an HTTP POST request. This procedure prevents detection by security systems, providing a secure and private way to siphon funds from online banking accounts.

Targeting Online Business Accounts with Better Cashflow in Mexico

Based on the available configuration data used to target victims in Mexico, Operation CMDStealer is particularly interested in online business accounts that typically have a better cash flow. The threat actors are using advanced social engineering and geofencing techniques to target these accounts, often using tax or traffic violation-themed lures to trigger the infection and compromise of the account.

Nigerian cybercrime ring’s financial fraud scams using business email compromise

Operation CMDStealer is not the first cybercrime campaign to use business email compromise tactics. In January 2017, cybersecurity firm ESET exposed a Nigerian cybercrime ring that executed complex financial fraud scams by targeting businesses, banks, and unsuspecting individuals. The bad actors used phishing attacks to obtain access to corporate email accounts and tricked their business partners into sending money to bank accounts controlled by the criminals.

Operation CMDStealer is another example of the growing sophistication of cybercriminal tactics and techniques. As more businesses and individuals move their financial activities online, cybersecurity must remain vigilant in protecting against these types of attacks. To mitigate the risk of these threats, it is essential to maintain robust cybersecurity protocols and train employees to identify and avoid social engineering tactics used by malicious actors.

Explore more

Can a Unified ERP System Future-Proof Levi Strauss?

Establishing a seamless digital environment for a brand that spans over a hundred nations is a monumental undertaking that requires more than just standard software updates. Currently, Levi Strauss & Co. is navigating a profound transformation of its digital infrastructure, aiming for a mid-2027 completion of a fully integrated global enterprise resource planning system. This strategic overhaul is not merely

Ethereum Faces $10 Billion Liquidation Risk Near $2,000

The current trajectory of Ethereum suggests a massive collision between aggressive retail speculation and sophisticated institutional sell-side pressure as the asset hovers near the $2,000 psychological threshold. This specific price point has historically served as a pivot for broader market sentiment, influencing the behavior of various decentralized finance protocols and secondary layer-two scaling solutions. Currently, the market exhibits a state

ClickLock Malware Coerces macOS Users to Surrender Passwords

Traditional macOS security architectures have long been celebrated for their robust sandboxing and gated execution, yet a new strain of malware is proving that the human element remains the most vulnerable entry point in any digital ecosystem. This threat, known as ClickLock, has emerged as a particularly aggressive evolution in the macOS threat landscape by prioritizing psychological pressure and social

Stalled Windows 11 Migration Poses Growing Security Risks

The global landscape of enterprise computing is currently grappling with a persistent digital divide as a significant segment of users continues to rely on Windows 10 despite the availability of more secure alternatives. The current ecosystem of digital infrastructure remains tethered to legacy architecture, with recent telemetry indicating that approximately one in six workstations worldwide continues to operate on Windows

How Is OpenAI Redefining AI With Precision Engineering?

The shift from experimental conversationalists to precise engineering tools has fundamentally altered the landscape of digital productivity and high-performance computing in 2026. This transition is marked by a move away from the early excitement surrounding generative models toward a rigorous framework centered on deep optimization and granular control. OpenAI has spearheaded this movement with the introduction of the GPT-5.6 Sol