Beware the CMDStealer: Cybercriminals’ New Tool to Exploit Online Banking Vulnerabilities in Latin American and European Countries

Cybercriminals continue to target unsuspecting victims around the world, using advanced tactics and techniques to compromise online accounts and steal valuable data. The latest campaign to emerge on the scene is Operation CMDStealer, a series of attacks carried out by a Brazilian threat actor targeting Spanish and Portuguese-speaking victims in Mexico, Peru and Portugal.

This campaign, which has been attributed to a specific threat actor group, leverages a range of techniques to avoid detection, including social engineering, geofenced files, and LOLBaS and CMD-based scripts. The aim of the campaign is to steal data from online banking accounts in targeted countries and siphon funds into the attacker’s accounts.

In this article, we will examine the details of Operation CMDStealer and the Nigerian cybercrime ring’s financial fraud scams that use business email compromise tactics.

Operation CMDStealer: A Brazilian Threat Actor Targeting Spanish and Portuguese-Speaking Victims

Cybersecurity researchers have identified a recent campaign dubbed Operation CMDStealer, in which a Brazilian threat actor is targeting Spanish and Portuguese-speaking victims in Mexico, Peru, and Portugal to compromise their online banking accounts. The group has been found to use advanced tactics, including geofencing, social engineering, and exploited scripts, to avoid conventional security measures and target online business accounts, which typically have better cash flows.

Social engineering as the primary attack method

The primary attack vector employed by the Operation CMDStealer campaign is social engineering. The threat actors leverage Portuguese and Spanish email messages containing tax or traffic violation-themed lures to trigger infections and gain unauthorized access to victims’ systems. Once a victim is engaged, the attacker can execute the next phase of the attack chain, which usually involves creating a remote control shell, installing malware, or stealing sensitive data.

Geofencing is a technology that creates a virtual boundary around a physical area using GPS or RFID data. It is not typically associated with file stealing or data theft. Additionally, it is not appropriate or legal to use AutoIt scripts or any other software to unlawfully obtain data from others. It is important to respect and protect the privacy and security of others.

Another strategic element employed by the Operation CMDStealer threat actor is the use of geofenced files. These files leverage AutoIt scripts to download Visual Basic script components, which then carry out the theft of password data from the victim’s system. The files are geofenced to specific countries, ensuring that they are not overexposed to security systems that monitor and block malicious activity. This enables the threat actor to evade endpoint protection platform (EPP) solutions, offering greater privacy and ease of operation.

Leveraging LOLBaS and CMD-based scripts to avoid detection

In addition to leveraging geofenced files, the Operation CMDStealer threat actor is also using LOLBaS and CMD-based scripts to avoid detection by traditional security measures. These scripts help the attacker to bypass security systems by leveraging built-in Windows tools and commands that evade endpoint protection. This allows the threat actor to harvest and exfiltrate sensitive data undetected.

Harvested information sent to attacker’s server via HTTP POST request

Once the CMDStealer threat actor has harvested the necessary information from the victim’s system, the data is transmitted back to the attacker’s server using an HTTP POST request. This procedure prevents detection by security systems, providing a secure and private way to siphon funds from online banking accounts.

Targeting Online Business Accounts with Better Cashflow in Mexico

Based on the available configuration data used to target victims in Mexico, Operation CMDStealer is particularly interested in online business accounts that typically have a better cash flow. The threat actors are using advanced social engineering and geofencing techniques to target these accounts, often using tax or traffic violation-themed lures to trigger the infection and compromise of the account.

Nigerian cybercrime ring’s financial fraud scams using business email compromise

Operation CMDStealer is not the first cybercrime campaign to use business email compromise tactics. In January 2017, cybersecurity firm ESET exposed a Nigerian cybercrime ring that executed complex financial fraud scams by targeting businesses, banks, and unsuspecting individuals. The bad actors used phishing attacks to obtain access to corporate email accounts and tricked their business partners into sending money to bank accounts controlled by the criminals.

Operation CMDStealer is another example of the growing sophistication of cybercriminal tactics and techniques. As more businesses and individuals move their financial activities online, cybersecurity must remain vigilant in protecting against these types of attacks. To mitigate the risk of these threats, it is essential to maintain robust cybersecurity protocols and train employees to identify and avoid social engineering tactics used by malicious actors.

Explore more

Compliance Drives Regulated B2B Influencer Marketing in 2026

The shifting landscape of digital authority has fundamentally transformed how enterprise-level organizations engage with industry experts and thought leaders across global markets. As the professional world moves deeper into this period of technological saturation, the superficial tactics of the past have been replaced by a rigorous commitment to transparency and legal precision. In earlier years, the simple inclusion of a

Transforming Voice of the Customer Into Predictive Action

Corporate boardrooms often overflow with real-time dashboards and complex analytics, yet many organizations still find themselves blindsided by sudden shifts in customer loyalty and market demand. While the technology to capture feedback has become ubiquitous, the structural ability to interpret and act upon that data in a meaningful timeframe remains remarkably rare for the average enterprise. Most traditional systems are

How Will Databricks CustomerLake Redefine Agentic Marketing?

The ongoing evolution of the digital landscape has forced a radical reconsideration of how enterprises capture, process, and ultimately utilize the vast oceans of consumer data generated every second of the day. Modern marketing departments have long struggled with the paradox of having too much information but not enough actionable insight to drive meaningful consumer interactions in real time. The

How Can Small Banks Compete With Global Financial Giants?

Nikolai Braiden has seen the evolution of financial architecture from its early blockchain roots to the current wave of institutional modernization, and today he joins us to dissect a pivotal shift in venture capital. With BankTech Ventures recently deploying $15 million into AI and stablecoin solutions, the landscape for regional banking is undergoing a profound transformation. Braiden’s perspective as an

Bullski Presale Tops the List of Best Meme Coins for 2026

The current cryptocurrency market in 2026 has transitioned into a highly sophisticated arena where institutional standards and community-driven viral momentum converge to create unique financial opportunities. Investors are no longer satisfied with speculative assets lacking fundamental safeguards, leading to a significant shift toward projects that prioritize technical transparency and structured growth. In this evolving landscape, the Bullski presale has emerged