Beware the CMDStealer: Cybercriminals’ New Tool to Exploit Online Banking Vulnerabilities in Latin American and European Countries

Cybercriminals continue to target unsuspecting victims around the world, using advanced tactics and techniques to compromise online accounts and steal valuable data. The latest campaign to emerge on the scene is Operation CMDStealer, a series of attacks carried out by a Brazilian threat actor targeting Spanish and Portuguese-speaking victims in Mexico, Peru and Portugal.

This campaign, which has been attributed to a specific threat actor group, leverages a range of techniques to avoid detection, including social engineering, geofenced files, and LOLBaS and CMD-based scripts. The aim of the campaign is to steal data from online banking accounts in targeted countries and siphon funds into the attacker’s accounts.

In this article, we will examine the details of Operation CMDStealer and the Nigerian cybercrime ring’s financial fraud scams that use business email compromise tactics.

Operation CMDStealer: A Brazilian Threat Actor Targeting Spanish and Portuguese-Speaking Victims

Cybersecurity researchers have identified a recent campaign dubbed Operation CMDStealer, in which a Brazilian threat actor is targeting Spanish and Portuguese-speaking victims in Mexico, Peru, and Portugal to compromise their online banking accounts. The group has been found to use advanced tactics, including geofencing, social engineering, and exploited scripts, to avoid conventional security measures and target online business accounts, which typically have better cash flows.

Social engineering as the primary attack method

The primary attack vector employed by the Operation CMDStealer campaign is social engineering. The threat actors leverage Portuguese and Spanish email messages containing tax or traffic violation-themed lures to trigger infections and gain unauthorized access to victims’ systems. Once a victim is engaged, the attacker can execute the next phase of the attack chain, which usually involves creating a remote control shell, installing malware, or stealing sensitive data.

Geofencing is a technology that creates a virtual boundary around a physical area using GPS or RFID data. It is not typically associated with file stealing or data theft. Additionally, it is not appropriate or legal to use AutoIt scripts or any other software to unlawfully obtain data from others. It is important to respect and protect the privacy and security of others.

Another strategic element employed by the Operation CMDStealer threat actor is the use of geofenced files. These files leverage AutoIt scripts to download Visual Basic script components, which then carry out the theft of password data from the victim’s system. The files are geofenced to specific countries, ensuring that they are not overexposed to security systems that monitor and block malicious activity. This enables the threat actor to evade endpoint protection platform (EPP) solutions, offering greater privacy and ease of operation.

Leveraging LOLBaS and CMD-based scripts to avoid detection

In addition to leveraging geofenced files, the Operation CMDStealer threat actor is also using LOLBaS and CMD-based scripts to avoid detection by traditional security measures. These scripts help the attacker to bypass security systems by leveraging built-in Windows tools and commands that evade endpoint protection. This allows the threat actor to harvest and exfiltrate sensitive data undetected.

Harvested information sent to attacker’s server via HTTP POST request

Once the CMDStealer threat actor has harvested the necessary information from the victim’s system, the data is transmitted back to the attacker’s server using an HTTP POST request. This procedure prevents detection by security systems, providing a secure and private way to siphon funds from online banking accounts.

Targeting Online Business Accounts with Better Cashflow in Mexico

Based on the available configuration data used to target victims in Mexico, Operation CMDStealer is particularly interested in online business accounts that typically have a better cash flow. The threat actors are using advanced social engineering and geofencing techniques to target these accounts, often using tax or traffic violation-themed lures to trigger the infection and compromise of the account.

Nigerian cybercrime ring’s financial fraud scams using business email compromise

Operation CMDStealer is not the first cybercrime campaign to use business email compromise tactics. In January 2017, cybersecurity firm ESET exposed a Nigerian cybercrime ring that executed complex financial fraud scams by targeting businesses, banks, and unsuspecting individuals. The bad actors used phishing attacks to obtain access to corporate email accounts and tricked their business partners into sending money to bank accounts controlled by the criminals.

Operation CMDStealer is another example of the growing sophistication of cybercriminal tactics and techniques. As more businesses and individuals move their financial activities online, cybersecurity must remain vigilant in protecting against these types of attacks. To mitigate the risk of these threats, it is essential to maintain robust cybersecurity protocols and train employees to identify and avoid social engineering tactics used by malicious actors.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable