{"id":20342,"date":"2026-04-24T11:02:39","date_gmt":"2026-04-24T11:02:39","guid":{"rendered":"https:\/\/any.run\/cybersecurity-blog\/?p=20342"},"modified":"2026-04-24T13:18:55","modified_gmt":"2026-04-24T13:18:55","slug":"brazilian-banking-phishing-campaign","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/brazilian-banking-phishing-campaign\/","title":{"rendered":"Inside\u00a0agenteV2: How Brazilian Attackers Use Fake Court Summons to Steal Banking Credentials in Real Time\u00a0"},"content":{"rendered":"\n

Editor\u2019s note:<\/strong><\/em> The analysis is authored by Moises Cerqueira, <\/b><\/em>malware researcher & threat hunter. You can find Moises on LinkedIn<\/a> and X<\/a>.<\/em><\/strong><\/p>\n\n\n\n

A new phishing campaign targeting Brazilian users demonstrates how modern financial malware has evolved from simple credential theft into full-scale, operator-driven fraud platforms. Disguised as a judicial summons, this campaign leverages social engineering, multi-stage malware delivery, and real-time remote access capabilities to compromise victims and actively assist attackers in financial theft. <\/strong> <\/p>\n\n\n\n

For organizations, the implications extend beyond individual users. Employees accessing corporate systems, financial platforms, or crypto wallets from infected endpoints can unintentionally expose business-critical assets<\/strong>. The malware\u2019s ability to stream screens, execute commands, and harvest credentials in real time makes it particularly dangerous for finance teams, executives, and organizations operating in or with Brazil. <\/p>\n\n\n\n

This is not just phishing. It\u2019s a live intrusion channel into financial workflows. Technical analysis below.  <\/p>\n\n\n\n

Attack Overview <\/h2>\n\n\n\n

The malware at the heart of this campaign, agenteV2, functions as a full interactive backdoor. Once installed, it streams the victim’s screen to the attacker in real time, enabling live, operator-assisted financial fraud<\/strong>. A human operator watches the victim’s desktop session as it happens, waiting for a banking portal to open, and then takes direct control. <\/p>\n\n\n\n

The malware targets credentials and sessions at seven major Brazilian financial institutions<\/strong> \u2014 Ita\u00fa, Banco do Brasil, Caixa Econ\u00f4mica Federal, Bradesco, Santander, Inter, and Stone \u2014 as well as five major cryptocurrency wallet extensions<\/strong>. It also probes host systems for the presence of specialized Brazilian anti-fraud software (Diebold Warsaw, GbPlugin), indicating deliberate, well-researched targeting of the Brazilian financial ecosystem. <\/p>\n\n\n\n

Executive Summary <\/h2>\n\n\n\n

1. This Is Live Financial Fraud, Not Passive Credential Theft.<\/strong> <\/p>\n\n\n\n

Business perspective<\/strong>: agenteV2 establishes a persistent WebSocket backdoor with live screen streaming and a remote shell. The attacker watches the victim’s screen in real time and acts manually the moment a banking session opens. Financial losses can occur within minutes of infection, before any traditional alert fires. <\/p>\n\n\n\n

Deploy ANY.RUN\u00a0Interactive Sandbox<\/a>\u00a0to detonate suspicious email attachments in a live, controlled environment before they reach employee inboxes.\u00a0<\/p>\n\n\n\n

2. The Lure Is Convincing Enough to Fool Security-Aware Staff.<\/strong> <\/p>\n\n\n\n

Business perspective:<\/strong> The phishing email impersonates a Brazilian federal court using a case number format indistinguishable from authentic CNJ court references. Even employees trained to spot phishing are likely to treat a realistic judicial summons as a high-priority communication requiring immediate action. <\/p>\n\n\n\n

Use ANY.RUN Threat Intelligence Lookup<\/a> to check suspicious email sender domains, embedded URLs, and attachment hashes instantly against a continuously updated threat intelligence database. A 10-second lookup is sufficient to surface this campaign’s known indicators. <\/p>\n\n\n\n

3. The Malware Survives Reboots, IT Maintenance, and Password Resets.<\/strong> <\/p>\n\n\n\n

Business perspective<\/strong>: Three separate persistence mechanisms \u2014 two Scheduled Tasks at maximum privilege and a Registry Run key \u2014 ensure the malware remains operational across reboots, routine IT maintenance, and even password changes.  <\/p>\n\n\n\n

ANY.RUN Threat Intelligence Feeds<\/a> deliver structured IOCs directly into your SIEM and EDR for automated hunting across your entire endpoint fleet. Any host matching these indicators should be treated as actively compromised and isolated immediately. <\/p>\n\n\n\n

4. Blocking the Known C2 IP Is Not Enough.<\/strong> <\/p>\n\n\n\n

Business perspective:<\/strong> The malware reads its command-and-control server address from a public Pastebin page. The attacker can silently rotate to a new IP by editing a single page \u2014 without redeploying, recompiling, or redelivering any malware. IP blocklists become stale within hours of a C2 rotation. <\/p>\n\n\n\n

Replace IP-based blocking with behavior-based detection. The agenteV2 TLS client fingerprint (JA3 hash)) is stable across infrastructure rotations and can be deployed as a detection rule in your IDS\/NDR\/EDR. <\/p>\n\n\n\n

5. Traditional AV Will Not Catch This: Behavioral Analysis Is Required.<\/strong> <\/p>\n\n\n\n

Business perspective: <\/strong>The core stealer DLL is compiled from Python to native machine code with Nuitka \u2014 no bytecode is extractable and standard decompilers do not apply. Files are disguised with legitimate names (wifi_driver.exe, msedge04.exe) and the payload executes entirely in memory before touching disk.  <\/p>\n\n\n\n

Behavioral sandbox analysis is the only reliable pre-execution detection method for Nuitka-compiled threats. The YARA rule in this report (Win_Stealer_AgenteV2_Nuitka) is deployable via ANY.RUN TI infrastructure<\/a> for automated variant detection. <\/p>\n\n\n\n

\n \n\n \n \n \n \n \n \n \n \n
\n Impact Area\u00a0 <\/th>\n \n Assessment\u00a0 <\/th>\n <\/tr>\n
\n Financial Impact\u00a0 <\/td>\n \n Real-time operator-assisted fraud + credential theft targeting major Brazilian banks and crypto wallets\u00a0 <\/td>\n <\/tr>\n
\n Scope\u00a0 <\/td>\n \n Brazilian users judicial lure suggests broad targeting, not\u00a0spearphishing\u00a0 <\/td>\n <\/tr>\n
\n Persistence\u00a0 <\/td>\n \n Triple persistence (Registry Run + two Scheduled Tasks \/rl\u00a0highest)\u00a0 <\/td>\n <\/tr>\n
\n C2 Resilience\u00a0 <\/td>\n \n Pastebin dead-drop resolver enables rapid IP rotation without redeployment\u00a0 <\/td>\n <\/tr>\n
\n Detection Difficulty\u00a0 <\/td>\n \n Nuitka-compiled DLL, Cloudflare proxy, legitimate-looking filenames, WebSocket C2 channel\u00a0 <\/td>\n <\/tr>\n
\n RE Difficulty\u00a0 <\/td>\n \n Core DLL compiled to native code (Nuitka); no extractable bytecode; ~90%\u00a0Nuitka\u00a0boilerplate\u00a0 <\/td>\n <\/tr>\n
\n Threat Classification\u00a0 <\/td>\n \n Interactive Banking Trojan + Infostealer persistent WebSocket backdoor with live screen streaming and remote shell\u00a0 <\/td>\n <\/tr>\n <\/table>\n<\/div>