From Brazil with Love: New Tactics from Lampion

Published 31/10/2025 09:33 · Modified 31/10/2025 11:38

Essential information

Tags
2025-10-31, banking trojan, clickfix, lampion, lampion stealer
Related entities
20 observables, 1 intrusion set (apt), 4 techniques (mitre), 2 malware, 2 others

Description

This analysis details a long-running spam campaign by a Brazilian group known for using the . The campaign, active since at least 2019, has evolved its infection chain and components. Key updates include the use of email attachments instead of links, cloud services for ephemeral infrastructure, and lures for initial compromise. The infection process involves multiple stages of obfuscated Visual Basic scripts, culminating in the deployment of an updated . The threat actors demonstrate sophisticated tactics, including IP blacklisting and the use of large file sizes to hinder analysis. The malicious infrastructure is distributed across multiple cloud providers and shows frequent changes in some components while maintaining long-term stability in others. The campaign's persistence and evolution highlight the group's dedication to stealth and evasion techniques.

External references