Proofpoint researchers identified a new group, TA2721 distributing Spanish-language email threats.
The group often targets individuals with Spanish-language surnames at global organizations representing multiple different industries.
The infection chain features a PDF containing a URL that leads to an encrypted RAR file which installs Bandook malware.
The threat actor tends to use the same command and control (C2) infrastructure for weeks or months at a time.
Proofpoint has only seen three different C2 domains.
Bandook is an old malware that is not used by many threat actors.
SkyWatchSM Alert Legend
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
Disclosure is Not Limited.
Limited Disclosure, Restricted Only to the Community.
Limited Disclosure, restricted to the Participant's Organization.
Not for Disclosure, Restricted/ Classified - Only Shared with US DHS.