PULSE NAME
Inside agenteV2: How Brazilian Attackers Use Fake Court Summons to Steal Banking Credentials in Real Time
WHITE PetrP.73 2026-04-26 Modified: 2026-05-26
26 IOCs
MEDIUM VOLUME
The article discusses a highly sophisticated phishing campaign in Brazil that uses malware known as agenteV2. This interactive banking trojan masquerades as an official judicial summons to deceive victims into downloading a malicious payload. Once executed, the malware establishes a persistent WebSocket backdoor that gives attackers real-time access to the victim's system, enabling live financial fraud and credential theft. The threat primarily targets users in Brazil, focusing on major banks and cryptocurrency wallet extensions, which raises serious concerns for organizations with employees who may be exposed to the campaign.
Indicators of Compromise (26)