Kiron: Rust Adoption and Browser Extensions

Kiron operators used HTA file naming conventions such as ❉VER CUENTA❉_, ❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤❉_, and ❉processo❉_, which align closely with SAMBA SPIDER’s Mispadu naming scheme of ❉<STRING_IN_SPANISH>❉_<RANDOM_CHARACTERS>.hta. These shared patterns further underline the connection between the two sets of activities.
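As an added example (not code from the original report), the sketch below matches the naming scheme above against file paths and applies NFKC normalization, so that stylized lure text such as 𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤 is recovered as plain text for triage. The function names, the alphanumeric alphabet assumed for the random suffix, and the sample paths are assumptions constructed for illustration.

```python
import re
import unicodedata

MARK = "❉"  # delimiter character seen in the file names quoted above

# Scheme from the text: ❉<lure string>❉_<random characters>.hta
# Assumption: the random part is ASCII alphanumeric; widen the class if needed.
PATTERN = re.compile(
    rf"^{MARK}(?P<lure>[^{MARK}]+){MARK}_(?P<suffix>[A-Za-z0-9]+)\.hta$",
    re.IGNORECASE,
)

def match_lure_name(path):
    """Return (normalized lure, suffix) if the base name fits the scheme, else None."""
    name = re.split(r"[\\/]", path)[-1]  # accept Windows and POSIX separators
    m = PATTERN.match(name)
    if m is None:
        return None
    # NFKC folds stylized letters (e.g. double-struck) to plain ones, so the
    # lure text can be searched, clustered and compared across samples.
    lure = unicodedata.normalize("NFKC", m.group("lure")).strip()
    return lure, m.group("suffix")

def scan(paths):
    """Map each matching path to its (lure, suffix) pair."""
    hits = {}
    for p in paths:
        result = match_lure_name(p)
        if result is not None:
            hits[p] = result
    return hits

# Constructed sample paths (not taken from any real telemetry).
SAMPLE_PATHS = [
    r"C:\Users\ana\Downloads\❉VER CUENTA❉_k3Jq9x.hta",
    r"C:\Users\ana\Downloads\❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤❉_Zp81Lm.hta",
    "/tmp/mail/❉processo❉_aB44.HTA",
    r"C:\Users\ana\Downloads\report_2024.hta",   # ordinary HTA name, no match
    r"C:\Users\ana\Downloads\❉factura❉_x1.pdf",  # wrong extension, no match
]

if __name__ == "__main__":
    for path, (lure, suffix) in scan(SAMPLE_PATHS).items():
        print(f"{lure!r:14} suffix={suffix!r:10} {path}")
```

Matching on the delimiter and extension while normalizing only the captured lure keeps the rule strict but makes the extracted text comparable across font-substituted variants.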

July 2024: NestoLoader Integration

The browser-stealer extension comprises two JS files with distinct functionalities:

String Obfuscation

In September 2023, Caiman developers implemented a custom string obfuscation process designed to enhance the malware’s defense evasion capabilities. This new method marked a departure from the widely recognized XOR-based algorithm commonly used by other LATAM malware families.
