Kiron: Rust Adoption and Browser Extensions
Kiron operators used HTA file naming conventions such as ❉VER CUENTA❉_, ❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤❉_, and ❉processo❉_, which align closely with SAMBA SPIDER’s Mispadu naming scheme of ❉<STRING_IN_SPANISH>❉_<RANDOM_CHARACTERS>.hta. These shared patterns further underline the connection between the two sets of activities.
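The naming scheme above can be turned into a file-name check for triage of download folders or mail attachments. The following is an added example, not code from the original report: the sample names are constructed, and the suffix alphabet (ASCII letters and digits) and the 64-character lure limit are assumptions.

```python
import re
import unicodedata

MARKER = "\u2749"  # the ❉ delimiter used in the file names quoted on this page

# ❉<lure>❉_<suffix>.hta ; suffix alphabet and lure length limit are assumptions
PATTERN = re.compile(
    rf"^{MARKER}(?P<lure>[^{MARKER}]{{1,64}}){MARKER}_(?P<suffix>[A-Za-z0-9]+)\.hta$",
    re.IGNORECASE,
)

def classify(path):
    """Return details for a name matching the scheme, or None if it does not."""
    name = re.split(r"[\\/]", path)[-1]  # accept Windows and POSIX paths
    m = PATTERN.match(name)
    if not m:
        return None
    raw = m.group("lure")
    # NFKC folds styled code points (e.g. double-struck letters) to plain
    # letters, so one lure keyword list covers both spellings.
    folded = unicodedata.normalize("NFKC", raw)
    return {
        "file": name,
        "lure": folded.casefold(),
        "styled_unicode": folded != raw,
        "suffix": m.group("suffix"),
    }

def scan(paths):
    """Classify every path and keep only the matches."""
    return [hit for hit in map(classify, paths) if hit]

# Constructed sample names; the suffixes are placeholders, not observed values.
SAMPLES = [
    "❉VER CUENTA❉_a1b2c3.hta",
    "❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤❉_x9y8z7.hta",
    "C:\\Users\\user\\Downloads\\❉processo❉_q4w5e6.HTA",
    "invoice_2024.hta",
    "❉processo❉_q4w5e6.txt",
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```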
July 2024: NestoLoader Integration
The browser-stealer extension comprises two JS files with distinct functionalities:
String Obfuscation
In September 2023, Caiman developers implemented a custom string obfuscation process designed to enhance the malware’s defense evasion capabilities. This new method marked a departure from the widely recognized XOR-based algorithm commonly used by other LATAM malware families.