Brazilian Hackers Launch SambaSpy Malware Through Phishing

A new malware family named SambaSpy has been discovered targeting users exclusively in Italy through a phishing campaign. The operation, attributed to a Brazilian Portuguese-speaking threat actor, stands out because it is aimed solely at Italian victims; most attackers cast a wider net to maximize their gains.

According to a report, the attackers may be testing their methods on Italian users before expanding the operation to other countries. The attack begins with phishing emails carrying either an HTML attachment or an embedded link, each of which starts a different infection chain.

If the recipient opens the HTML attachment, it drops a ZIP archive containing either a downloader or a dropper; both ultimately deploy SambaSpy.

The downloader fetches the malicious payload from a remote server, whereas the dropper already carries the payload inside the ZIP archive and simply extracts it. The second, more elaborate chain starts from a phishing link. Visitors who do not match the attackers' targeting criteria are redirected to a legitimate invoice on FattureInCloud, an Italian cloud invoicing service, so that a casual check of the link sees nothing suspicious.
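The attachment chain above (an HTML file that rebuilds a ZIP on the victim's machine) is the pattern usually called HTML smuggling: the archive is embedded in the page as a base64 string and written to disk by script. The following detector is an added example written for this article, not code from the report or from the malware. It assumes the common base64-in-JavaScript layout, which the page does not spell out, and it builds its own constructed sample attachment so it runs offline. Because a JAR is a ZIP with a manifest, the same magic-byte check catches a Java payload like the one this article describes.

```python
import base64
import binascii
import io
import re
import zipfile

# A base64 run long enough to hold a real archive; short tokens are ignored.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

# Member extensions that have no business inside an e-mailed HTML attachment.
SUSPICIOUS_EXT = (".jar", ".exe", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".scr", ".lnk", ".msi")


def find_embedded_archives(html: bytes) -> list:
    """Return one finding per base64 blob in `html` that decodes to a ZIP/JAR."""
    findings = []
    for m in _B64_RUN.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid base64 (or split into chunks); skip
        if not data.startswith(b"PK\x03\x04"):
            continue  # decodes, but is not a ZIP local-file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []  # truncated archive: still report it, without a listing
        findings.append({
            "offset": m.start(),
            "size": len(data),
            "members": names,
            "is_jar": "META-INF/MANIFEST.MF" in names,
            "suspicious_members": [n for n in names if n.lower().endswith(SUSPICIOUS_EXT)],
        })
    return findings


def build_sample_html() -> bytes:
    """Constructed sample for this example only: an HTML-smuggling page that
    rebuilds a ZIP holding a fake .jar client-side. Not a real SambaSpy artifact;
    file names and script are invented."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Dropper\n")
        zf.writestr("Dropper.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)  # placeholder bytes, not bytecode
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Fattura_2024_0917.jar", inner.getvalue())
    payload_b64 = base64.b64encode(outer.getvalue())
    decoy_b64 = base64.b64encode(b"Lorem ipsum " * 30)  # benign blob the scanner must ignore
    return (
        b"<html><body><p>Documento in allegato.</p>\n"
        b"<img src='data:text/plain;base64," + decoy_b64 + b"'>\n"
        b"<script>\n"
        b"var b = atob('" + payload_b64 + b"');\n"
        b"var a = new Uint8Array(b.length); for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);\n"
        b"var blob = new Blob([a], {type: 'application/zip'});\n"
        b"var l = document.createElement('a'); l.href = URL.createObjectURL(blob);\n"
        b"l.download = 'Fattura.zip'; l.click();\n"
        b"</script></body></html>\n"
    )


if __name__ == "__main__":
    for f in find_embedded_archives(build_sample_html()):
        print(f"ZIP at offset {f['offset']} ({f['size']} bytes): {f['members']}")
        if f["suspicious_members"]:
            print("  suspicious members:", f["suspicious_members"])
```

Run it against a quarantined .html attachment by passing the file's bytes to `find_embedded_archives`. Real samples often split the base64 string across several concatenated JavaScript literals or reverse it; a production scanner should normalise those before decoding, which this example deliberately leaves out.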

Targets that do match the criteria, such as a user browsing with an Italian-language build of Chrome, Firefox, or Edge, are instead redirected to a malicious file hosted on Microsoft OneDrive or MediaFire. A consequence of this filtering is that an analyst who opens the link from a non-Italian system is shown only the harmless decoy.
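Because the redirector serves different content depending on who asks, a single fetch from an analysis sandbox can miss the payload entirely. The probe below is an added example written for this article, not tooling from the report: it requests a suspicious URL under several header profiles and reports whether the final destination differs between them. It assumes the gate keys on the Accept-Language and User-Agent headers, which is the usual way a browser's language is visible to a server but is not stated on the page. `simulated_gate` is a constructed stand-in for the attackers' redirector, modelled only on the behaviour described above, with invented placeholder paths; swap in `live_fetch` to probe a real link from an isolated host.

```python
import urllib.request
from urllib.parse import urlsplit

_CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36")

# Header profiles: the first mimics a typical English-language analysis sandbox,
# the others mimic Italian-language Chrome, Firefox and Edge users.
PROFILES = {
    "en-US Chrome": {"User-Agent": _CHROME_UA, "Accept-Language": "en-US,en;q=0.9"},
    "it-IT Chrome": {"User-Agent": _CHROME_UA, "Accept-Language": "it-IT,it;q=0.9,en;q=0.8"},
    "it-IT Firefox": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0",
        "Accept-Language": "it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3",
    },
    "it-IT Edge": {"User-Agent": _CHROME_UA + " Edg/128.0.0.0", "Accept-Language": "it-IT,it;q=0.9,en;q=0.8"},
}


def live_fetch(url: str, headers: dict) -> str:
    """Follow redirects and return the final URL. Use only from an isolated analysis host."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl()


def simulated_gate(url: str, headers: dict) -> str:
    """Constructed stand-in for the redirector described in the article: Italian-language
    Chrome/Firefox/Edge is sent to the payload host, everyone else to the decoy invoice.
    The paths are placeholders invented for this example."""
    ua = headers.get("User-Agent", "")
    lang = headers.get("Accept-Language", "").lower()
    target_browser = any(tok in ua for tok in ("Chrome/", "Firefox/", "Edg/"))
    if lang.startswith("it") and target_browser:
        return "https://www.mediafire.com/file/EXAMPLE/Fattura.jar"
    return "https://secure.fattureincloud.it/EXAMPLE"


def probe_cloaking(url: str, fetch=live_fetch) -> dict:
    """Fetch `url` under every profile; flag it as cloaked if the final hosts differ."""
    destinations = {}
    for label, headers in PROFILES.items():
        try:
            destinations[label] = fetch(url, headers)
        except Exception as exc:  # an error for one profile only is itself a signal
            destinations[label] = f"error:{exc.__class__.__name__}"
    hosts = {urlsplit(u).netloc.lower() for u in destinations.values()}
    return {"destinations": destinations, "cloaked": len(hosts) > 1}


if __name__ == "__main__":
    result = probe_cloaking("https://phish.example/invoice", fetch=simulated_gate)
    for label, dest in result["destinations"].items():
        print(f"{label:14s} -> {dest}")
    print("cloaked:", result["cloaked"])
```

When `cloaked` is true, the profile that reached a different host tells you which victims the campaign is filtering for, and the destination under that profile is the one to pull into the sandbox.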

SambaSpy is a feature-rich Remote Access Trojan (RAT) written in Java, which makes it well suited to cyber espionage. Its capabilities include file management, process control, webcam access, keylogging, clipboard monitoring, and screen capture.

It can also upload and download files, provide remote desktop access, and execute commands through a remote shell. SambaSpy extends itself by loading additional plugins at runtime, and it steals credentials saved in browsers such as Chrome, Edge, and Brave.

Evidence suggests that the group behind SambaSpy is also eyeing targets in Brazil and Spain, pointing to a broader expansion of its operations. Brazilian Portuguese strings in the code, together with infrastructure ties to Brazil, fit a growing pattern of Latin American threat actors targeting European countries with which they share linguistic and cultural ties, particularly Italy, Spain, and Portugal.

To defend against phishing attacks like those delivering SambaSpy, organizations should keep endpoint protection and mail filtering current, enable multi-factor authentication (which limits what an attacker can do with the credentials the RAT steals, though it does not prevent the infection itself), and train users not to open unexpected HTML attachments or follow links in unsolicited invoices. Because the RAT is a Java program delivered inside an archive, blocking or quarantining JAR and archive attachments at the mail gateway removes a delivery path. Monitoring for unusual file and process behavior and limiting access to sensitive systems reduce the damage if an infection does succeed.