Since March 2024, X-Force has observed phishing campaigns impersonating Mexico’s Tax Administration Service (SAT), Mexico’s Federal Electricity Commission (CFE), the Secretary of Administration and Finance for the city of Mexico, and the Revenue Service of Argentina. The emails target users within Latin America, including top-level domains (TLDs) from Mexico, Colombia, and Chile: “.mx”, “.co”, and “.cl”. Any real identities have been redacted from the images for personal privacy.

The first campaign is written to appear official and urgent. It informs the target that they are receiving a final notice regarding a debit to the Federal Taxpayer Registration Fee (RFC) that has not been paid. If unpaid, consequences may include penalties, fines and a block on the user’s tax identification number, impacting the target’s ability to conduct business and access government services legally. An additional campaign impersonates Mexico’s Federal Electricity Commission (CFE) and reminds the recipient that they subscribed to CFEMail and can therefore access their account statement in PDF and XML format by clicking one of the embedded links. A third campaign, imitating the Secretary of Administration and Finance, directs the recipient to click on a PDF to read details regarding a compliance notice. A campaign imitating the Revenue Service of Argentina instructs the user to download a new tax document and take applicable actions.

In each campaign, the recipients are instructed to click on a link to view an invoice or fee, view an account statement, make a payment, etc., depending on the impersonated entity. If the user who clicks on the links is within a specific country (depending on the campaign, Mexico, Chile, Spain, Costa Rica, Peru, or Argentina), they are redirected to an image of a PDF icon, and a ZIP file is downloaded in the background. The ZIP files contain a large executable disguised with a PDF icon, found to have been created the day before, or the day of, the email being sent.
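
For defenders triaging downloads or attachments that match this pattern, the following added example (not from the original report) inspects a ZIP in memory and flags members that are Windows executables, unusually large, and timestamped within a day of the email. The 100 MB threshold, the file names, the send time, and the use of the ZIP member timestamp as a stand-in for the creation date are assumptions made for illustration.

```python
import io
import zipfile
from datetime import datetime, timedelta

LARGE_BYTES = 100 * 1024 * 1024  # assumed cut-off; the write-up only says "large"
MAX_AGE = timedelta(days=1)      # built the day before, or the day of, sending
SENT = datetime(2024, 5, 14, 9, 30)  # constructed send time for the sample


def triage_zip(data, email_sent, large_bytes=LARGE_BYTES):
    """Return one finding per ZIP member that begins with the PE 'MZ' magic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                if member.read(2) != b"MZ":  # identify by content, not extension
                    continue
            # ZIP member timestamp used as a proxy for the creation date.
            age = email_sent.date() - datetime(*info.date_time).date()
            large = info.file_size >= large_bytes
            fresh = timedelta(0) <= age <= MAX_AGE
            findings.append({"name": info.filename, "size": info.file_size,
                             "large": large, "fresh": fresh,
                             "escalate": large and fresh})
    return findings


def build_sample(sent=SENT):
    """Constructed ZIP: a zero-padded fake PE plus a harmless text file."""
    stamp = (sent - timedelta(days=1)).timetuple()[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("factura.exe", date_time=stamp),
                    b"MZ" + b"\0" * (2 * 1024 * 1024),
                    compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr(zipfile.ZipInfo("leeme.txt", date_time=stamp), b"hola")
    return buf.getvalue()


if __name__ == "__main__":
    # Threshold lowered to 1 MiB so the small constructed sample trips it.
    for finding in triage_zip(build_sample(), SENT, large_bytes=1024 * 1024):
        print(finding)
```

Reading the declared uncompressed size from the ZIP directory avoids extracting the executable; a padded binary compresses well, so the archive itself can be small even when the member is large.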