IBM X-Force Threat Analysis: Hive0148 observed targeting Mexico and Costa Rica

14 April 2025

Authors

Melissa Frydrych-Dean

Threat Hunt Researcher

IBM

Joe Fasulo

Cyber Threat Researcher - IBM X-Force

Kevin Henson

Malware Reverse Engineer

IBM

In late March 2025, IBM X-Force led an incident response case involving Hive0148, a South American cyber crime group focused on financial theft throughout the region. This incident was part of a series of large campaigns occurring between February 19 and March 20, 2025, delivering the Grandoreiro banking trojan to users in Mexico and Costa Rica. The incident involved a victim receiving two phishing emails, one of which led to a ZIP archive hosted on the file sharing service mediafire[.]com. If, when the victim clicks the provided URL, their geolocation resolves to either Mexico or Costa Rica, they are quickly redirected to a contaboserver[.]net URL to download the ZIP file. The archive contains a malicious Visual Basic Script (VBS) that, upon execution, launches an executable file with a randomly assigned name. The executables themselves could not be recovered from the infected system. However, the X-Force malware team analyzed the malicious VBS to recover the executable, which was revealed to be a Grandoreiro loader.

X-Force tracks distributors delivering the Grandoreiro banking trojan that are known to target entities in Mexico and Brazil, although targets in Spain, Colombia and Costa Rica have also been observed. Grandoreiro is a multi-component banking trojan likely operated as Malware-as-a-Service (MaaS), featuring string decryption, a domain generation algorithm (DGA), and the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. Grandoreiro contains a large, hard-coded list of targeted banking applications that it uses to enumerate victim devices, steal credentials and commit fraud.

X-Force tracks at least three distributors deploying different versions of the Grandoreiro banking trojan, two identified as Hive0148 and Hive0149, and a third under development. Grandoreiro distributors are grouped based on certain tactics, techniques and procedures (TTPs), such as infection chain attributes, including the use of different loaders and command and control (C2) techniques, phishing themes, targets and indicators of compromise (IOCs). Phishing campaigns delivering Grandoreiro often contain themes related to Tax Administration Services, the Federal Electricity Commission (CFE), electronic billing, national banks and Federal courts/legal notifications.

Threat type

Phishing, Malware

Grandoreiro attributes

  • Grandoreiro is a multi-component banking trojan likely operated as a Malware-as-a-Service (MaaS).
  • It is actively deployed in phishing campaigns impersonating government entities in Mexico, Argentina and South Africa.
  • The banking trojan specifically targets more than 1,500 global banking applications and websites in more than 60 countries, including regions in Central/South America, Africa, Europe and the Indo-Pacific.
  • Grandoreiro supports harvesting email addresses from infected hosts and using their Microsoft Outlook client to send out further phishing campaigns.

Details

X-Force observed several large Hive0148 campaigns delivering the Grandoreiro banking trojan to users in Mexico and Costa Rica between February 19 and March 20, 2025. The emails spoof several government organizations, including Mexico's Tax Administration Service (SAT), with emails claiming to be from the Secretariat of Finance and Public Credit. Hive0148 often sends emails with themes related to SAT or the Federal Electricity Commission (CFE), or finance-related themes such as billing.

Observed sender email addresses Hive0148 used:

  • marcaSAT[@]sat[.]gob[.]mx
  • fiscaliageneral[@]cfe[.]com
  • fiscaliageneral[@]sat[.]gob[.]mx
  • fiscaliageneral[@]vps-[alpha-numeric value][.]vps[.]ovh[.]us
  • fiscaliageneral[.]afip[.]gob[.]ar

The email bodies of some observed campaigns inform the recipient that an administrative act identified with a folio number (which varies per email) has been sent and is available for review in their Tax Inbox at sat[.]gob[.]mx. Likely to add authenticity, the email sender includes the following statement: "SAT does not request personal information, codes, or passwords via email. If you receive a suspicious message, do not share it and report it through our portal. Your personal data is protected in accordance with the Personal Data Protection Guidelines and current tax regulations. It is used exclusively to exercise the powers of the Tax Authority." Other email text purports to be from Argentina's Federal Administration of Public Income, stating that new tax documents have been generated and fines have been incurred.

Sample of observed email subjects:

  • Nueva Demanda en su Documento [6 digit number]
  • Multa Registrada en su Documento [6 digit number]
  • Pago Pendiente [alpha numeric value] - CFE
  • Acto admin [alpha numeric value] enviado al buzon [alpha numeric value]

Analysis

In all campaigns, the email body contains a link to view the referenced document (the administrative act, for instance) together with the password "2025". After a victim clicks the embedded link, a browser opens and shows a link labeled "Documento archivo PDF". That URL, a variation of hxxps[:]//vmi2500223[.]contaboserver[.]net/, leads to a ZIP archive download after a geolocation check for Mexico or Costa Rica, depending on the email. If the user is not within Mexico or Costa Rica, the user is not redirected and a timeout error appears instead.

Grandoreiro VB dropper

The archive files contain a malicious, obfuscated Visual Basic Script (VBS). One VBS analyzed by X-Force, VER_4138SZOLMCTOhhadOBDO.vbs, functions as a dropper that base64-decodes an embedded ZIP archive and writes it to the system as %AppData%\<12-char-random-name>.zip (example: EJHAnQiepmGQ.zip). The ZIP archive contains an Extensible Markup Language (XML) file, 823213123422HFPZNBLD79004462AEMGNZNC.xml, which the dropper unzips, renames to %AppData%\<12-char-random-name>.exe (example: EJHAnQiepmGQ.exe) and executes. The dropper also creates a text file named %AppData%\tYcEsgSvozkyMJsMKC.txt which contains the path of the final payload.
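A host-based triage check for the dropper artefacts described above, written as an added example for this report (it is not X-Force tooling). It looks in a directory listing for the paired <12-char-random-name>.zip / .exe files and the tYcEsgSvozkyMJsMKC.txt marker. The assumption that the random name is exactly 12 ASCII letters is inferred from the single example EJHAnQiepmGQ and may need loosening for other samples; the sample file names in the block are constructed.

```python
"""Triage check for Grandoreiro VBS-dropper artefacts under %AppData%.

Added example, not part of the X-Force report. Artefacts checked:
  - <12-char-random-name>.zip and <12-char-random-name>.exe (paired stem)
  - tYcEsgSvozkyMJsMKC.txt (path of the final payload)
The "12 ASCII letters" name pattern is an assumption inferred from the
report's example EJHAnQiepmGQ.
"""
import os
import re

MARKER_FILE = "tYcEsgSvozkyMJsMKC.txt"
# Assumed pattern for the dropper's random file name: 12 ASCII letters.
RANDOM_NAME = re.compile(r"^([A-Za-z]{12})\.(zip|exe)$")


def triage_names(filenames):
    """Evaluate a list of file names (e.g. os.listdir of %AppData%).

    Returns a dict with:
      candidates: stems matching the random-name pattern with a .zip or .exe
      pairs:      stems where BOTH .zip and .exe are present (strong signal)
      marker:     whether the payload-path marker file is present
      suspicious: True if any pair or the marker file was found
    """
    stems = {}
    for name in filenames:
        match = RANDOM_NAME.match(name)
        if match:
            stems.setdefault(match.group(1), set()).add(match.group(2))
    candidates = sorted(stems)
    pairs = sorted(stem for stem, exts in stems.items() if exts == {"zip", "exe"})
    marker = MARKER_FILE in filenames
    return {
        "candidates": candidates,
        "pairs": pairs,
        "marker": marker,
        "suspicious": bool(pairs) or marker,
    }


def triage_appdata(path=None):
    """Run the check against a real directory (defaults to %AppData%)."""
    path = path or os.environ.get("APPDATA", "")
    try:
        names = os.listdir(path)
    except OSError:
        names = []  # directory missing or unreadable: report nothing found
    return triage_names(names)


if __name__ == "__main__":
    # Constructed listing mirroring the artefact names given in the report.
    constructed = ["EJHAnQiepmGQ.zip", "EJHAnQiepmGQ.exe",
                   "tYcEsgSvozkyMJsMKC.txt", "notes.txt"]
    print(triage_names(constructed))
```

The marker file name is a fixed string in the analyzed sample and is the higher-confidence indicator; a matching zip/exe pair alone is only a prompt to pull the files for analysis, since twelve-letter names also occur legitimately.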

Grandoreiro loader

This loader variant operates similarly to other Grandoreiro loaders detailed by IBM X-Force in 2024. When EJHAnQiepmGQ.exe is executed, it creates a mutex based on the current date, formatted as M/DD/YYYY, then displays a fake PDF dialog box to the user. If any errors occur, a second fake Adobe Reader error dialog box is displayed before execution terminates. Once the user clicks the dialog box, the loader performs several anti-analysis checks for running analysis tool processes, registry keys, Microsoft link (.lnk) files on the user's desktop and certain directories.

If the system passes the checks, the loader gathers system information such as username, antivirus software, host name, volume serial number and public IP country information to be sent to the C2 server. The public IP information is obtained from http://ip-api.com/json.

Once system information is obtained, the C2 domain is decrypted from strings. The domain's IP is resolved via DNS over HTTPS through the URL https://dns.google/resolve?name=<C2Server> to circumvent DNS-based blocking. For the analyzed sample, the C2 is crispandpotato[.]workisboring[.]com. System information is then sent to the C2 and, typically, the Grandoreiro banking trojan is downloaded.

Conclusion

X-Force observed a recent phishing campaign impersonating official government entities to deliver the Grandoreiro banking trojan. Grandoreiro distributors typically target users in Latin America; however, X-Force has observed the malware being spread outside of LATAM to include regions in Central and South America, Africa, Europe and the Pacific. The Grandoreiro banking trojan carries a target list of at least 1,500 global banking applications, enabling attackers to perform banking fraud in more than 60 countries. Campaigns delivering Grandoreiro are notable due to the potentially high-impact follow-on activity associated with banking trojans. Campaigns resulting in infections have led to Grandoreiro operators successfully capturing user data such as banking login credentials, and have resulted in victims being defrauded of likely at least 3.5 million Euros since at least 2017.

Recommendations

We encourage organizations that may be impacted by these campaigns to review the following recommendations:

  • Exercise caution with emails and PDFs prompting a file download
  • Monitor network traffic for multiple consecutive requests to http://ip-api.com/json as a potential indicator of a Grandoreiro infection
  • Consider blocking pre-calculated DGA domains via DNS
  • Monitor registry Run keys used for persistence
  • Install and configure endpoint security software
  • Update relevant network security monitoring rules
  • Educate staff on the potential threats to the organization
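The loader behaviour described in the analysis (repeated requests to http://ip-api.com/json followed by a DNS-over-HTTPS lookup via https://dns.google/resolve?name=<C2Server>) and the second recommendation above both point at the same network signal. The detection below is an added example, not X-Force code: it parses constructed proxy-log lines, flags a client that made several ip-api.com/json requests within a short window, and records any domain it resolved through dns.google. The log format ("timestamp client method url"), the 5-minute window and the hit threshold are assumptions; adapt the parser to your proxy's export format.

```python
"""Proxy-log detection for the Grandoreiro loader's network pattern.

Added example, not part of the X-Force report. Signals:
  1. a burst of requests to http://ip-api.com/json from one client
  2. DNS-over-HTTPS lookups via https://dns.google/resolve?name=<domain>
Log format and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: "<ISO timestamp> <client_ip> <method> <url>".
# 10.0.5.21 mimics the loader; 10.0.5.42 is benign traffic for contrast.
SAMPLE_LOG = """\
2025-03-12T09:14:02 10.0.5.21 GET http://ip-api.com/json
2025-03-12T09:14:03 10.0.5.21 GET http://ip-api.com/json
2025-03-12T09:14:05 10.0.5.21 GET http://ip-api.com/json
2025-03-12T09:14:09 10.0.5.21 GET https://dns.google/resolve?name=crispandpotato.workisboring.com
2025-03-12T09:20:00 10.0.5.42 GET http://ip-api.com/json
2025-03-12T09:21:00 10.0.5.42 GET https://www.example.com/
2025-03-12T11:00:00 10.0.5.42 GET http://ip-api.com/json
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, client, method, url)."""
    ts, client, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, method, url


def analyze(log_text, window=timedelta(minutes=5), min_ipapi_hits=2):
    """Return {client: {"ipapi_burst": bool, "doh_lookups": [names], "severity": str}}.

    ipapi_burst is True when at least min_ipapi_hits requests to
    ip-api.com/json from the same client fall inside `window`.
    """
    ipapi_times = defaultdict(list)
    doh_names = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = parse_line(line)
        parts = urlsplit(url)
        if parts.netloc == "ip-api.com" and parts.path == "/json":
            ipapi_times[client].append(ts)
        elif parts.netloc == "dns.google" and parts.path == "/resolve":
            doh_names[client].extend(parse_qs(parts.query).get("name", []))

    findings = {}
    for client in set(ipapi_times) | set(doh_names):
        times = sorted(ipapi_times[client])
        burst = any(
            times[i + min_ipapi_hits - 1] - times[i] <= window
            for i in range(len(times) - min_ipapi_hits + 1)
        )
        lookups = doh_names[client]
        if burst and lookups:
            severity = "high"      # both loader behaviours seen together
        elif burst or lookups:
            severity = "medium"    # one behaviour; worth a look
        else:
            severity = "low"
        findings[client] = {"ipapi_burst": burst,
                            "doh_lookups": lookups,
                            "severity": severity}
    return findings


if __name__ == "__main__":
    for client, result in sorted(analyze(SAMPLE_LOG).items()):
        print(client, result)
```

In the constructed data, 10.0.5.21 is rated high (three ip-api.com hits within seconds plus a DoH lookup of the sample's C2 domain) while 10.0.5.42 stays low because its two ip-api.com requests are hours apart and it resolved nothing through dns.google. The DoH lookup alone is a medium signal because legitimate software also uses dns.google; pairing it with the geolocation burst is what makes the match specific to this loader.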

Indicators of compromise

Indicator                                       | Indicator Type | Context
------------------------------------------------|----------------|-----------------------------
hxxps[:]//vmi(7digits)[.]contaboserver[.]net/   | URL            | Geofenced URL Redirect
5.189.171.211                                   | IPv4 Address   | Contaboserver URL Resolution
207.180.209.104                                 | IPv4 Address   | Contaboserver URL Resolution
5.189.180.157                                   | IPv4 Address   | Contaboserver URL Resolution
207.180.227.44                                  | IPv4 Address   | Contaboserver URL Resolution
173.212.198.11                                  | IPv4 Address   | Contaboserver URL Resolution
173.212.248.93                                  | IPv4 Address   | Contaboserver URL Resolution
62.17.169.232                                   | IPv4 Address   | Contaboserver URL Resolution
crispandpotato[.]workisboring[.]com             | FQDN           | C2
