Malware News Inside agenteV2: How Brazilian Attackers Use Fake Court Summons to Steal Banking Credentials in Real Time

Khushal

Apr 4, 2024
New Brazilian banking trojan "agenteV2" uses fake court summons to deliver interactive backdoor with real-time screen streaming, enabling operator-assisted financial fraud targeting major Brazilian 🇧🇷 banks and crypto wallets.


Technical breakdown:
• Interactive WebSocket backdoor (uws://) streams victim screens via PIL+mss to operator who manually controls banking sessions in real time
• Triple persistence: Registry Run key + two Scheduled Tasks (/rl highest) + UAC bypass via /elevated /fromtask
• Targets 7 major Brazilian 🇧🇷 banks (Itaú, Banco do Brasil, Bradesco, Santander) + 5 crypto wallet extensions
• Core DLL compiled with Nuitka (Python→native code) - no extractable bytecode, ~27MB with debug strings intact
• Pastebin dead-drop resolver (pastebin[.]com/raw/0RmxqY57) enables C2 rotation without redeployment
• Bypasses browser SQLite locks via shutil.copyfile to %TEMP% before credential extraction
• Probes for Brazilian 🇧🇷 anti-fraud solutions (Diebold Warsaw, GbPlugin) indicating deliberate regional targeting
 
That report describes a serious banking trojan campaign, and the key point is that it appears designed for hands-on fraud rather than simple credential theft.

What stands out technically

  • Operator-assisted fraud: The screen-streaming over WebSocket suggests the attacker may watch the victim session live and intervene at the right moment. That is often more effective against banking protections than a basic stealer.
  • Strong persistence: Using multiple Scheduled Tasks plus a Run key means the malware is trying to survive normal cleanup attempts. The mention of elevated task execution is also important because it may help it relaunch with higher privileges.
  • Regional specialization: Checking for Brazilian banking-related security components strongly suggests the campaign was built with Brazil-focused financial abuse in mind, not as a generic global stealer.
  • Credential and wallet interest: The combination of browser data theft and crypto wallet targeting increases the impact significantly, especially if the attacker can also observe the user in real time.
  • Infrastructure flexibility: A dead-drop resolver such as Pastebin can make takedown and blocking less effective, because the operator can rotate C2 endpoints without shipping a new sample.

Why the live screen streaming matters

Many banking trojans steal credentials passively. This one, based on that write-up, appears more interactive.

That matters because a human operator can potentially:

  • Wait until the victim opens a banking site
  • Observe account balances or transaction flows
  • Time fraudulent actions to bypass some antifraud checks
  • React to prompts or errors in real time

In general, that is a higher-risk model than ordinary mass-market info-stealers.

About the fake court summons lure

That lure is believable because legal notices create urgency and pressure. Social engineering like that is often more effective than generic invoice-themed phishing, especially when the message is localized to the target country.

A few cautions

I cannot independently verify every technical claim in the quoted summary from here, so I would treat the article as a useful analysis source rather than final ground truth by itself.

Also, the presence of debug strings or a large Nuitka-produced DLL is interesting for analysts, but it does not automatically make detection easy in the real world. Packed or compiled Python malware can still be operationally effective.

Practical takeaway

For defenders, the most important points are:

  • Watch for fake legal-notice phishing themes
  • Monitor for unusual Scheduled Task creation and Run-key persistence
  • Inspect suspicious outbound connections, especially if tied to remote-control behavior
  • Treat browser credential access and wallet extension targeting as high-priority indicators
  • Be careful assuming this is “just” a banking trojan, because the live operator element makes it closer to an interactive fraud platform

If someone suspects exposure

The safest next steps are:

  • Disconnect the affected system from the network
  • Do not use that device for banking or crypto access
  • Scan with reputable security software and collect logs
  • Change passwords from a separate clean device
  • Contact the affected bank or wallet provider immediately if financial access may have occurred

Overall, if the reported behavior is accurate, this looks like a capable Brazil-focused banking malware operation with a notable real-time fraud component, which makes it more dangerous than a typical static credential stealer.
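As an added example (my own code, not the post's, the report's, or anything recovered from the malware), the Python below correlates host telemetry for the stacked pattern the technical breakdown lists: a Run-key write, a scheduled task registered at highest run level whose action lives under a user-writable path, a relaunch carrying /elevated /fromtask, a fetch from pastebin.com/raw/, and a browser credential store copied into %TEMP%. Field names follow the usual Sysmon (1 process, 11 file, 13 registry) and Windows Security (4698 task created) conventions; the records, host names and the paste ID are constructed for the demo, and the proxy-log shape is an assumption (Sysmon's network event only carries the hostname, not the URL path).

```python
"""Correlate host telemetry for the layered persistence and C2 pattern
the agenteV2 write-up describes.  Added example, not code from the
report or the malware.  Records mimic Sysmon (1 process, 11 file,
13 registry) and Security (4698 task created) fields plus an assumed
proxy log; every record below is constructed and the paste ID is a
placeholder."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
ELEVATED_ARGS_RE = re.compile(r"/elevated\s+/fromtask", re.IGNORECASE)
PASTEBIN_RAW_RE = re.compile(r"pastebin\.com/raw/", re.IGNORECASE)
# Browser credential stores copied into %TEMP% before being read
# (the SQLite-lock bypass mentioned in the breakdown).
BROWSER_DB_COPY_RE = re.compile(r"\\Temp\\.*(Login Data|Web Data|Cookies)", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.IGNORECASE)

PERSISTENCE = {"run_key", "task_highest_rl", "elevated_fromtask"}


def task_is_suspicious(task_xml: str) -> bool:
    """True when a task asks for RunLevel HighestAvailable (what
    schtasks /rl highest produces) AND its action lives in a
    user-writable directory; vendor installers rarely combine both."""
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return False

    def local(el):  # strip the task-schema namespace from tag names
        return el.tag.rsplit("}", 1)[-1]

    run_level = next((el.text or "" for el in root.iter() if local(el) == "RunLevel"), "")
    command = next((el.text or "" for el in root.iter() if local(el) == "Command"), "")
    return run_level.strip() == "HighestAvailable" and bool(USER_WRITABLE_RE.search(command))


def classify(ev: dict) -> Optional[str]:
    """Map one event record to an indicator name, or None."""
    src, eid = ev["source"], ev["event_id"]
    if src == "Sysmon" and eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return "run_key"
    if src == "Security" and eid == 4698 and task_is_suspicious(ev.get("TaskContent", "")):
        return "task_highest_rl"
    if src == "Sysmon" and eid == 1 and ELEVATED_ARGS_RE.search(ev.get("CommandLine", "")):
        return "elevated_fromtask"
    if src == "Proxy" and PASTEBIN_RAW_RE.search(ev.get("Url", "")):
        return "pastebin_dead_drop"
    if src == "Sysmon" and eid == 11 and BROWSER_DB_COPY_RE.search(ev.get("TargetFilename", "")):
        return "browser_db_copy"
    return None


def correlate(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Collect the set of indicators seen on each host."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["host"]].add(tag)
    return dict(hits)


def verdict(indicators: Set[str]) -> str:
    """A lone Run key is everyday software behaviour; two or more
    persistence layers plus a dead-drop fetch or a browser-DB copy is
    the stacked pattern worth paging on."""
    layers = len(indicators & PERSISTENCE)
    if layers >= 2 and indicators & {"pastebin_dead_drop", "browser_db_copy"}:
        return "high"
    if layers >= 2:
        return "medium"
    return "low" if indicators else "none"


# Constructed task XML (same schema as files under C:\Windows\System32\Tasks).
TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
            '<Actions><Exec><Command>C:\\Users\\ana\\AppData\\Roaming\\upd\\upd.exe</Command>'
            '<Arguments>/elevated /fromtask</Arguments></Exec></Actions></Task>')

SAMPLE_EVENTS = [  # constructed records; WS02 shows a benign Run key
    {"host": "WS01", "source": "Sysmon", "event_id": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS01", "source": "Security", "event_id": 4698, "TaskContent": TASK_XML},
    {"host": "WS01", "source": "Sysmon", "event_id": 1,
     "CommandLine": r'"C:\Users\ana\AppData\Roaming\upd\upd.exe" /elevated /fromtask'},
    {"host": "WS01", "source": "Proxy", "event_id": 0, "Url": "https://pastebin.com/raw/PLACEHOLDER"},
    {"host": "WS01", "source": "Sysmon", "event_id": 11,
     "TargetFilename": r"C:\Users\ana\AppData\Local\Temp\tmpk2x9\Login Data"},
    {"host": "WS02", "source": "Sysmon", "event_id": 13,
     "TargetObject": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for host, inds in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, verdict(inds), sorted(inds))
```

The same task_is_suspicious check works offline on a suspected host: the XML files under C:\Windows\System32\Tasks use this schema, so looping over them and feeding each file to it is a quick triage step alongside reviewing the Run keys. The verdict thresholds are deliberately conservative; a single Run-key write is far too noisy to alert on by itself.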