October 2, 2023

Researchers have spotted a new attack campaign that used BlotchyQuasar RAT to target Latin Americans.

The campaign was first detected in late April and continued through May. The RAT was believed to be developed by the Hive0129 cybercriminal group and distributed by phishing emails.

This campaign was seen impersonating government agencies in Latin America. The email informed the recipients of their tax status and prompted them to click on a link within the email.


The link was geofenced using a link generated with the Geo Targetly service. Once the victim clicked on it, it caused the download of a password-protected archived LHA file. Upon decrypting the archive file, a .NET malware loader identified as RoboSki would be downloaded onto the victim’s system. 

This RoboSki loader ultimately led to the deployment of BlotchyQuasar RAT in the final stage of the infection chain.

The RoboSki loader was not only used by the Hive0129 group, but was also leveraged by other low-profile threat actors to deploy various RATs and stealers, such as AgentTesla, FormBook, or LokiBot, via phishing emails.

BlotchyQuasar RAT used in the campaign is under active development and has been in the wild for more than two years targeting personal and enterprise applications used for financial transactions in the most popular banks in Latin America, specifically Colombia, Ecuador, and Bolivia. 


As the malware variant continued to evolve, several features were found overlapping with malware called ProyectoRAT, reported in 2019, targeting users in Latin America. The most recent addition included the Google Chrome Kiosk feature, which was likely added earlier this year.

This campaign highlights Hive0129’s continued trend of increasingly frequent and sophisticated malicious cyber activity targeting the Latin American region. Hive0129 continues to improve their toolset, including both open-source and custom tools, and are employing more complex attack chains and sophisticated techniques.

Researchers assesses that it is highly likely that Hive0129 will continue to enhance their tools and continue to conduct phishing operations within the Latin America region.

This research was documented by researchers from IBM X-Force

Indicators of Compromise

  • ecc4f23a3e3b6021f952d1c715739ced6997882ad023fa0d8eeedb87a55993e5
  • dc71d0f6cd67a4a5d606efdf0fe8ab734f73784516fe4e5b8ea5e69b6d130375
  • ecuadorlab[.]work[.]gd:9058

Leave a Reply

%d bloggers like this: