New Threat Actor Targets Spanish Speaking Victims With Rare Bandook Malware

A new and highly active threat group, which Proofpoint researchers refer to as Caliente Bandits and TA2721, has targeted various industries, from finance to entertainment.

The campaigns are low-volume and targeted at individuals with Spanish names. The group uses Spanish-language lures to distribute a rare version of a remote access trojan (RAT) known as Bandook. Proofpoint started tracking this group in January 2021 and has observed it distributing Bandook email threats every week since April.

This campaign reuses the same budget- or payment-themed lures to trick users into opening a PDF. The attached PDF contains a URL and a password, which lead to the download of a password-protected archive containing Bandook.

In 2021, TA2721 sent such emails to fewer than 100 organizations, Proofpoint says. The list included organizations in the US, Europe, and South America. The attacks mainly focused on individuals with Spanish last names, such as Pérez, Castillo, Ortiz, etc.

This actor distributed two variants of Bandook, which is commodity malware, but researchers observed the actor using detection evasion tactics, such as password-protection of the malicious archive.

Most of the time, the threat actor would send out links to the Bandook download from Hotmail or Gmail email addresses. The subject lines and names of the emails usually contain terms such as “PRESUPUESTO” and “COTIZACION”. But in one June campaign, the actor used direct messages to spread URLs.

Researchers noted that the URLs they observed from January to June 2021 used shortened versions URLs from and These redirected to a legitimate file hosting website, spideroak[.]com, to download a fraudulent RAR file.
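A mail-triage heuristic built from the lure traits described above, as an added example that is not from Proofpoint or the original article. The message schema, the password keywords, and the alert threshold are assumptions, and the sample messages are constructed.

```python
import re
import unicodedata

# Traits from the article; the message schema, password keywords and
# alert threshold are assumptions made for this example.
FREEMAIL_DOMAINS = {"hotmail.com", "gmail.com"}
SUBJECT_TERMS = ("PRESUPUESTO", "COTIZACION")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\b(contrasena|clave|password)\b", re.IGNORECASE)
ALERT_THRESHOLD = 3

def fold(text):
    """Upper-case and strip accents so 'Cotización' matches 'COTIZACION'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).upper()

def triage(msg):
    """Return the list of lure traits present in one parsed message."""
    hits = []
    domain = msg["sender"].rsplit("@", 1)[-1].lower()
    if domain in FREEMAIL_DOMAINS:
        hits.append("freemail_sender")
    if any(term in fold(msg["subject"]) for term in SUBJECT_TERMS):
        hits.append("budget_subject")
    for att in msg["attachments"]:
        if not att["name"].lower().endswith(".pdf"):
            continue
        body = fold(att["text"])  # text already extracted from the PDF
        if URL_RE.search(body) and PASSWORD_RE.search(body):
            hits.append("pdf_url_and_password")
            break
    return hits

def is_suspicious(msg):
    """Alert only when all three traits co-occur, to limit false positives."""
    return len(triage(msg)) >= ALERT_THRESHOLD

# Constructed sample messages (not real campaign data).
SAMPLES = [
    {"sender": "ventas.ejemplo@hotmail.com", "subject": "Cotización 2021",
     "attachments": [{"name": "Cotizacion.PDF",
                      "text": "Descargar: https://short.example/abc Contraseña: 1234"}]},
    {"sender": "billing@vendor.example", "subject": "Presupuesto Q3",
     "attachments": [{"name": "presupuesto.pdf",
                      "text": "Adjuntamos el presupuesto solicitado."}]},
]
```

Each trait alone is common in legitimate Spanish-language business mail, which is why the sketch alerts only on the combination.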

Bandook is a commercially available remote access trojan (RAT) written in Delphi, observed in the wild since 2007. It can be used to capture and record audio and video, perform keylogging, and steal information.

Despite its age and availability, Proofpoint has not observed any other threat actors using Bandook. In fact, since 2015, no more than 40 campaigns have distributed this malware.

About the author

CIM Team
