![johnk3r's tweet photo. For my Brazilian ThreaHunting/DFIR friends:
Been reversing a malware called “#CNABHunter” (NUikita), and this thing is way more interesting than a regular banking trojan.
At first I had to figure out what “CNAB240/400” even was — apparently it’s a financial file standard heavily used by Brazilian ERP/banking integrations.
The malware hunts for those files in environments running TOTVS, SAP, RM, Senior, Sankhya, etc., extracts transaction data, and waits for remote commands to modify payments.
Most interesting part: it doesn’t do dumb string replacement.
The malware appears to rebuild the entire financial record using the correct field positions to keep the file structurally valid for banking processing.
Maybe my interpretation of this behavior is wrong, but that’s what I’ve understood so far from reversing it.
C2: 104.245.245[.]50:5000](https://pbs.twimg.com/media/HHwfSYvXgAIgy5Z.jpg)
![johnk3r's tweet photo. For my Brazilian ThreaHunting/DFIR friends:
Been reversing a malware called “#CNABHunter” (NUikita), and this thing is way more interesting than a regular banking trojan.
At first I had to figure out what “CNAB240/400” even was — apparently it’s a financial file standard heavily used by Brazilian ERP/banking integrations.
The malware hunts for those files in environments running TOTVS, SAP, RM, Senior, Sankhya, etc., extracts transaction data, and waits for remote commands to modify payments.
Most interesting part: it doesn’t do dumb string replacement.
The malware appears to rebuild the entire financial record using the correct field positions to keep the file structurally valid for banking processing.
Maybe my interpretation of this behavior is wrong, but that’s what I’ve understood so far from reversing it.
C2: 104.245.245[.]50:5000](https://pbs.twimg.com/media/HHwe4joWwAA2fCB.png)
![johnk3r's tweet photo. For my Brazilian ThreaHunting/DFIR friends:
Been reversing a malware called “#CNABHunter” (NUikita), and this thing is way more interesting than a regular banking trojan.
At first I had to figure out what “CNAB240/400” even was — apparently it’s a financial file standard heavily used by Brazilian ERP/banking integrations.
The malware hunts for those files in environments running TOTVS, SAP, RM, Senior, Sankhya, etc., extracts transaction data, and waits for remote commands to modify payments.
Most interesting part: it doesn’t do dumb string replacement.
The malware appears to rebuild the entire financial record using the correct field positions to keep the file structurally valid for banking processing.
Maybe my interpretation of this behavior is wrong, but that’s what I’ve understood so far from reversing it.
C2: 104.245.245[.]50:5000](https://pbs.twimg.com/media/HHwexp0XQAEnVaL.png)
Olivia
Online
Eder Machado
@edermachado
São Paulo
Joined July 2008
2.4K Following
341 Followers
4K Posts
For my Brazilian ThreaHunting/DFIR friends:
Been reversing a malware called “#CNABHunter” (NUikita), and this thing is way more interesting than a regular banking trojan.
At first I had to figure out what “CNAB240/400” even was — apparently it’s a financial file standard heavily used by Brazilian ERP/banking integrations.
The malware hunts for those files in environments running TOTVS, SAP, RM, Senior, Sankhya, etc., extracts transaction data, and waits for remote commands to modify payments.
Most interesting part: it doesn’t do dumb string replacement.
The malware appears to rebuild the entire financial record using the correct field positions to keep the file structurally valid for banking processing.
Maybe my interpretation of this behavior is wrong, but that’s what I’ve understood so far from reversing it.
C2: 104.245.245[.]50:5000
![johnk3r's tweet photo. For my Brazilian ThreaHunting/DFIR friends:
Been reversing a malware called “#CNABHunter” (NUikita), and this thing is way more interesting than a regular banking trojan.
At first I had to figure out what “CNAB240/400” even was — apparently it’s a financial file standard heavily used by Brazilian ERP/banking integrations.
The malware hunts for those files in environments running TOTVS, SAP, RM, Senior, Sankhya, etc., extracts transaction data, and waits for remote commands to modify payments.
Most interesting part: it doesn’t do dumb string replacement.
The malware appears to rebuild the entire financial record using the correct field positions to keep the file structurally valid for banking processing.
Maybe my interpretation of this behavior is wrong, but that’s what I’ve understood so far from reversing it.
C2: 104.245.245[.]50:5000](https://pbs.twimg.com/media/HHwg5lEWAAIwmhv.png)
Mr. Titus Tech is correct. cpuid-dot-com is indeed delivering malware right now.
As I began poking this with I stick I discovered this is not your typical run-of-the-mill malware. This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.
The C2 domain present in one of the binaries is a clear IoC. This is the same Threat Group who was masquerading FileZilla in early March, 2026. They've been busy.
Hello there 😍
@MobilidadeSampa interdição total Francisco Matarazzo antes do shopping West Plaza sentido centro.
2026 fit check 😮💨
First sounds of history.
Ford Racing Hypercar coming 2027.
You heard it here first. Our soundtrack for 2026 🔊
#F1
Thanks for the memories and the wins!
Farewell Honda 🫡
Thank you @HondaRacingGLB
Last dance with @MercedesAMGF1
Vitória brasileira: Fruto do esforço científico nacional, a Butantan-DV começou a ser desenvolvida em 2009, quando o Brasil enfrentava recordes de dengue. Foram 270 experimentos e 50 tentativas de formulação até chegar ao produto final. Saiba mais: https://t.co/Jq1CnueM1I
Max Verstappen’s Brazil pitlane start from Ocon’s onboard camera.
Ocon was like bro wait for me, but Max disappeared into the distance 😭
This shows exactly why Max’s SC restarts are so good.
Eu faria esse acordo é vc faria ?
@LDU_Oficial Noche Mágica de Copa
Terra e Lua passando em frente ao Sol. Filmagem de 14 de janeiro de 2005 a partir da sonda Huygens que estava próximo a Saturno.
EDITORIAL: Alguém tem vergonha na cara – Um promotor de Justiça aposentado recusou penduricalho de R$ 1,3 milhão e ainda foi ao STF para pedir que os atos que criam o benefício sejam declarados nulos, porque são ilegais e imorais 🔗 https://t.co/JaadRr1aFX 📸: Daniel Teixeira/Estadão
Last Seen Users on Sotwe
Peter and Tekky
Seen from Malaysia
Pornstar Gold
Seen from Turkey
Raw Leakz (18+ ONLY) 😈
Seen from United States
Beta Whiteboi
Seen from France
سالب فنانات 🌈🌈
Seen from Egypt
Porno Porna
Seen from Turkey
Gay ngon
Seen from Vietnam
آلـﹻﹻﹻﹻﹻﹻـجـﹻـوگـﹻﹻﹻﹻﹻﹻﹻر
Seen from Egypt
حمودي الحرازي الخاص مفتوح
Gumper88 
Seen from Thailand
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.3M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
87M followers
Taylor Swift
@taylorswift13
80.8M followers
Lady Gaga
@ladygaga
72.4M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
68.8M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.5M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.5M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.1M followers