🚨 THREAD | Threat Intelligence
We have identified KAIDO RAT v3.0, a sophisticated Remote Access Trojan variant with a strong focus on the Brazilian market, particularly the financial sector.
The threat uses a custom C2 framework, over 60 plugins, and an exclusive Brazilian banking suite.
Below, we detail its main observed capabilities.
Post 2/6
Web Panel and C2 Framework
•Headless server based on .NET 9
•“Lain” web panel featuring dashboard, client list, remote shell, and file manager
•HVNC with GPU capture support
•Remote Desktop + webcam streaming
•Integrated builder + KaidoKrypter (FUD)
•Loot browser isolated by operator and role
•Delivery methods: LNK Stomping, ClickFix, and HTML Smuggling
High operator usability with emphasis on persistence and controlled data exfiltration.
Post 3/6
Evasion Modules (10 modules)
The variant includes advanced bypass techniques:
•ETW Patch (5 functions) and patchless AMSI Bypass via VEH2
•Direct Syscalls (Hell’s Gate + Indirect)
•Sleep Obfuscation using XOR + PAGE_NOACCESS
•Stack Spoofing, Thread Pool Execution, and Callback Execution (6 methods)
•PPID Spoofing, API Hashing, and Anti-VM with 19 checks
Strong capability to evade modern EDR solutions and virtualized environments.
Post 4/6
Exclusive Brazilian Banking Suite (8 plugins)
This is the most relevant module of the threat:
•Real-time Bank Detector covering 28 Brazilian banks
•Fullscreen overlay with 19 banking themes
•PIX Clipper (supports CPF, CNPJ, email, EVP, and copy-paste)
•EMV QR Poisoner (rewrites QR Code and recalculates CRC16)
•PIX Ghost via UI Automation (no clipboard usage)
•Screen Locker (locks keyboard, mouse, and Task Manager)
•Selective keylogger that only activates inside banking windows
•Notification Silencer
Direct risk to the PIX ecosystem and Open Banking.
Post 5/6
Stealers, Reconnaissance and Post-Exploitation
Stealers (18 features): Cookies from 23 browsers, passwords, tokens (Discord, Telegram, Steam, Spotify), sessions (WAL lock bypass), NTLM hashes, in-memory LSASS dumping, crypto wallets (13 extensions + MetaMask), SSH/RDP/Cloud access, ICP-Brasil A1 certificates with private keys, and Open Banking access for 12 banks.
Reconnaissance (7 modules): Network Mapper, VPN Detector, Document Radar, Form Phantom CDP, DB Dumper (SQL Server + SQLite), Certificate Store Enumeration, and Crypto Memory Drainer.
Post-Exploitation (9 modules): EDR Killer v2.0 (no PowerShell/cmd), UAC Bypass (3 methods), LPE exploits including miniPlasma and CVE-2026-40369, Kerberoasting + AS-REP Roasting, COM Hijack persistence, and Process Hollowing.
Post 6/6
AI Targeting + Infrastructure + Recommendation
AI Targeting (5 modules): Credential harvesting targeting Anthropic, OpenAI, Gemini, xAI, and Groq. Implants via Claude CLI C2 (Discord/Telegram), MCP Hijack on Claude Desktop, Git Hook Implant, and Jupyter IPython Startup Hook.
Infrastructure: .NET 9 headless server, .NET 4.8 client, single DLL plugins (~7MB), AES-256-CBC crypter with native stub and ML evasion, 6-pass obfuscator, TLS-based C2 with MessagePack and jitter, Discord token + Pastebin fallback, and nginx + socat redirector.
Recommendation: Financial institutions, fintechs, and organizations handling PIX or ICP-Brasil should strengthen behavioral detection, review EDR policies, and monitor social engineering techniques such as ClickFix and HTML Smuggling.
We will continue monitoring the evolution of this threat.
#KAIDORAT #RAT #Malware #Cybersecurity #PIX #OpenBanking #ThreatIntelligence #InfoSec #Brazil
CapCut empezó siendo gratis
Luego pusieron transiciones básicas de pago.
Luego bloquearon resoluciones de exportación.
Luego añadieron marcas de agua.
Luego ByteDance empezó a usar tus videos para entrenar su IA.
Un grupo de devs se cabreó lo suficiente como para clonar todo el proyecto desde cero
Se llama OpenCut y tiene 45.8k estrellas en GitHub en menos de un año
✅ Edición con línea de tiempo y múltiples pistas
✅ Vista previa en tiempo real sin renderizar
✅ Sin marcas de agua en ninguna exportación, nunca
✅ Sin suscripciones ni funciones bloqueadas
✅ Funciona en web, escritorio y móvil
✅ Tus videos nunca salen de tu dispositivo
✅ Licencia MIT, nadie puede añadir un muro de pago
La parte más importante: al ser MIT si alguien intentara meter un paywall la comunidad lo forkea en 48 horas y lanza el mismo producto sin él
CapCut construyó su foso siendo gratis. OpenCut les acaba de quitar ese foso.
45.8k estrellas. 4.7k forks. 90+ colaboradores activos. MIT.
lo tienes abajo 👇
A high-risk illegal tool called Tela Caixa Física + Jurídica Operadora (Mobile & Desktop) is being openly marketed for R$ 2,000 per month.
Advertised features include: • Selective data harvesting of individuals (Pessoa Física — PF) and legal entities (Pessoa Jurídica — PJ)
• CPF + CNPJ APIs
• Operator commands for sending QR Codes and numerous other remote controls
• Complete dashboard with real-time metrics, statistics, and separation between physical and legal persons
• Ability to enable/disable specific data collection (only PF, only PJ, or both)
• Full command control (return to start, switch account types, module updates, and all tokens)
This solution is explicitly designed for mass unauthorized collection of personal and corporate data, social engineering, and banking fraud, constituting serious violations of Brazil’s LGPD (General Data Protection Law), the Penal Code (fraud and electronic fraud), and the Internet Civil Rights Framework.
The ad highlights “limited spots” and includes a demonstration video.
#CyberAlert #BankFraud #TelaCaixa #CyberCrime #LGPD #DataProtection #ReportFraud #CyberSecurity @Caixa
Introducing the new /crawl endpoint - one API call and an entire site crawled.
No scripts. No browser management. Just the content in HTML, Markdown, or JSON.
Então, aparentemente se você conectar todas as bases de dados abertas do Brasil, da para detectar corrupção com base no CPF de políticos
Construí um negócio e não sei o que fazer com isso, não tô querendo ir de vala
🚨BRUTAL | Influenciadora que costumava postar nas redes sociais frases dizendo gostar de homens perigosos, com ficha criminal e que a ameaçassem, acabou sendo executada a sangue frio por um ex-namorado em Florianópolis.
O Café com teu pai está alugando um triplex na cabeça das msol e feministas
Kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
🚨AGORA - Lula tenta justificar viagens de Janja e diz que ela não nasceu para ser dona de casa
“A mulher do presidente Lula não nasceu para ser dona de casa. Ela vai estar onde ela quiser, vai falar o que ela quiser e vai andar para onde ela quiser”
🚨VEJA - Javier Milei eliminou o financiamento público aos partidos políticos
Cada partido político deverá ser financiado com contribuições voluntárias de doadores ou afiliados políticos.