Byakugan – The Malware Behind a Phishing Attack
ID: 6d8beefd-715a-5e39-abcf-624d43542b84
STIX ID: report--6d8beefd-715a-5e39-abcf-624d43542b84
Feed Name: Fortinet Blog
FortiGuard Labs analyzed a Portuguese-language PDF campaign that distributes the Byakugan infostealer. The malware is packed with Node.js and is delivered by a downloader that relies on DLL hijacking; it installs itself in %APPDATA%/ChromeApplication, monitors and captures the screen, steals browser cookies, credit card data and profiles, injects cookies, and implements persistence and anti-analysis measures. The report includes C2 domains (thinkforce.com.br, blamefade.com.br), GitHub repositories, file hashes, Fortinet detection names, and recommended protections.
