TimbreStealer Malware Targets Mexico Companies with Advanced Evasion Techniques
ID: eb988289-3ca2-5fd4-93d0-edcf8ee820a4
STIX ID: report--eb988289-3ca2-5fd4-93d0-edcf8ee820a4
Feed Name: WatchGuard Secplicity Blog
WatchGuard telemetry identified a targeted TimbreStealer campaign delivering malicious ZIPs (hosted on DigitalOcean IPs) that side-load oversized malicious DLLs (msedgeupdate.dll/goopdate.dll) to execute a multi-stage, encrypted payload. The malware uses custom API resolution, RC4 decryption, direct syscalls, and geofencing (timezone and UI language checks) to evade analysis and restrict execution to Mexican targets; once active it harvests browser, email, cloud storage, and user directories. Defenders should monitor suspicious ZIP downloads, unusual DLL sizes/locations, unexpected updater behavior, browser database access, and activity tied to cloud-hosted payloads.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
