logo

TimbreStealer Malware Targets Mexico Companies with Advanced Evasion Techniques

ID: eb988289-3ca2-5fd4-93d0-edcf8ee820a4

STIX ID: report--eb988289-3ca2-5fd4-93d0-edcf8ee820a4

Feed Name: WatchGuard Secplicity Blog

Threat Score
78/100

Date Published: 2026-07-02

Date Updated: 2026-07-03

Author: Euler Neto

...
...

WatchGuard telemetry identified a targeted TimbreStealer campaign delivering malicious ZIPs (hosted on DigitalOcean IPs) that side-load oversized malicious DLLs (msedgeupdate.dll/goopdate.dll) to execute a multi-stage, encrypted payload. The malware uses custom API resolution, RC4 decryption, direct syscalls, and geofencing (timezone and UI language checks) to evade analysis and restrict execution to Mexican targets; once active it harvests browser, email, cloud storage, and user directories. Defenders should monitor suspicious ZIP downloads, unusual DLL sizes/locations, unexpected updater behavior, browser database access, and activity tied to cloud-hosted payloads.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.