A Look Back: The Evolution of Latin American eCrime Malware in 2024
ID: c92f35d6-69ec-57a4-8b86-1a40e327bf77
STIX ID: report--c92f35d6-69ec-57a4-8b86-1a40e327bf77
Feed Name: Crowdstrike Blog
This report analyzes Kiron (Grandoreiro) banking trojan activity in 2024. It documents delivery via NestoLoader (JPHP), a shift from a Delphi downloader to a Rust-based one, embedded AES/XOR-encrypted payloads, use of a DGA, operator-specific prefixes (z and pkc) targeting financial institutions across Latin America and parts of Europe, new browser-stealer extension capabilities that exfiltrate cookies and email addresses, enhanced obfuscation (Base64+XOR+PRNG), and operational overlap with SAMBA SPIDER/Mispadu. The report provides multiple IOCs (domains, IPs, hardcoded keys) indicative of active, sophisticated eCrime campaigns.
