Date: 06/22/2026
Severity: Medium
Summary
Discovered by Trusteer in May 2026, UnregStealer is a bespoke, human-operated trojan campaign targeting financial institutions in Latin America (LATAM). Unlike typical LATAM banking trojans, which use automated infection chains and compiled malware, UnregStealer relies on a live operator who monitors victim sessions in real time and deploys payloads manually. Because this hands-on approach avoids the automated triggers that security systems look for, the campaign is exceptionally difficult for sandboxes and behavioral detection tools to spot.
Indicators of Compromise (IOC) List
Domains/URLs:
http://goingg.is
http://kak.is
http://goingg.is/urlzzz.php
http://kak.is/urlzzz.php
http://goingg.is/t.php
http://goingg.is/te_3_la.js
http://kak.is/pipiteimosa.extension.js
http://kak.is/get_it.php
http://xx.kak.is/_clkfx/lnk1.txt
Hashes (SHA-256):
265bf18a532d4751918ca0564a3006dd3ad3ff9aa88fa588a41fb8013c6ad609
27a72e1f876fdbf9b15a568268bf6f7ba0e2900f1b70ca07df21c6de4137196b
371a173cb03d21d4f810eae883f8aca212eac30f92c66e4d37281fac06c92595
186ec4f73321629298f0b0ef14f306380d09f50e9abedd86bfe1fcbf4ca81afe
79bc49caeafa2d24617a7f82ca579d0a6c5fac230f42c3f39f9655f0fbda131a
15562fcafef15f60ec7d8565c1fc38e59c913895b1d9072100da8c5c6d6e0774
14c92156444da27d28035f1612a6d4bc01d08c16bba1603d5aac398a6a987f8d
Files:
certificado.exe / crtf.exe / cert.exe
vvvv.cmd / help.bat
pipiteimosa.extension.js
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network indicators):
domainname like "http://xx.kak.is/_clkfx/lnk1.txt" or url like "http://xx.kak.is/_clkfx/lnk1.txt" or siteurl like "http://xx.kak.is/_clkfx/lnk1.txt" or domainname like "http://kak.is/pipiteimosa.extension.js" or url like "http://kak.is/pipiteimosa.extension.js" or siteurl like "http://kak.is/pipiteimosa.extension.js" or domainname like "http://kak.is" or url like "http://kak.is" or siteurl like "http://kak.is" or domainname like "http://kak.is/get_it.php" or url like "http://kak.is/get_it.php" or siteurl like "http://kak.is/get_it.php" or domainname like "http://goingg.is/urlzzz.php" or url like "http://goingg.is/urlzzz.php" or siteurl like "http://goingg.is/urlzzz.php" or domainname like "http://goingg.is" or url like "http://goingg.is" or siteurl like "http://goingg.is" or domainname like "http://goingg.is/te_3_la.js" or url like "http://goingg.is/te_3_la.js" or siteurl like "http://goingg.is/te_3_la.js" or domainname like "http://goingg.is/t.php" or url like "http://goingg.is/t.php" or siteurl like "http://goingg.is/t.php" or domainname like "http://kak.is/urlzzz.php" or url like "http://kak.is/urlzzz.php" or siteurl like "http://kak.is/urlzzz.php"
Detection Query 2 (file hashes):
sha256hash IN ("186ec4f73321629298f0b0ef14f306380d09f50e9abedd86bfe1fcbf4ca81afe","15562fcafef15f60ec7d8565c1fc38e59c913895b1d9072100da8c5c6d6e0774","14c92156444da27d28035f1612a6d4bc01d08c16bba1603d5aac398a6a987f8d","27a72e1f876fdbf9b15a568268bf6f7ba0e2900f1b70ca07df21c6de4137196b","371a173cb03d21d4f810eae883f8aca212eac30f92c66e4d37281fac06c92595","79bc49caeafa2d24617a7f82ca579d0a6c5fac230f42c3f39f9655f0fbda131a","265bf18a532d4751918ca0564a3006dd3ad3ff9aa88fa588a41fb8013c6ad609")
Detection Query 3 (Windows object-access audit, event 4663):
resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("certificado.exe","crtf.exe","cert.exe","vvvv.cmd","help.bat","pipiteimosa.extension.js")
Detection Query 4 (EDR telemetry):
technologygroup = "EDR" and objectname IN ("certificado.exe","crtf.exe","cert.exe","vvvv.cmd","help.bat","pipiteimosa.extension.js")
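The four queries above express one detection idea: match the published indicators against URL/domain fields, SHA-256 hashes and object (file) names. The script below is an added example, not Gurucul's or Trusteer's code, that applies the same logic to a handful of constructed log records so the matching can be checked offline. It uses the indicator values listed on this page verbatim; the record field names (url, siteurl, domainname, sha256hash, objectname, resourcename, eventtype, technologygroup) are taken from the queries, and everything else (the record layout, the sample records, subdomain matching, basename extraction) is an assumption of this example. It goes slightly beyond the queries in two places: a domain field holding only a hostname is matched against the hosts of the IOC URLs (including subdomains of them), and an object name holding a full path is reduced to its basename before comparison, because the 4663 event's object name normally carries the full path.

```python
"""IOC matcher for the UnregStealer indicators on this page.
Added example, not vendor code; log records below are constructed."""

from urllib.parse import urlparse

# Indicators copied from the advisory's IOC list (lower-cased for comparison).
IOC_URLS = {
    "http://goingg.is", "http://kak.is",
    "http://goingg.is/urlzzz.php", "http://kak.is/urlzzz.php",
    "http://goingg.is/t.php", "http://goingg.is/te_3_la.js",
    "http://kak.is/pipiteimosa.extension.js", "http://kak.is/get_it.php",
    "http://xx.kak.is/_clkfx/lnk1.txt",
}
IOC_SHA256 = {
    "265bf18a532d4751918ca0564a3006dd3ad3ff9aa88fa588a41fb8013c6ad609",
    "27a72e1f876fdbf9b15a568268bf6f7ba0e2900f1b70ca07df21c6de4137196b",
    "371a173cb03d21d4f810eae883f8aca212eac30f92c66e4d37281fac06c92595",
    "186ec4f73321629298f0b0ef14f306380d09f50e9abedd86bfe1fcbf4ca81afe",
    "79bc49caeafa2d24617a7f82ca579d0a6c5fac230f42c3f39f9655f0fbda131a",
    "15562fcafef15f60ec7d8565c1fc38e59c913895b1d9072100da8c5c6d6e0774",
    "14c92156444da27d28035f1612a6d4bc01d08c16bba1603d5aac398a6a987f8d",
}
IOC_FILES = {"certificado.exe", "crtf.exe", "cert.exe",
             "vvvv.cmd", "help.bat", "pipiteimosa.extension.js"}

# Hostnames derived from the IOC URLs, so a record whose domainname field
# holds only a host (the usual case for proxy/DNS logs) still matches.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}


def _host_matches(host):
    """Exact IOC host, or a subdomain of one (assumption of this example)."""
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)


def url_matches(record):
    """Query 1: url / siteurl / domainname hits an IOC URL or IOC host."""
    for field in ("url", "siteurl", "domainname"):
        value = record.get(field)
        if not value:
            continue
        v = value.strip().rstrip("/").lower()
        if v in IOC_URLS:
            return True
        host = urlparse(v).hostname if "://" in v else v
        if host and _host_matches(host):
            return True
    return False


def hash_matches(record):
    """Query 2: SHA-256 of the observed file is one of the listed hashes."""
    return record.get("sha256hash", "").strip().lower() in IOC_SHA256


def filename_matches(record):
    """Queries 3 and 4: listed file name seen in a Windows Security 4663
    event or in EDR telemetry. Full paths are reduced to their basename."""
    name = record.get("objectname", "")
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base not in IOC_FILES:
        return False
    win_audit = (record.get("resourcename") == "Windows Security"
                 and str(record.get("eventtype")) == "4663")
    edr = record.get("technologygroup") == "EDR"
    return win_audit or edr


def scan(records):
    """Return (record index, reason) for every record that hits an IOC."""
    hits = []
    for i, rec in enumerate(records):
        if url_matches(rec):
            hits.append((i, "ioc_url"))
        elif hash_matches(rec):
            hits.append((i, "ioc_sha256"))
        elif filename_matches(rec):
            hits.append((i, "ioc_filename"))
    return hits


# Constructed sample records: a mix of hits and benign look-alikes.
SAMPLE_LOGS = [
    {"url": "http://goingg.is/urlzzz.php", "domainname": "goingg.is"},    # 0 hit
    {"url": "https://www.example.com/login", "domainname": "www.example.com"},  # 1
    {"domainname": "xx.kak.is"},                                           # 2 hit
    {"sha256hash": "265BF18A532D4751918CA0564A3006DD3AD3FF9AA88FA588A41FB8013C6AD609"},  # 3 hit
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": "C:\\Users\\victim\\Downloads\\certificado.exe"},       # 4 hit
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": "C:\\Windows\\System32\\cmd.exe"},                      # 5
    {"technologygroup": "EDR", "objectname": "help.bat"},                  # 6 hit
    {"resourcename": "Windows Security", "eventtype": "4656",
     "objectname": "C:\\Temp\\cert.exe"},                                  # 7 (wrong event)
    {"domainname": "notkak.is"},                                           # 8
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_LOGS):
        print(f"record {idx}: {reason} -> {SAMPLE_LOGS[idx]}")
```

Record 7 is left unmatched on purpose: it mirrors the query's condition that the Windows audit source only counts for event 4663, so an analyst tuning this for a different event source would extend filename_matches rather than loosen the name list.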
Reference:
https://www.ibm.com/think/news/unregstealer-human-operated-browser-credential-theft-targeting-brazilian-banking