Last updated: July 5, 2026 at 9:01 AM UTC
Tag: brazil (2 articles)

Malicious 'Sicoob.Sdk' NuGet steals Brazilian banking PFX certificates via hardcoded Sentry endpoint - amplified by Google Search AI Mode

Socket has flagged a malicious NuGet package, Sicoob.Sdk (versions 2.0.0-2.0.4), that masquerades as a C# SDK for Sicoob, one of Brazil's largest cooperative financial systems, and steals PFX certificates used to authenticate businesses with Sicoob's banking APIs. When a developer instantiates SicoobClient, the package reads the PFX file from disk, Base64-encodes it, and exfiltrates the client ID, PFX password, and encoded certificate to a hardcoded third-party Sentry endpoint. It also captures raw Boleto API responses. The package was downloaded ~500 times and the publisher has 11 other NuGet packages with ~6,000 combined downloads. Google Search AI Mode reportedly amplified the package as legitimate.

Check
Inventory C# projects for Sicoob.Sdk versions 2.0.0-2.0.4 and for the publisher's 11 other packages. Search outbound traffic for connections to the attacker-controlled Sentry endpoint listed in Socket's IoCs.
Affected
C# developers integrating with Sicoob banking APIs in Brazil. Any project that pulled Sicoob.Sdk via NuGet had PFX certificates, client IDs, and Boleto data harvested.
Fix
Remove all 12 affected NuGet packages and rotate every Sicoob PFX certificate and client credential reachable from affected hosts. Going forward, verify that NuGet package signatures and publishers match the expected GitHub source before adopting a package.

New 'TCLBanker' Android malware spreads itself by hijacking WhatsApp and Outlook to message every contact in the victim's address book

Researchers disclosed TCLBANKER, an Android banking trojan that adds worm-style self-propagation: once installed, it abuses Accessibility Services to read the victim's WhatsApp and Outlook contact lists and then sends malicious download links to every contact as if from the victim. The malware targets banking and crypto-wallet apps with overlay screens that capture credentials, plus SMS-interception modules that grab one-time passcodes. Self-spreading through the victim's own messaging history defeats traditional URL-reputation controls. The campaign initially targets banking apps in Brazil, Spain, and Italy. Operators are renting access on Telegram for $1,500-3,000/month.

Check
Brief staff who manage Android devices that any 'app download' link sent through WhatsApp or Outlook from a known contact during business hours should be verified out-of-band before clicking. Review unfamiliar Android apps requesting Accessibility Services.
Affected
Android users in Brazil, Spain, and Italy initially, but worm-style spread will broaden the geography rapidly. Acute risk: anyone whose phone has Accessibility Services enabled for any third-party app. Banking and cryptocurrency app users face credential theft via overlay attacks. Contact networks of infected users receive the lures next.
Fix
On managed Android devices: enforce MDM policies that block sideloading and require approval for any app requesting Accessibility Services. Disable Accessibility Services for apps that don't genuinely need it. Brief staff on the worm-spread pattern: a contact sending a link to download an app is a hostile signal regardless of who the sender is.
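The "review unfamiliar apps requesting Accessibility Services" check above can be run from the command line on a device attached over ADB: `adb shell settings get secure enabled_accessibility_services` prints the enabled services as a colon-separated list of `package/service` entries (a service written as `.Name` is relative to its package, and the setting reads `null` when nothing is enabled). The script below is an added example, not tooling from the researchers or the article; it parses that setting and reports every enabled service whose package is not on an allowlist you maintain. The allowlist and the sample ADB output are constructed for this example: the TalkBack package name is a real Android screen reader, while `com.example.freevpn` is a made-up package standing in for an unapproved app.

```python
"""Flag enabled Android accessibility services that are not on an allowlist.

Added example for the TCLBANKER summary above; the sample output is constructed.
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_ADB_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.freevpn/.AccessHelperService"
)

# Assumed organisational allowlist: packages that legitimately need accessibility access.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Turn the raw setting value into (package, fully qualified service) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # 'null' is what `settings get` prints when unset
        return []
    services = []
    for item in raw.split(":"):
        if not item:
            continue
        pkg, _, svc = item.partition("/")
        if svc.startswith("."):  # shorthand: class name relative to the package
            svc = pkg + svc
        services.append((pkg, svc))
    return services


def unapproved_services(raw: str, allowed: set[str]) -> list[tuple[str, str]]:
    """Return enabled services whose package is not allowlisted."""
    return [(pkg, svc) for pkg, svc in parse_enabled_services(raw) if pkg not in allowed]


if __name__ == "__main__":
    for pkg, svc in unapproved_services(SAMPLE_ADB_OUTPUT, ALLOWED_PACKAGES):
        print(f"REVIEW: {pkg} has accessibility service {svc} enabled")
```

Feed the script the real setting value from each device (for example via `adb shell settings get secure enabled_accessibility_services`) and treat every reported package as a candidate for removal or for a closer look at how it was installed.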