PLUMP SPIDER

Plump Spider is a financially motivated threat group associated with campaigns targeting Latin America, particularly Brazil. CrowdStrike identified Plump Spider as one of six major financially motivated operators either based in Latin America or primarily focused on targets in the region. Supporting content states the group has a history of financially motivated campaigns abusing government-themed domains and fake .gov.br structures to target Brazilian victims. In the referenced investigation, infrastructure overlap, hosting patterns, and recurring TTPs were assessed as a strong indicator of an operational link between a Brazilian infostealer campaign and Plump Spider. That campaign abused a legitimate Goiás government subdomain and a fake Amapá-themed URL path to distribute a Delphi-based executable, Certificado_PCAP.exe, packaged with Inno Setup. The malware chain established persistence, stole browser credentials, cookies, and session tokens, logged keystrokes, monitored user activity, and communicated with command-and-control infrastructure over HTTPS while disabling certificate validation. A secondary Electron-based component disguised as Boost Note used polling-based tasking, victim ID generation, POST-based exfiltration, and persistence via Windows Run keys and Electron login item settings. The same campaign also involved publicly accessible malicious JavaScript web stealers hosted on related infrastructure. These scripts exfiltrated URLs, cookies, form contents, localStorage, and sessionStorage, dynamically loaded additional payloads, and in one case implemented a full man-in-the-browser attack against Credifit administrative systems by intercepting traffic to admin.credifit.com.br and related APIs while exfiltrating captured data to attacker-controlled endpoints. Investigators also identified attacker infrastructure including kapa.is, kak.is, Webhook.site, and an exposed "Forever v1.0" administrative panel used to manage infected clients and push tasks. Part of the infrastructure was allocated to Master da Web Datacenter, a Brazilian hosting provider previously identified in campaigns attributed to Plump Spider, specifically hosting fake pages in the name of Autbank. Plump Spider is also mentioned alongside other sophisticated eCrime groups observed leveraging advanced social engineering tactics.