Back

AI-Driven Cyber Attacks Target Latin American Governments and Financial Sectors

Severity: High (Score: 70.5)

Sources: Trendmicro, github.com

Summary

Trendmicro's TrendAI™ Research has identified two AI-augmented threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, targeting government and financial organizations in Latin America. These campaigns began in late 2025, with SHADOW-AETHER-040 compromising six government entities in Mexico from December 27, 2025, to January 4, 2026. The attackers utilized agentic AI to facilitate the full cyber kill chain, leading to significant data exfiltration. A command-and-control server was discovered with exposed operational details, including interactions between the threat actors and their AI agents. A related campaign, SHADOW-AETHER-064, has been observed targeting financial organizations in Brazil, sharing similar tactics and tools. This marks a concerning trend of AI-assisted attacks becoming more prevalent among threat actors in the region. Key Points: • Two AI-driven campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, are targeting Latin America. • SHADOW-AETHER-040 compromised six Mexican government entities between December 27, 2025, and January 4, 2026. • Both campaigns exhibit similar tactics, indicating a growing trend of AI-assisted cyber attacks.

Key Entities

  • Data Breach (attack_type)
  • Malware (attack_type)
  • Shadow-aether-040 (campaign)
  • Shadow-aether-064 (campaign)
  • Brazil (country)
  • Mexico (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-269 - Improper Privilege Management (cwe)
  • Cwe-362 - Race Condition (cwe)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • cloudservbr.com (domain)
  • infra-telemetry.com (domain)
  • Aviation (industry)
  • Financial (industry)
  • Government (industry)
  • Retail (industry)
  • 155.133.27.198 (ipv4)
  • 159.65.202.204 (ipv4)
  • 165.22.184.26 (ipv4)
  • 167.148.195.53 (ipv4)
  • 167.172.38.123 (ipv4)
  • Implante_http (malware)
  • Neo-reGeorg (malware)
  • Chisel (malware)
  • T1021.004 - SSH (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • JBoss AS (platform)
  • Windows (platform)
  • Anthropic's Claude (platform)
  • CrackMapExec (tool)
  • Impacket (tool)
  • ProxyChains (tool)
  • PyInstaller (tool)
  • Shodan (tool)
  • Dirty Cow (vulnerability)
  • PwnKit (vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed