IBM is warning about UnregStealer, a banking trojan that hides behind a fake Chrome browser extension and a bogus SSL certificate update prompt to steal credentials from Latin American banks, with Brazilian banking portals specifically in the crosshairs, according to IBM's write-up on the well-camouflaged bank malware.
- Targets: Latin American banks, especially Brazil
- Disguise: Fake Chrome extension and fake SSL update
- Steals: Passwords, OTPs, session cookies, account numbers
- Detection: Human-operated and hard to catch with sandboxes
IBM says the campaign is a classic piece of social engineering dressed up like a security warning. Victims are pushed toward installing an executable that claims their browser needs a mandatory SSL certificate update. That claim is fabricated. There is no special browser requirement here — just a convincing lie designed to get users to run malware themselves. No zero-day fireworks, no high-tech wizardry. Just an old-school con with better branding.
Once installed, UnregStealer watches for activity on a targeted banking site and captures data as it is entered. That includes login credentials, session cookies, one-time passwords, account numbers, and other privileged banking information. Session cookies are especially valuable because they can keep a user logged in; if an attacker steals one, they may not need the password at all. They can sometimes reuse the active session and walk right in like they belong there. Which, frankly, is a scammer’s dream and a user’s nightmare.
IBM senior threat researcher Itzhak Chimino described the malware as “well-camouflaged” and “nearly invisible” to cyber threat detection systems. That is not marketing fluff. The campaign is designed to stay quiet until a victim is actively using a targeted banking portal, then a real human operator manually decides when to trigger the theft. That human-in-the-loop setup matters because many security tools rely on automated testing environments, including sandboxes — controlled systems used to observe suspicious files. If the malware does nothing obvious unless a person is steering it in real time, those defenses may see very little at all.
“Based on the executable naming convention and delivery pattern, victims are most likely presented with what appears to be a security warning informing them that their browser requires a mandatory SSL certificate update…”
“The ‘certificate’ is entirely fabricated, and no such browser requirement exists. It is simply a convincing cover story to get the victim to run an executable.”
“This trojan involves a real operator, who watches each victim session live and pulls the trigger manually. This variation makes the campaign nearly invisible to sandboxes and behavioral detection systems that never see the payload activate.”
The design is sneaky, but it is also a reminder that a lot of cybercrime still depends on the oldest vulnerability in the book: the person at the keyboard. A fake browser update prompt is not sophisticated in the glamorous Hollywood sense, but it is effective because it borrows the language of legitimacy. SSL sounds technical. Chrome extension sounds routine. Security warning sounds urgent. Put those together and some victims will click first and think later. That’s the whole scam: weaponized trust, wrapped in jargon.
IBM also said the infrastructure patterns it observed suggest the operator may be able to expand beyond the targets confirmed so far. That matters because attack playbooks like this are reusable. If a fake SSL update prompt works in one market, it can be adapted for others with minimal effort. Cybercriminals are not known for their patriotic devotion to one region. If the hustle prints money, they’ll keep scaling it until someone burns the whole machine down.
For banks, this kind of threat is especially ugly because it targets the session itself, not just the password. Traditional security advice often focuses on strong passwords and multi-factor authentication, but OTPs can be stolen too, and session cookies can sidestep a password entirely. That means defenders need more than checkbox security theater. They need tighter session monitoring, anomaly detection, and better user education around fake update prompts and malicious browser extensions. Users, meanwhile, should treat any pop-up or downloaded file claiming to be a browser security update as suspicious until verified through official browser channels only. If a random page tells you Chrome needs a certificate update, that is not a helpful prompt. It is probably a trap.
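The session-monitoring point above is concrete enough to show in code. The following is an added example (not IBM's code and not part of its report) of the kind of anomaly check a bank's fraud or SOC team could run over its own web access records: a session cookie that was issued to one client fingerprint and is suddenly presented from a different IP address or browser within a short window looks like a replayed cookie rather than a returning customer. The log format, field names, session identifiers, IP addresses and thresholds are all constructed for the example; real deployments would read from the application's own session store or access logs.

```python
"""
Session-cookie reuse detection over constructed web access records.

Added example, not IBM's code. Idea: a stolen session cookie replayed by
an attacker from their own machine shows up as the same session id being
used from a new IP and/or user agent shortly after the legitimate user.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class AccessRecord:
    ts: datetime
    session_id: str   # opaque value carried in the session cookie (constructed)
    client_ip: str
    user_agent: str
    path: str


@dataclass(frozen=True)
class Anomaly:
    session_id: str
    first_ip: str
    new_ip: str
    first_user_agent: str
    new_user_agent: str
    gap: timedelta
    reason: str       # which fingerprint fields changed


# Constructed sample log: ISO timestamp|session id|client ip|user agent|path
# sess-aaa111 is "hijacked" 2.5 minutes into the session; sess-ccc333 merely
# changes IP after an hour with the same browser (e.g. a mobile network hop).
SAMPLE_LOG = """\
2024-05-01T10:00:00|sess-aaa111|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/124|/login
2024-05-01T10:00:05|sess-aaa111|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/124|/accounts
2024-05-01T10:02:30|sess-aaa111|198.51.100.77|Mozilla/5.0 (X11; Linux x86_64) Firefox/125|/accounts
2024-05-01T10:02:45|sess-aaa111|198.51.100.77|Mozilla/5.0 (X11; Linux x86_64) Firefox/125|/transfer
2024-05-01T11:00:00|sess-bbb222|192.0.2.5|Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1|/login
2024-05-01T11:05:00|sess-bbb222|192.0.2.5|Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1|/accounts
2024-05-01T12:00:00|sess-ccc333|192.0.2.8|Mozilla/5.0 (Windows NT 10.0) Chrome/124|/login
2024-05-01T13:00:00|sess-ccc333|192.0.2.9|Mozilla/5.0 (Windows NT 10.0) Chrome/124|/accounts
"""


def parse_log(text: str) -> list[AccessRecord]:
    """Parse the pipe-delimited constructed log format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip, ua, path = line.split("|", 4)
        records.append(AccessRecord(datetime.fromisoformat(ts), sid, ip, ua, path))
    return records


def detect_session_hijack(records: Iterable[AccessRecord],
                          ip_window: timedelta = timedelta(minutes=30)) -> list[Anomaly]:
    """
    Flag a session whose cookie is presented with a changed client fingerprint.

    Rules (constructed thresholds for the example):
      * a user-agent change is flagged regardless of timing, because a
        browser does not normally change mid-session;
      * an IP-only change is flagged only if it happens within `ip_window`
        of the previous request, to tolerate slow roaming between networks.
    """
    last_seen: dict[str, AccessRecord] = {}
    anomalies: list[Anomaly] = []
    for rec in sorted(records, key=lambda r: r.ts):
        prev = last_seen.get(rec.session_id)
        if prev is not None:
            changed = []
            gap = rec.ts - prev.ts
            if prev.client_ip != rec.client_ip and gap <= ip_window:
                changed.append("client_ip")
            if prev.user_agent != rec.user_agent:
                changed.append("user_agent")
            if changed:
                anomalies.append(Anomaly(
                    session_id=rec.session_id,
                    first_ip=prev.client_ip, new_ip=rec.client_ip,
                    first_user_agent=prev.user_agent, new_user_agent=rec.user_agent,
                    gap=gap, reason=", ".join(changed)))
        last_seen[rec.session_id] = rec
    return anomalies


if __name__ == "__main__":
    for a in detect_session_hijack(parse_log(SAMPLE_LOG)):
        print(f"{a.session_id}: {a.reason} changed after {a.gap} "
              f"({a.first_ip} -> {a.new_ip}); consider forcing re-authentication")
```

Run on the sample, only `sess-aaa111` is reported: the cookie moves to a new IP and a different browser within minutes of the login, which is the pattern a replayed cookie produces. `sess-ccc333` is left alone because only the IP changed, and an hour later. The sensible response to a hit is to invalidate the session and require a fresh login rather than to block the account outright.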
The bigger takeaway is blunt: browser-based credential theft is still one of the easiest ways for criminals to get paid. Not because the tools are magical, but because people are busy, distracted, and trained to trust security-looking messages. That is exactly why campaigns like UnregStealer keep working. They do not need to outgun the entire security stack. They just need one person to take the bait.
- What is UnregStealer?
  A banking trojan that steals financial login data and session information while pretending to be a browser-related security component.
- How does it infect victims?
  By posing as a Chrome browser extension and a fake SSL certificate update prompt that tricks users into running an executable.
- What information does it steal?
  Login credentials, session cookies, passwords, one-time passwords, account numbers, and other sensitive banking data.
- Why is it hard to detect?
  A human operator manually triggers the attack only when the victim is on a targeted banking site, which helps it evade sandboxes and behavioral detection systems.
- Which region is being targeted?
  Latin America, with Brazilian banking portals specifically mentioned by IBM.
- Could this campaign spread further?
  Yes. IBM says the infrastructure suggests the operator may have both the capability and motivation to expand beyond the confirmed targets.