In what looks to be a huge phishing effort, cybergang TA558 is once again targeting government organizations and businesses in Latin America with the goal of installing the remote access malware Venom RAT.

The effort, which was first discovered by Perception Point threat researcher Idan Tarab, targets a wide range of sectors, including those in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina. While it's yet unclear whether any Latin American cryptocurrency company was compromised by a TA558-managed hack, Tarab emphasized the campaign's broad scope, which goes beyond lodging and tour operators to include finance, manufacturing, and industrial businesses.

Tarab claims that the most recent assault chain drops Venom RAT after using phishing emails as the main initial access method. This specific strain, which is a Quasar RAT clone, has features that allow it to remotely manage a machine and steal sensitive data, including passwords, images, bank details, and more.

Reportedly active since at least 2018, TA558 has a history of targeting organizations in the Latin American area and deploying a variety of malware, such as Loda RAT, Vjw0rm, and Revenge RAT.

Cybersecurity experts discovered a new phishing toolkit earlier this year called CryptoChameleon, which targets employees at the Federal Communications Commission as well as workers at cryptocurrency companies including Coinbase, Binance, Gemini, ShakePay, and Trezor.

According to Lookout experts, the attackers use advanced social engineering techniques and create believable single sign-on sites that imitate real ones from Okta, a cloud service provider, in order to authenticate. This multi-phase attack uses phone, SMS, and email phishing to force victims, mostly in the United States, to provide personal information and important credentials.