Cyberattacks in San Juan:
two companies lose over $200 million to Trojan virus

In recent hours, two companies in San Juan have fallen victim to cyberattacks with alarming consequences: over 200 million pesos were stolen through Trojan-type malware, a technique increasingly common in the world of cybercrime.

The affected firms, the distributor Rafael Moreno and the El Castaño clinic, suffered virtual thefts using a similar method, and all indications suggest they may be part of the same criminal network. The Cybercrime Prosecutor’s Unit is already investigating the cases.

How did the attack work?

In both cases, the attack began with the infection of the system through a malicious file, likely received via email. Once opened, the file installed a Trojan: a virus that remains hidden until it detects an active banking session.

When one of the users logged into the company’s bank account, the virus activated, froze the computer’s keyboard and mouse, and executed an automated script that transferred the funds to newly created bank accounts. The entire process lasted just a few minutes and occurred without direct human intervention, demonstrating the high level of automation and sophistication of these types of attacks.

In Rafael Moreno’s case, the loss exceeded $100 million. At El Castaño Clinic, the same thing happened, with a similar amount. In both cases, the banks were able to partially freeze the transfers, recovering around $40 million before the funds were fully withdrawn.

A repeating pattern

This type of scheme is not new, but it is on the rise. According to authorities, Trojan viruses are installed through PDF files, images, or other attachments that, once opened, trigger the infection process. The Trojan remains dormant until it detects access to banking platforms, at which point it initiates a series of actions that are nearly impossible to stop.

What’s most concerning is that the stolen funds don’t end up in easily traceable accounts. Instead, they are divided among multiple intermediary accounts, many of which are registered under the names of young individuals or foreigners with no connection to each other. Eventually, the money often ends up converted into cryptocurrency, where traceability becomes virtually nonexistent.

What now? The challenge of investigating this type of crime

As stated by prosecutor Pablo Martín, who is leading the case, most of these attacks do not originate within the country, which makes it difficult to act quickly. Added to this is the use of false or stolen identities, mule accounts, and decentralized value exchange platforms.

The Public Prosecutor’s Office pointed out that the banks’ systems failed to issue early alerts and emphasized the urgent need for stronger measures, such as temporary holds on suspicious transactions, to give institutions time to verify movements before they are completed.
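The following is an added example, not code from the original post or from any bank, of the kind of temporary-hold rule the prosecutors call for: a transfer to a beneficiary the account has never paid is held when it reaches an amount limit or belongs to a burst of such transfers inside a short window, so a person can verify it before it completes. All thresholds, account names and amounts are constructed assumptions, not figures from the article.

```python
"""Temporary-hold rule for outbound transfers, modelled on the San Juan pattern.

Added example, not the original post's code. Account names, amounts and
thresholds are constructed for the demo. Transfers are assumed to arrive in
time order.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

@dataclass
class Transfer:
    account: str         # paying company account
    beneficiary: str     # destination account identifier
    amount: float        # in the account's currency
    at: datetime

class HoldPolicy:
    def __init__(self, known: Dict[str, Set[str]], amount_limit: float,
                 burst_count: int, burst_window: timedelta):
        self.known = {k: set(v) for k, v in known.items()}  # previously paid beneficiaries
        self.amount_limit = amount_limit
        self.burst_count = burst_count
        self.burst_window = burst_window
        self._recent_new: Dict[str, List[datetime]] = {}   # new-beneficiary transfer times

    def evaluate(self, t: Transfer) -> List[str]:
        """Return the reasons to hold t; an empty list means release it."""
        if t.beneficiary in self.known.get(t.account, set()):
            return []                      # routine payee: no hold
        reasons = []
        if t.amount >= self.amount_limit:
            reasons.append("new beneficiary, amount at or above limit")
        recent = self._recent_new.setdefault(t.account, [])
        recent.append(t.at)
        recent[:] = [x for x in recent if t.at - x <= self.burst_window]
        if len(recent) >= self.burst_count:
            reasons.append("new beneficiary, burst of transfers to new beneficiaries")
        return reasons

    def release(self, t: Transfer) -> None:
        """After a human verifies the transfer, remember the beneficiary as known."""
        self.known.setdefault(t.account, set()).add(t.beneficiary)

def run_demo() -> List[List[str]]:
    """Replay a constructed burst: three transfers to new accounts within minutes."""
    policy = HoldPolicy(known={"ACME": {"SUPPLIER-1"}}, amount_limit=5_000_000,
                        burst_count=3, burst_window=timedelta(minutes=10))
    t0 = datetime(2025, 5, 2, 10, 0)
    batch = [
        Transfer("ACME", "SUPPLIER-1", 9_000_000, t0),                        # routine payee
        Transfer("ACME", "NEW-ACCT-A", 2_000_000, t0 + timedelta(minutes=1)),
        Transfer("ACME", "NEW-ACCT-B", 7_500_000, t0 + timedelta(minutes=2)),
        Transfer("ACME", "NEW-ACCT-C", 1_500_000, t0 + timedelta(minutes=3)),
    ]
    return [policy.evaluate(t) for t in batch]
```

In the demo, the routine payment and the first small transfer are released, the large transfer is held on amount, and the third new-beneficiary transfer is held by the burst rule even though its amount is small.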

Authorities also stressed the importance of companies raising their cybersecurity standards, especially those that handle large amounts of money or sensitive information. Simple actions like avoiding opening files from unknown emails or using dedicated computers for financial operations can make a big difference.

What can we learn from this?

The incidents in San Juan are not isolated cases. They are a new warning sign for the Argentine business ecosystem, which often underestimates digital risks or lacks the resources to implement preventive solutions.

Investing in cybersecurity is an operational necessity. Today, the economic, reputational, and legal damage caused by a cyberattack far outweighs the cost of preventing it.

Moreover, these types of crimes highlight that security cannot rely solely on banks. It is a shared responsibility between the financial sector, the government, and every organization that uses digital systems for management or payments.

An urgent agenda for the private sector

In a context where more and more companies are shifting toward digitalization and remote work, securing access, monitoring abnormal behavior, and training teams in cybersecurity best practices is no longer optional. It’s strategic.

This time, San Juan was the epicenter of a case that could easily be repeated anywhere in the country. That’s why it’s essential to stop viewing these incidents as isolated exceptions and start understanding them as part of a real and ongoing threat, one that demands a structural response.

Heimdall Agency copyright © 2024. All rights reserved

The largest cyberattack on Brazil's financial system.
Lessons for the entire region?

In just two and a half hours, Brazil’s financial system suffered the most serious cyberattack in its history. Over 148 million dollars were stolen through a meticulous operation carried out using legitimate credentials obtained illegally. The target was C&M Software, a company authorized by the Central Bank to connect fintechs and smaller banks with the core infrastructure of the national banking system.

The attack directly affected reserve accounts — funds that financial institutions hold at the Central Bank to ensure liquidity and operate with government bonds or loans. Among the impacted entities are BMP, Banco Paulista, and Credsystem, though a full list has yet to be confirmed. Only BMP has reported a loss of nearly 100 million dollars.

A weak link: the real point of entry

What stands out the most is not the direct access to Central Bank systems, but rather the exploitation of a weaker link in the chain: an external provider. This was a classic supply chain attack. The attackers did not breach the main target directly — instead, they used a third party’s infrastructure (C&M Software) to gain access to the systems.

Access was obtained through credentials provided by a company employee, João Nazareno Roque, who admitted to receiving just a few thousand reais in exchange for granting entry and explaining how to navigate the system.

This incident reveals not only a technical flaw, but also a serious human vulnerability: manipulation, social engineering, and the lack of internal controls over privileged access.

From Fraud to Laundering in Minutes

The hackers used the credentials to carry out fraudulent transactions, many of which were quickly converted into cryptocurrency, making them extremely difficult to trace. According to experts, the level of sophistication involved suggests the possible participation of both local criminal groups and international networks specialized in banking fraud.

The Central Bank responded by temporarily suspending access for institutions connected to C&M — a measure aimed at containing the immediate impact. However, the incident had already triggered a loss of trust and raised alarms across the entire region.

What went wrong, and what needs to change?

Cybersecurity experts agree that this incident reveals a structural weakness in the financial system:

  • The rapid digitalization of the sector has not been matched by an equally fast security architecture.

  • The reliance on third parties to manage critical infrastructure exposes institutions to new risk vectors.

  • The traditional perimeter-based security model is no longer sufficient: access segmentation, multi-factor authentication, and continuous monitoring must be mandatory, not optional.

According to Fred Amaral, director of an open banking fintech, “Security isn’t solved by building more walls — it requires rethinking the entire model from the core.” He also argues that the Central Bank should take on a more active role, not only as a regulator, but also as a technology operator and central point of defense.

A Regional Wake-Up Call

Although this case occurred in Brazil, its impact goes beyond borders. Any country with digitalized financial structures, expanding fintechs, or outsourced technology services should take note. The risk of a similar attack is always present, and resilience depends on prevention, architecture, and cooperation.

The adoption of international security standards, the establishment of stronger CSIRTs, intelligence sharing with other countries, and sustained investment in cybersecurity culture are urgent steps.

What does this attack leave behind?

Beyond the economic and reputational damage, this attack leaves several key lessons:

  • It’s not just about protecting the “big players,” but securing the entire chain.

  • Digital trust is as critical as the infrastructure itself.

  • And most importantly: cybersecurity is no longer just a technical issue — it’s a strategic priority for every actor in the financial system.

Google Patches Actively Exploited Chrome Zero-Day:
CVE-2025-5419

Google has once again responded to an active exploitation in the wild with the release of an emergency security update for its Chrome browser. The newly disclosed vulnerability, CVE-2025-5419, marks the third zero-day patched in Chrome this year, continuing a troubling trend of high-impact flaws being leveraged by threat actors in real-world attacks.

What happened?

CVE-2025-5419 is a high-severity vulnerability caused by an out-of-bounds read/write condition in Chrome’s JavaScript engine, V8. The flaw allows attackers to access memory areas they shouldn’t, potentially leading to code execution or browser compromise.

The issue was reported by Clément Lecigne and Benoît Sevens from Google’s Threat Analysis Group, who have a history of identifying zero-days under active exploitation. Within 24 hours of discovery, Google mitigated the issue with a configuration change across Chrome’s stable channels.

A full patch was released shortly after via Chrome version 137.0.7151.68/.69 for Windows and Mac, and 137.0.7151.68 for Linux. These updates will roll out to all users over the coming weeks.

Why is it important?

Google confirmed that this vulnerability was already being actively exploited in the wild, although specific attack details are being withheld until more users receive the update. This is a standard policy designed to protect users while the patch propagates.

This zero-day follows two others discovered earlier this year:

  • CVE-2025-2783, used in espionage campaigns targeting Russian media and government sectors
  • Another critical flaw patched in May that enabled account takeovers via Chrome

These incidents highlight how modern threat actors are leveraging browser-level vulnerabilities not just for data theft, but for espionage, privilege escalation, and credential harvesting.

What should you do?

If your organization uses Chrome, immediate action is recommended. Even though Chrome auto-updates on most systems, enterprises should ensure deployment through managed environments is completed without delay.

Recommended actions

  • Update Chrome immediately to version 137.0.7151.68/.69 or later
  • Monitor system logs for signs of suspicious browser behavior
  • Apply update policies centrally for endpoint consistency
  • Review patch cycles for web browsers across your environment
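An added example, not code from the original post or from Google, that turns the first recommended action into a check: it parses the locally reported Chrome version and compares it numerically against the patched build quoted above. The binary names it tries on PATH are assumptions; on managed fleets you would feed it the version strings your inventory tool already collects.

```python
"""Check whether an installed Chrome build includes the CVE-2025-5419 fix.

Added example, not code from the original post or from Google. The patched
builds quoted in the post are 137.0.7151.68/.69 (Windows and Mac) and
137.0.7151.68 (Linux). Versions are compared numerically, component by
component, because a plain string comparison would rank "137.0.7151.7"
above "137.0.7151.68".
"""
import re
import subprocess
import sys
from typing import Optional, Tuple

# Lowest build carrying the fix, per the advisory text above.
PATCHED_VERSION: Tuple[int, ...] = (137, 0, 7151, 68)

def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome version from e.g. 'Google Chrome 137.0.7151.68'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome version found in: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_patched(version: str, minimum: Tuple[int, ...] = PATCHED_VERSION) -> bool:
    """True when the reported version is at least the patched build."""
    return parse_version(version) >= minimum

def installed_chrome_version() -> Optional[str]:
    """Best-effort query of a local Chrome/Chromium binary (assumed names on PATH)."""
    for exe in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        try:
            out = subprocess.run([exe, "--version"], capture_output=True,
                                 text=True, timeout=10, check=False).stdout
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if out.strip():
            return out.strip()
    return None

if __name__ == "__main__":
    # Usage: chrome_check.py ["Google Chrome 137.0.7151.68"]; defaults to querying PATH.
    ver = sys.argv[1] if len(sys.argv) > 1 else installed_chrome_version()
    if ver is None:
        print("Chrome not found on PATH; pass the version string as an argument")
        sys.exit(2)
    ok = is_patched(ver)
    print(f"{'.'.join(map(str, parse_version(ver)))}: "
          f"{'patched' if ok else 'VULNERABLE to CVE-2025-5419 - update now'}")
    sys.exit(0 if ok else 1)
```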

Why Zero-Days in Browsers Matter

Browsers are high-value targets for threat actors because they are used daily to access corporate apps, email, and cloud services. Any flaw in this layer is a potential entry point for lateral movement or remote command execution.

When zero-days are actively exploited, there is often a short window between discovery and widespread impact. That gap is when proactive monitoring and tight patch governance make a difference.

Considerations

CVE-2025-5419 is not the last zero-day we’ll see this year, but it is another clear reminder that browser security cannot be an afterthought. Organizations need robust patching strategies, vulnerability detection capabilities, and endpoint security processes in place—especially as attackers shift focus to client-side attack surfaces.

If your organization lacks the resources to track, patch, and defend against these threats, outsourcing your browser and endpoint protection may be the most effective path forward.

We help businesses stay ahead of zero-day risks with tailored cybersecurity outsourcing, patch monitoring, and endpoint defense. Let’s discuss how we can help you reduce exposure before the next exploit hits.

The Most Sophisticated Cyber Threats of 2025

In cybersecurity, standing still means falling behind. And if 2025 has made anything clear, it’s that cybercriminals have no intention of slowing down their evolution. Today’s threats are nothing like those of just a few years ago; now we’re facing highly targeted, automated attacks powered by artificial intelligence and, in some cases, with real-world, physical consequences. Yes, physical.

Here’s a look at the most sophisticated trends we’re seeing this year and why your organization needs to start taking action right now.

The Specialization of Cybercrime-as-a-Service (CaaS)

Instead of continuing to sell “all-in-one” attack packages, criminal groups have begun to specialize by segment. Today, there are cybercriminals solely focused on developing next-generation phishing kits, while others specialize in bypassing authentication systems or automating data collection through social media. This level of technical focus enables attacks that are faster, more precise, and much harder to detect.

We’re no longer talking about amateurs downloading malware from forums; we’re talking about well-organized development teams with defined roles and even technical support for their clients on the Dark Web.

The Target Is in the Cloud: The Ongoing Underestimated Risk

Although many companies have already migrated to cloud environments, few truly understand the level of exposure this brings. The use of multiple providers, poorly managed configurations, and a false sense of security are making the cloud an increasingly attractive target.

This year, attackers are exploiting specific vulnerabilities in cloud platforms to infiltrate entire networks, jumping between misconfigured services or abusing APIs that lack strict controls. And it’s not just Amazon, Google, or Microsoft in their sights; smaller providers are also being targeted, often flying under the security radar.

Automation + AI = Faster, Cheaper, and More Damaging Attacks

Artificial intelligence is no longer just for the good guys. Criminals are using it to:

  • Analyze social media profiles and personalize phishing emails at massive scale.

  • Generate adaptive payloads that change to evade antivirus software and firewalls.

  • Launch automated DDoS campaigns that detect vulnerabilities in real time.

All of this is fueling the black market for Cybercrime-as-a-Service (CaaS), where you can buy a “phishing kit” that sets up a full campaign in minutes—with AI-generated messages, shortened links, and even click reports.

Physical Threats and Organized Crime: When Cyberattacks Cross the Digital Boundary

This year, we witnessed something that once seemed unimaginable: the convergence of cyberattacks and real-world threats.

Documented cases reveal physical intimidation of employees and executives, especially in companies handling sensitive information. But there’s more—organized crime groups are collaborating with hackers to launder money, traffic data, and facilitate complex criminal operations such as human trafficking and the smuggling of illegal substances.

This creates an entirely new scenario where cybersecurity is linked not only to systems but also to the personal and operational security of organizations.

Real Cases from 2025: What’s Happening Right Now

If you thought this was just theory, here are some of the attacks that have already made headlines this year:

  • Meta confirmed a spyware attack on WhatsApp that targeted journalists and activists.

  • Credentials from the U.S. Department of Defense were leaked, including active cookies that could bypass MFA.

  • A misconfiguration exposed 2.7 billion IoT records belonging to the company Mars Hydro.

  • HCRG Care Group, a UK healthcare provider, was hit by ransomware, with 2.275 TB of data stolen.

  • A critical vulnerability in Trimble Cityworks is being actively exploited and requires an urgent patch.

  • DISA Global Solutions suffered a breach compromising over 3.3 million individuals.

  • Palo Alto Networks admitted that one of its most popular firewalls was exploited using multiple chained CVEs.

  • GrubHub was compromised through a third-party vendor, exposing sensitive information of customers and drivers.

  • The Lazarus Group, linked to North Korea, remains active and uses LinkedIn to steal credentials via fake job offers.

What can we do as a community?

In the face of this landscape, having a good firewall is no longer enough. The key lies in collective resilience. Initiatives like the Cybercrime Atlas by the World Economic Forum, which brings together businesses, governments, and private organizations, are a clear example of the way forward.

Moreover, it is vital that within companies, security is understood not just as the IT team’s responsibility. Every employee must receive training, understand the risks, and know how to respond in the event of an incident.

And, of course, governments and software manufacturers must step up—promoting secure practices from product design all the way to regulation of the digital ecosystem.

Keep going in 2025 with Heimdall

Cybercrime will continue to evolve—that’s unavoidable. But we can respond in a coordinated way, with shared intelligence, clear policies, and technology aligned to new threats. 2025 is making this clear: it’s no longer enough to just be protected, you have to be prepared.

Has your company already started down that path?

If your answer is “no,” let’s talk…

SAP ALERT: CVE-2025-31324
Critically Exploited Vulnerability

A critical vulnerability in SAP NetWeaver Visual Composer, identified as CVE-2025-31324, is being exploited by multiple threat actors, including groups linked to BianLian and RansomEXX, to compromise SAP environments in organizations worldwide.

What does this vulnerability allow?

Arbitrary file upload without authentication, enabling remote code execution and full control of the affected system.

Risk level

CVSS 10.0 (maximum severity)
Visual Composer is not active by default, but it is widely used in real-world deployments.

Involved groups

  • BianLian: activity linked to the executable rs64.exe and known C2 servers.
  • RansomEXX / Storm-2460: use of backdoors like PipeMagic, advanced evasion techniques, and payload delivery via MSBuild.

How do the attacks manifest?

Uploading webshells such as helper.jsp, cache.jsp, rrx.jsp, among others, to exposed system paths. The use of tools like Brute Ratel C2 and combined exploitation of other vulnerabilities such as CVE-2025-29824 has been observed.

What actions should be taken?

  • Apply the SAP patch immediately.
  • Audit public directories and review .jsp, .java, and .class files.
  • Strengthen your detection rules for suspicious post-exploitation behavior.
  • Check network configurations, permissions, and outbound communications.
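An added example, not SAP's code or the original post's, that implements the second action above as a directory audit: it walks the given roots, flags files named like the webshells quoted in this alert (helper.jsp, cache.jsp, rrx.jsp) and any .jsp, .java or .class file modified recently, and records a SHA-256 for each hit so it can be compared with threat intelligence. The directory root is a placeholder; point it at the web-exposed paths of your own instance.

```python
"""Audit directories for suspicious JSP/Java artefacts after CVE-2025-31324.

Added example, not SAP's or the original post's code. A name match on a
known webshell is a strong signal; absence of a match is not a clean bill,
since other file names were also seen in the wild.
"""
import hashlib
import os
import time
from typing import Dict, List, Optional

KNOWN_WEBSHELL_NAMES = {"helper.jsp", "cache.jsp", "rrx.jsp"}  # names quoted in the alert
AUDIT_EXTENSIONS = {".jsp", ".java", ".class"}

def sha256_of(path: str) -> str:
    """Hash a file in chunks so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_paths(roots: List[str], recent_days: float = 30,
                now: Optional[float] = None) -> List[Dict[str, object]]:
    """Return one record per suspicious file found under any of the roots."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                ext = os.path.splitext(name)[1].lower()
                reasons = []
                if name.lower() in KNOWN_WEBSHELL_NAMES:
                    reasons.append("name matches known webshell")
                if ext in AUDIT_EXTENSIONS:
                    try:
                        mtime = os.path.getmtime(path)
                    except OSError:
                        continue  # file vanished or unreadable metadata
                    if mtime >= cutoff:
                        reasons.append(f"{ext} file modified in last {recent_days:g} days")
                if reasons:
                    findings.append({"path": path, "sha256": sha256_of(path),
                                     "reasons": reasons})
    return findings

if __name__ == "__main__":
    import sys
    # Placeholder root: replace with the web-exposed directories of your instance.
    roots = sys.argv[1:] or ["/PLACEHOLDER/sap/exposed/path"]
    for f in audit_paths(roots):
        print(f["sha256"], f["path"], "; ".join(f["reasons"]))
```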

This vulnerability is already being exploited. It is not a hypothesis.

Do you need help protecting your SAP environment and managing critical updates like this?

We offer a specialized service in SAP security and continuous management of critical platforms. Our team can help you mitigate risks, apply patches securely, and monitor anomalous activity in your infrastructure in real time.

Contact us to implement an effective response strategy without compromising your operations.
