Threat actors from Mexico, are working extremely hard in targeting banks in Mexico, using android based malware.  It is said that the attack which has been on a global campaign, is majorly focusing on banks based in Spain and Chile.


Image source: thehackernews

The attack which occurred between June 2021 to April 2023, is attributed to a threat actor whose code name is Neo_Net.  According to malware research by SentinelOne and vx-underground the tool which is unsophisticated has been able to achieve a high success rate, while specifically targeting specific audience using their infrastructure resulting to a theft of over 350,000 EUR, from their successful victim’s bank accounts, and compromising the confidentiality of Personal Identifiable Information (PII) of thousands of victims.

It is noted that the TTP (Tactics Techniques and Procedures) employed by the threat actors, involves a multi-stage with the first step involving a SMS phishing messages massively distributed across Spain and other countries. This is achieved by using Sender IDs (SIDs) to create an illegitimate authenticity impersonating known financial institutions to scam their victims.

According to SentinelOne:

 “Neo_Net who acquired the services of various hacking tools and infrastructure which includes phishing panels, and Android trojans, multiple affiliates, sold compromised victim data to third parties, and launched a successful smishing-as-a-Service offering targeting various countries worldwide.”

It was discovered that major banks such Santander, BBVA and Caixa Bank were their major hits both in Spain and Chile.  Affected banks in other region includes Deustche Bank, Credit Agricole and ING.


SMS messages received by the victims employed various strategies which involves a false claim that the victim bank account, has been compromised, and other tactics involve messages that claims the victims credit card has been temporarily limited as a result of security concerns.

The message which also contains a malicious link, is said to be embedded in the SMS message sent by the attacker, this link contains a false phishing page that belongs to the threat actor and is linked to his panels (Neo_Net).

Multiple defence mechanism where employed, that blocks request from non-mobile user agents, and ensuring the phishing pages were FUD (fully undetected) by bots and network scanners. The phishing pages were exact clones of legitimate banking application, making it difficult to distinguish from the actual trusted bank application.

Upon successful submission of private data and information by the victim thinking it was the banks legitimate app, the credentials are transported to the hacker’s server, which in turn exports it to a bot channel created on telegram by the attacker using the Telegram BOT API.  Credentials such as username, password, name, telephone numbers, victim’s user agent (e.g., browsers such as Mozilla or chrome), and the victims ip address.

Furthermore, the threat actor progress in successfully bypassing MFA (Multi-factor-authentication), mechanisms commonly employed by banking applications. Steps such as tricking the victim to installing a malicious application (claimed to be for security purposes by the attacker).

With the application installed, the app then request victim to grant security permission to allow the application to send and view SMS.  The app which is an android trojan mimics the publicly available android SMS spyware known as SMS Eye.  The trojan which is now made FUD using public packers in order to bypass detection by antiviruses and anti-malware applications.

The malicious application secretly transmits the incoming SMS to a separate dedicated telegram chat setup by the attacker. This SMS is the actual MFA, that is sent to the victim by their legitimate bank, which the attacker is accessing using the credentials they obtained from the phishing link sent to the victim.

Other methods involve the attacker calling the victim claiming to be a representative of the bank, while luring the victim into either installing the malicious application or even giving out the OTP sent to their phone.


The threat actor responsible for the attack, goes by the name NEO NET who has been gaining prominence in the cybersecurity space since 2021.  He has been linked to certain Spanish forums such as

It should also be noted that his major creation is an SMS smishing-as-a-service, by the name Ankarex, and has been active since May 2022, with its telegram channel having over 1700 subscribers sharing updates about his software and as well giveaways.

The smishing service which provides its users the flexibility to upload funds by using cryptocurrency, and also launch their own smishing campaigns by specifying the message content and their target phone number.  The service is able to send messages to over 9-country regions.

Neo_Net also offers additional services such as leads, that includes victims’ names, email addresses, IBAN’s (international Bank Account Number), and phone number for a fee, on the Ankarex telegram channel.

Numerous IP addresses has been tracked back to him which pinpoints his location emerging from Mexico. The primary location which he operates in are Spanish speaking countries, and communication on the telegram channel is also noted to be conducted in Spanish.

Other non-Spanish speaking members noted to be collaborating with Neo_Net via his telegram channel is a user identified with the ID devilteam666. The mode of operation for this particular tactic involves the use of Google Ads targeting  crypto owned wallets by persons, and also devilteam666 offers Google Ads services on his Telegram channel.




Put your comments below in the comment section on your thoughts about this.

Find this article and information helpful? Show some love and support  “Click-Here”
5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments