TrojanSpy:Win32/Mekotio
Microsoft Defender Antivirus detects and removes this threat.
Mekotio is a geolocation-specific Trojan that steals both traditional and online banking information. It was first detected in March 2018, primarily attacking Windows systems in Latin America. In 2020, Mekotio attacks shifted focus to Europe after its perpetrators apparently took an interest in Spanish banks.
Mekotio can steal online banking (cryptocurrency) information by changing the victim's wallet address to the attacker's wallet address, rebooting the infected system, stealing credentials from Google Chrome, and restricting access to legitimate banking websites.
Recently, Mekotio dynamic link library (DLL) files were found in HTML smuggling campaigns.
Continue reading to learn how Mekotio campaigns evade antivirus detection by splitting the malware into several files, each protected with techniques that vary from sample to sample.