In May 2024, Kaspersky uncovered a malware campaign aimed at users in Italy that delivered a previously unknown Remote Access Trojan (RAT), which Kaspersky named SambaSpy. What sets the campaign apart, as outlined in Kaspersky's report, is its deliberate restriction to Italian-speaking victims: rather than infecting everyone who clicked, the attackers built language checks into several stages of the infection chain so that only systems configured in Italian would receive the payload.
Most malware campaigns cast a wide geographic net; this one was tightly scoped. At successive stages the chain verified that the target met specific criteria, chiefly that the browser or system language was Italian, and stopped immediately if it did not. Geofencing of this kind also works against defenders: a sandbox, crawler, or analyst machine running with a non-Italian locale only ever sees the benign branch of the chain, so the malicious stages never surface in automated analysis.
SambaSpy was delivered through phishing emails posing as messages from a legitimate Italian real estate company. Written in fluent Italian, the emails invited the recipient to view an invoice, and the visible destination was a genuine cloud invoicing service widely used by Italian businesses. The link the attackers embedded, however, ultimately led to a JAR file that started the SambaSpy infection.
Once installed, SambaSpy gives attackers nearly complete control over the infected device. Written in Java and obfuscated using the Zelix KlassMaster protector, SambaSpy is equipped with a vast array of capabilities, allowing attackers to:
Additionally, SambaSpy has the capability to load plugins at runtime, allowing attackers to expand its functionality depending on the victim's environment. This modular nature makes it a versatile tool that can be customized for different targets.
Kaspersky identified two distinct infection chains in this campaign, both beginning with a phishing email. In the more complex chain, the message was sent from a German email address but written in Italian and urged the victim to view an invoice. Clicking the link sent the victim to FattureInCloud, a legitimate Italian cloud invoicing platform, unless the visitor passed the attackers' checks, in which case the victim was redirected instead to a malicious OneDrive link that led to the SambaSpy dropper.
Those checks required the visitor to be using Edge, Chrome, or Firefox with the browser language set to Italian. Anyone who did not match, including users with a non-Italian locale and most automated scanners, simply stayed on the legitimate site and was never served the payload. Filtering on language and browser at the first hop is what keeps the malicious branch hidden from security crawlers and sandboxes, and it reflects a deliberate, targeted approach by the attackers.
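The two gates described above (the browser language and browser type check on the lure link, and the system language check inside the Java stage mentioned at the top of the page) as an added example, not code from Kaspersky's report or from the malware itself. The attackers' real server-side rules are not public, so the header parsing, the browser matching, the `LURE_URL` stand-in and the probe personas below are assumptions. The second half shows the check an analyst would run against a suspicious URL: replay it under several locale and browser personas and see whether the destination changes, which is exactly the cloaking that a single-locale sandbox misses.

```python
# Added example, not code from Kaspersky's report or from the SambaSpy actors.
# Emulates the locale/browser gating described for the lure link and shows how
# an analyst probes a suspicious URL for that kind of cloaking, fully offline.
# Assumptions: the real server-side rules are not public; header parsing,
# browser matching and the LURE_URL stand-in are illustrative choices.
from typing import Callable, Dict, List, Tuple

LEGIT_URL = "https://www.fattureincloud.it/"  # legitimate landing site named in the report
LURE_URL = "https://onedrive.example/lure"     # hypothetical stand-in for the malicious link

# Constructed User-Agent strings for the probe personas (not captured traffic).
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36")
EDGE_UA = CHROME_UA + " Edg/128.0.0.0"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 14_6) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.6 Safari/605.1.15")


def parse_accept_language(header: str) -> List[Tuple[str, float]]:
    """Return (primary-language-subtag, q) pairs from an Accept-Language header,
    highest q first. 'it-IT;q=0.9' becomes ('it', 0.9)."""
    langs = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        langs.append((tag.strip().split("-")[0].lower(), q))
    return sorted(langs, key=lambda item: -item[1])


def primary_language(header: str) -> str:
    langs = parse_accept_language(header)
    return langs[0][0] if langs else ""


def browser_family(user_agent: str) -> str:
    """Classify the browser. Edge (like every Chromium browser) also advertises
    'Chrome/', so its own 'Edg/' token has to be checked first."""
    if "Edg/" in user_agent:
        return "Edge"
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Chrome/" in user_agent and "OPR/" not in user_agent:
        return "Chrome"
    return "Other"


def web_gate(accept_language: str, user_agent: str) -> str:
    """First gate (assumed server-side): an Italian-language Edge, Chrome or
    Firefox visitor is sent to the malicious link, everyone else to the real site."""
    italian = primary_language(accept_language) == "it"
    supported = browser_family(user_agent) in ("Edge", "Chrome", "Firefox")
    return LURE_URL if italian and supported else LEGIT_URL


def java_locale_gate(default_locale: str) -> bool:
    """Later gate: the Java stage halts unless the system locale is Italian,
    i.e. a check of the form Locale.getDefault().getLanguage().equals("it")
    (assumed form; accepts 'it_IT' or 'it-IT')."""
    return default_locale.replace("-", "_").split("_")[0].lower() == "it"


# Personas an analyst would replay against a suspicious URL.
PROBES: Dict[str, Tuple[str, str]] = {
    "it-chrome": ("it-IT,it;q=0.9,en;q=0.8", CHROME_UA),
    "it-edge": ("it-IT,it;q=0.9", EDGE_UA),
    "it-safari": ("it-IT,it;q=0.9", SAFARI_UA),
    "en-chrome": ("en-US,en;q=0.9", CHROME_UA),
    "en-firefox": ("en-US,en;q=0.5", FIREFOX_UA),
}


def probe_for_cloaking(fetch: Callable[[str, str], str]) -> Dict[str, str]:
    """Fetch the same URL under each persona and record where it lands.
    `fetch` takes (accept_language, user_agent) and returns the final URL; here
    it is the emulated gate, in practice it would wrap an HTTP client."""
    return {name: fetch(lang, ua) for name, (lang, ua) in PROBES.items()}


def is_cloaked(results: Dict[str, str]) -> bool:
    """Different destinations for different personas mean the page is gated."""
    return len(set(results.values())) > 1


if __name__ == "__main__":
    landings = probe_for_cloaking(web_gate)
    for persona, url in landings.items():
        print(f"{persona:12s} -> {url}")
    print("cloaking detected:", is_cloaked(landings))
```

The practical takeaway is the probe loop: a detonation that presents only an `en-US` locale and a default user agent lands on FattureInCloud and reports the link as clean, while the `it-IT` Edge or Chrome persona reaches the malicious branch. The same reasoning applies to the Java stage, so a sandbox profile for this sample needs an Italian system locale as well as an Italian browser language.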
Cybersecurity experts are noting the increased sophistication in geotargeted malware campaigns like SambaSpy. According to Martin Zugec, Senior Director of Security Strategy at Bitdefender, “The precision with which this campaign was executed highlights a growing trend among cybercriminals to focus on specific, localized targets. By narrowing their scope, attackers can evade detection by security systems that typically look for broader threats.”
Additionally, FireEye’s research indicates that geographically targeted attacks often bypass traditional security solutions, as they tailor their infection methods to specific regions, languages, and even industries. These types of attacks pose an increasing threat to national and regional infrastructures.
Although the campaign exclusively targeted Italian users, Kaspersky found traces that suggest the attackers may have broader ambitions. Brazilian Portuguese language artifacts, including code comments and error messages, were discovered within the malware, hinting at potential Brazilian origins. Additionally, the infrastructure used in the campaign included links to other regions, such as Spain and Brazil. This cross-regional activity raises questions about whether the attackers plan to expand beyond Italy in future campaigns.
Given the specificity of this campaign and its advanced techniques, cybersecurity experts recommend the following defenses:
The SambaSpy campaign is a clear example of cybercriminals tailoring an attack to a specific region and user base. By restricting infection to Italian-speaking users through language and browser checks at several stages, the attackers kept the malicious branch of the chain away from everyone else, analysts included. While the campaign currently targets Italy, the Brazilian Portuguese artifacts in the code suggest the operators may have broader plans. Organizations, particularly those in targeted regions, should account for this kind of geofencing in their own analysis workflows and keep their defenses current against it.