Cybercriminals target Canadian restaurant chain with Chameleon malware


Researchers have uncovered a campaign targeting hospitality workers in Canada and Europe in July with banking malware known as Chameleon.

Among the hackers’ targets was an unnamed Canadian restaurant chain operating internationally, according to a report released by the cybersecurity firm Threat Fabric on Monday.

In these attacks, Chameleon was disguised as a customer relationship management (CRM) app, which is often used in the hospitality industry for task automation, communication, and data analysis. Threat Fabric did not specify the app.

Researchers noted that other intended victims of the campaign likely include hospitality workers and potentially employees of direct-to-customer retailers in Canada and Europe.

If the attackers succeed in infecting a device that has corporate banking access, Chameleon can then target business banking accounts.

“The increased likelihood of such access for employees whose roles involve CRM is the likely reason behind the choice of masquerading during this latest campaign,” researchers said.

The report does not specify how the hackers initially accessed the targeted systems but indicates that the first stage of the malware installation process involves a dropper capable of bypassing security restrictions in versions 13 and above of the Android operating system.

Once loaded, the dropper displays a fake page with CRM login fields, requesting the employee ID. If a user then clicks on a message asking them to reinstall the application, Chameleon infects the device.

After installation, users are directed to a fake website asking for the employee’s credentials.

Because Chameleon is already running in the background, it is also able to collect credentials and other sensitive information using keylogging. “Such information can be used in further attacks, or the actors can monetize it by selling it on underground forums,” researchers said.

The malware was discovered in December 2022 and has previously targeted entities in Australia, Italy, Poland and the U.K.

Threat Fabric has also observed recent Chameleon attacks on customers of unnamed financial organizations, with the malware masquerading as a security app installing a security certificate released by the bank.

In incidents last year, the malware found victims in Australia and Poland, disguising itself as institutions like the Australian Taxation Office (ATO) and popular banking apps.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 
