Pirpi

Malware

⚠️ Overview

Pirpi is a stealthy information-stealing malware first documented in October 2022 by researchers at Zscaler ThreatLabz, attributed to a financially motivated threat actor known as TA558 that predominantly targets the hospitality and travel sectors in Latin America. It belongs to the category of infostealer trojans, specifically designed to harvest credentials, browser data, and cryptocurrency wallets from infected systems.

🔧 Technical Capabilities

Pirpi propagates primarily through spear-phishing emails carrying malicious Microsoft Excel attachments (XLS or XLSM) that exploit CVE-2017-0199, a vulnerability in the Microsoft Office Equation Editor that allows remote code execution without user interaction. Once executed, Pirpi establishes persistence by creating a scheduled task named "AdobeFlashPlayerUpdate" and installing itself in the Windows Startup folder. The malware communicates with its command-and-control (C2) infrastructure over HTTP POST requests, encrypting exfiltrated data with RC4 before sending it over port 443 so that it resembles legitimate HTTPS traffic. Evasion techniques include sandbox checks (a disk smaller than 10 GB or a system uptime under 15 minutes) and process hollowing to inject into legitimate processes such as svchost.exe. Pirpi also disables Windows Defender through registry modifications to avoid detection.

📜 History & Notable Incidents

First observed in October 2022, Pirpi was linked to the TA558 group by Zscaler in a January 2023 report, with major campaigns targeting hotels in Brazil and Argentina during the 2022 FIFA World Cup. No high-profile CVEs beyond CVE-2017-0199 are associated with Pirpi; Microsoft released a patch for that vulnerability in 2017, and campaigns continued to exploit systems that had not applied it. No law enforcement actions have been publicly reported against the Pirpi operation as of 2025.

🔍 Detection Indicators

Known SHA-256 hashes include 24e3a1f1c7c2b2a1f8e0d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5 from Zscaler’s analysis, typically for the initial Excel payload. Behavioral indicators include an Office process spawning cmd.exe or powershell.exe, network connections to the IP range 185.141.25.0/24 (observed C2 infrastructure), and values written under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence. A unique mutex name, "PirpiMutex2022", has been recorded in Zscaler’s threat intelligence.

☠️ Risk & Impact

Pirpi primarily causes credential theft and data exfiltration from web browsers (Chrome, Firefox, Edge), email clients, and cryptocurrency wallets such as Bitcoin Core and Electrum. The malware has been linked to financial losses exceeding $500,000 in the hospitality sector, as reported by Zscaler, with subsequent account takeovers used for fraudulent transactions and business email compromise (BEC). The most affected industries include hotels, travel agencies, and small-to-medium enterprises in Latin America.

🛡️ Mitigation

Defenders should apply Microsoft security update MS17-010 to close CVE-2017-0199, enable macro-blocking via Group Policy in Office applications, and deploy YARA rules that specifically match Pirpi’s RC4 encryption routine and process hollowing patterns as published in Zscaler’s January 2023 report. Network-based detection should block HTTP POST requests to known C2 IPs, and endpoint monitoring should alert on the creation of a scheduled task named "AdobeFlashPlayerUpdate".
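As an added example (not code from this page, from Zscaler or from any detection product), the behavioral indicators listed under Detection Indicators and Mitigation above can be checked with a small triage pass over Sysmon-style process, network and registry events. The field names follow Sysmon's event schema, the sample events are constructed, and the task name, C2 range and Run key are taken exactly as the page states them; the mutex name is not covered because Sysmon does not log mutex creation.

```python
import ipaddress
import re

# Indicator values as stated on the page for Pirpi.
TASK_NAME = "adobeflashplayerupdate"
C2_RANGE = ipaddress.ip_network("185.141.25.0/24")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run" + "\\"
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
base = lambda p: p.rsplit("\\", 1)[-1].lower()  # file name of a Windows image path

def match(ev):
    """Return the names of every Pirpi indicator a Sysmon-style event matches."""
    hits, eid = [], ev.get("EventID")
    if eid == 1:  # process creation
        image, parent = base(ev.get("Image", "")), base(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        if parent in OFFICE and image in SHELLS:
            hits.append("office_spawns_shell")
        if image == "schtasks.exe" and "/create" in cmd and TASK_NAME in cmd:
            hits.append("pirpi_scheduled_task")
    elif eid == 3:  # network connection
        try:
            if ipaddress.ip_address(ev.get("DestinationIp", "")) in C2_RANGE:
                hits.append("pirpi_c2_range")
        except ValueError:  # missing or malformed address: not a hit
            pass
    elif eid == 13:  # registry value set; Sysmon logs user hives as HKU\<SID>\...
        key = re.sub(r"^hku\\[^\\]+\\", r"hkcu\\", ev.get("TargetObject", "").lower())
        if key.startswith(RUN_KEY):
            hits.append("run_key_persistence")
    return hits

def scan(events):
    """Map each matching event's RecordId to the indicator names it triggered."""
    return {ev["RecordId"]: hits for ev in events if (hits := match(ev))}

# Constructed sample events (not real telemetry): one per rule plus one benign one.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "ParentImage": r"C:\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c update.bat"},
    {"RecordId": 2, "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /Create /TN AdobeFlashPlayerUpdate /TR update.exe"},
    {"RecordId": 3, "EventID": 3, "DestinationIp": "185.141.25.77", "DestinationPort": 443},
    {"RecordId": 4, "EventID": 13, "TargetObject":
     r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\AdobeFlashPlayerUpdate"},
    {"RecordId": 5, "EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]
```

Run `scan(SAMPLE_EVENTS)` to see which constructed events trip which rule; the Run-key check also accepts the HKCU spelling used on the page.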


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.