👏
Smart from actors, as AV companies won't block their CDN.
😟
cc @GossiTheDog @x0rz
Of course, the link does not point to a file on a gov website, but to a file on FB's CDN...

Not only does it come from FB's CDN, but it comes over HTTPS.
You can see that after 30 hours it is still FUD...
In case it is taken down eventually, here is the file: virustotal.com/en/file/1faa46…
Detections:

And that number is the very least; likely lots more...
cc @certbr


APT?
If you are not from Brazil, all you get is an empty DLL: virustotal.com/en/file/8ff95b…
cc @JAMESWT_MHT

The loader DLL has only 1 detection: virustotal.com/en/file/41e463…

It also has checks such as whether specific things are installed or not, checks (by IP) whether it is running in BR or not, etc.
Probably, as the campaign is over, they changed something.