👏
Smart of the actors, as AV companies won't block their CDN.
😟
cc @GossiTheDog @x0rz
Of course, the link does not point to a file on a gov website, but to a file on FB's CDN...
![](https://pbs.twimg.com/media/DIs75nIW4AA-2Gi.jpg)
Not only does it come from FB's CDN, but it also comes over HTTPS.
You can see, after 30 hours, still FUD...
In case it gets taken down eventually, here is the file: virustotal.com/en/file/1faa46…
Detections:
![](https://pbs.twimg.com/media/DItAEQgW0AAEgw5.jpg)
And that number is at the very least, likely lots more...
cc @certbr
![](https://pbs.twimg.com/media/DItAZBnXkAAR4HX.jpg)
![](https://pbs.twimg.com/media/DItNqKiWAAA9O7c.jpg)
APT?
If you are not from Brazil, all you get is an empty dll: virustotal.com/en/file/8ff95b…
cc @JAMESWT_MHT
![](https://pbs.twimg.com/media/DItYieBWsAIGgik.jpg)
The loader dll has only 1 detection: virustotal.com/en/file/41e463…
![](https://pbs.twimg.com/media/DItfmydXYAATJYr.jpg)
It also has checks such as whether specific things are installed or not, checks (by IP) whether it is running in BR or not, etc.
Probably, as the campaign is over, they changed something.