The trojan horse that wanted to fly

released on 2024-09-02 @ 04:18:47 PM

Rocinante is a new strain of mobile malware originating from Brazil, capable of keylogging, stealing PII through phishing, and performing device takeover. It targets Brazilian banking institutions and communicates over a combination of Firebase messaging, HTTP traffic, WebSocket, and the Telegram API. The malware is distributed via phishing websites posing as security updates or banking apps. Rocinante's features include keylogging, phishing screens, data exfiltration, and remote actions. The malware shows influence from Ermac/Hook, indicating a shift in LATAM cybercriminals' interests. Rocinante poses a significant risk to banking customers, potentially leading to unauthorized transfers and account draining.