libcef.dll: A Brazilian Banking Trojan Hiding Behind Chromium's Most Trusted Library

A 10MB PE masquerading as the Chromium Embedded Framework delivers DLL sideloading against MetaTrader 5, MEXC crypto, and Brazilian taxpayers -- all from a 15-node spam infrastructure cluster in Buffalo, NY

Published: March 12, 2026
Severity: High | Category: Phishing
Tags: banker, DLL-sideloading, Brazil, SEFAZ, phishing, credential-theft, libcef, MetaTrader, exploit, apt, spearphishing

If you are a defender and you see libcef.dll in a software package, your instinct is to trust it. The Chromium Embedded Framework library ships with Spotify, Steam, Discord, OBS Studio, and hundreds of enterprise applications. It is one of the most commonly whitelisted DLLs in existence. That is exactly why a Brazilian cybercrime operation chose it as the disguise for their banking trojan.

The sample -- a 10MB PE executable named libcef.dll -- was uploaded to MalwareBazaar on March 11, 2026. Behind it sits a multi-pronged fraud infrastructure centered on sefazemissaoweb[.]com, impersonating SEFAZ (the Brazilian State Treasury), MetaTrader 5, and the MEXC cryptocurrency exchange. And an OPSEC failure exposed the real prize: a credential harvesting domain called accoumts[.]com[.]br (note the typo) that has been running since October 2025.

Key Findings

  • DLL sideloading via Chromium trust: 10MB PE named libcef.dll exploits the implicit trust of CEF libraries for sideloading into legitimate applications, particularly MetaTrader 5
  • Five active lure subdomains: NFE tax portal (SEFAZ), MetaTrader 5 "maintenance," MEXC crypto exchange redirect, malware staging, and credential harvesting -- all under one Cloudflare account
  • 15-node spam infrastructure: The malware staging server (107[.]172[.]48[.]177) is vmta4.youboxx[.]com -- a Virtual Mail Transfer Agent in a dedicated bulk email cluster spanning .170-.184 in the same /24
  • 5-month-old credential harvesting operation: accoumts[.]com[.]br has been active since October 2025, exposed only because the operator left it as the default SSL cert on the staging server
  • 10 language translations on the NFE phishing page -- Portuguese, Spanish, French, German, Russian, Japanese, Chinese, Korean, Arabic, Turkish -- suggesting international targeting beyond Brazil
  • Cross-campaign link: HostPapa (ColoCrossing, Buffalo NY) infrastructure appears in two prior Breakglass investigations for RemcosRAT campaigns

The OPSEC Failure

Connect directly to 107[.]172[.]48[.]177:443 without SNI and the server returns a TLS certificate for accoumts[.]com[.]br -- a credential harvesting typosquat of "accounts.com.br" that has been active since October 2025. This is a classic misconfiguration: the default SSL virtualhost reveals infrastructure the operator intended to keep behind Cloudflare. One curl command exposed a five-month fraud operation.

The MEXC subdomain makes it worse: mexc[.]sefazemissaoweb[.]com issues a 302 redirect straight to web[.]accoumts[.]com[.]br, creating a clear link between the two domains in any proxy log.
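The no-SNI check described above is easy to turn into a repeatable test. The script below is an added example, not tooling from the report: it handshakes with a host once without a server_name extension (so the default virtual host answers) and once with the expected front-end domain, then lists any names in the default certificate that do not belong to that domain. The live functions need network access; the sample values fed to `leaked_names()` are constructed to mirror what the report observed. The stdlib `getpeercert()` only returns fields for certificates that chain to a trusted CA, which is assumed here; a self-signed origin certificate would need a DER parser such as the `cryptography` package.

```python
"""Added example: detect a default-vhost certificate leak by comparing
no-SNI and with-SNI handshakes. Not code from the original report."""
import socket
import ssl
from typing import Optional


def fetch_cert_dns_names(ip: str, sni: Optional[str], port: int = 443,
                         timeout: float = 5.0) -> list:
    """Handshake with ip:port and return the DNS names in the leaf certificate.

    sni=None sends no server_name extension, so the server replies with its
    default virtual host; that is the misconfiguration that exposed
    accoumts[.]com[.]br on the staging host.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # collect whatever name is offered, do not require a match
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # very old certificates carry the name only in the subject CN
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def same_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a (possibly wildcard) subdomain of it."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def leaked_names(default_names, expected_domain: str) -> list:
    """Names from the no-SNI certificate that do not belong to the domain the
    host is fronting. Anything returned is infrastructure the operator did not
    intend to expose behind the front-end domain."""
    return sorted({n for n in default_names if not same_domain(n, expected_domain)})


def probe(ip: str, expected_domain: str, port: int = 443) -> dict:
    """Live version of the check: default-vhost certificate vs. the fronted one."""
    default = fetch_cert_dns_names(ip, None, port)
    fronted = fetch_cert_dns_names(ip, expected_domain, port)
    return {"default_vhost": default, "with_sni": fronted,
            "leaked": leaked_names(default, expected_domain)}


if __name__ == "__main__":
    # Constructed input mirroring the report's observation; not a live capture.
    observed_default = ["accoumts.com.br", "web.accoumts.com.br"]
    print(leaked_names(observed_default, "sefazemissaoweb.com"))
```

Run `probe("<ip>", "<expected-domain>")` against a host you are authorised to assess; a non-empty `leaked` list is the same class of finding the report describes, and each leaked name is a pivot worth checking in certificate transparency and in your own proxy logs.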

Infrastructure Map

| Component | Domain/IP | Purpose | Status |
|---|---|---|---|
| Malware staging | download[.]sefazemissaoweb[.]com (107.172.48.177) | libcef.dll delivery | LIVE |
| NFE phishing | nfe[.]sefazemissaoweb[.]com (107.172.48.177) | SEFAZ tax portal impersonation | LIVE |
| MT5 phishing | mt5[.]sefazemissaoweb[.]com (Cloudflare) | MetaTrader 5 lure | LIVE (502) |
| MEXC redirect | mexc[.]sefazemissaoweb[.]com (Cloudflare) | Crypto exchange redirect | LIVE (302) |
| Credential harvest | web[.]accoumts[.]com[.]br (Cloudflare) | Account credential theft | LIVE (522) |
| Spam cluster | 107.172.48.170-184 | youboxx/podtoc/dynamisworld mail infra | LIVE |

The entire operation was stood up in a 3-day window: subdomain certificates issued March 8-10, malware sample appeared March 11. But the credential harvesting domain has been operational since October 2025 -- the operators added the banking trojan campaign on top of existing infrastructure.

IOCs

Domains:

sefazemissaoweb[.]com
download[.]sefazemissaoweb[.]com
nfe[.]sefazemissaoweb[.]com
mt5[.]sefazemissaoweb[.]com
mexc[.]sefazemissaoweb[.]com
accoumts[.]com[.]br
web[.]accoumts[.]com[.]br
youboxx[.]com
vmta4[.]youboxx[.]com
podtoc[.]com[.]br
dynamisworld[.]com[.]br

IPs:

107[.]172[.]48[.]177    # Malware staging / NFE phishing
107[.]172[.]48[.]170-184 # Spam infrastructure cluster

File Hash:

| Type | Value |
|---|---|
| SHA256 | 70532acb7cc38d8c0573a463cba94da9ada2c6464836eb0bf3a53a4a0f1372a4 |
| Filename | libcef.dll |
| Size | 10,194,432 bytes |
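To act on the domain and IP indicators above, and on the MEXC-to-accoumts redirect the OPSEC section describes, a defender needs a sweep that matches subdomains as well as apex domains, treats the .170-.184 range as one indicator, and follows 3xx Location headers. The script below is an added example, not tooling from the report; the proxy log format (timestamp, client, destination IP, host, path, status, optional Location) and every log line in it are constructed, including the 104.21.33.10 Cloudflare-style destination address.

```python
"""Added example: sweep proxy logs for the campaign's domain, IP-range and
redirect indicators. Not code from the original report."""
import ipaddress
import re
from dataclasses import dataclass

# Apex domains from the report's IOC list (defanging brackets removed).
IOC_DOMAINS = {
    "sefazemissaoweb.com", "accoumts.com.br", "youboxx.com",
    "podtoc.com.br", "dynamisworld.com.br",
}
# Spam cluster 107.172.48.170-184; .177 is the staging / NFE phishing host.
IOC_IP_RANGE = (ipaddress.ip_address("107.172.48.170"),
                ipaddress.ip_address("107.172.48.184"))


def refang(indicator: str) -> str:
    """Turn 'accoumts[.]com[.]br' into a matchable hostname."""
    return indicator.replace("[.]", ".")


def host_matches(host: str, domains) -> bool:
    """Exact or subdomain match; 'notsefazemissaoweb.com' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_in_cluster(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return IOC_IP_RANGE[0] <= addr <= IOC_IP_RANGE[1]


# Constructed log layout: ts client dst_ip host path status [location]
LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<host>\S+) "
                  r"(?P<path>\S+) (?P<status>\d{3})(?: (?P<location>\S+))?$")


@dataclass
class Finding:
    ts: str
    client: str
    reason: str
    detail: str


def scan(lines) -> list:
    """Return one Finding per indicator hit; a 3xx to an IOC host is reported
    separately so the mexc -> accoumts link shows up as its own event."""
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        if host_matches(f["host"], IOC_DOMAINS):
            findings.append(Finding(f["ts"], f["client"], "ioc-domain", f["host"]))
        elif ip_in_cluster(f["dst"]):
            findings.append(Finding(f["ts"], f["client"], "ioc-ip-range", f["dst"]))
        loc = f.get("location")
        if loc and f["status"].startswith("3"):
            loc_host = loc.split("//", 1)[-1].split("/", 1)[0]
            if host_matches(loc_host, IOC_DOMAINS):
                findings.append(Finding(f["ts"], f["client"], "ioc-redirect",
                                        f"{f['host']} -> {loc_host}"))
    return findings


# Constructed sample log; internal clients and the 104.21.33.10 address are made up.
SAMPLE_LOG = """
2026-03-11T09:12:03Z 10.0.4.21 104.21.33.10 mexc.sefazemissaoweb.com / 302 https://web.accoumts.com.br/login
2026-03-11T09:12:05Z 10.0.4.21 107.172.48.177 download.sefazemissaoweb.com /libcef.dll 200
2026-03-11T09:13:40Z 10.0.4.22 142.250.80.46 www.google.com /search 200
2026-03-11T09:15:10Z 10.0.4.23 107.172.48.171 - / 200
2026-03-11T09:16:00Z 10.0.4.24 203.0.113.5 notsefazemissaoweb.com / 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.client} {hit.reason}: {hit.detail}")
```

Because accoumts[.]com[.]br predates the malware campaign by five months, run the sweep over retained logs back to October 2025 rather than only the March window; the `ioc-ip-range` rule also catches direct-to-IP fetches from the cluster that carry no matching Host header.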

MITRE ATT&CK

| Technique | ID | Application |
|---|---|---|
| DLL Side-Loading | T1574.002 | libcef.dll loaded by legitimate CEF application |
| Masquerading: Match Legitimate Name | T1036.005 | Named after legitimate Chromium library |
| Spearphishing Link | T1566.002 | Email lures directing to phishing subdomains |
| Web Portal Capture | T1056.003 | accoumts.com.br credential harvesting |
| Upload Malware | T1608.001 | libcef.dll staged on download subdomain |
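The T1574.002 row is the one that is hard to detect by name alone, since a legitimate libcef.dll load looks identical in a process listing. The triage below is an added example, not tooling from the report: it takes image-load events using Sysmon Event ID 7 field names (Image, ImageLoaded, Hashes) and flags a libcef.dll load when its SHA256 matches the report's hash, its size matches the report's 10,194,432 bytes, it was loaded from a user-writable directory, or it lives in a different directory from the process that loaded it (a legitimate CEF app ships libcef.dll beside its own executable). The `Size` field is assumed to be added by enrichment, not a native Sysmon field, and all four events are constructed; the zero-filled hash is a placeholder.

```python
"""Added example: triage libcef.dll image-load telemetry for sideloading.
Sysmon Event ID 7 field names; events are constructed. Not report code."""
from pathlib import PureWindowsPath

IOC_SHA256 = "70532acb7cc38d8c0573a463cba94da9ada2c6464836eb0bf3a53a4a0f1372a4"
IOC_SIZE = 10_194_432

# Directory names a CEF-based application would not normally load its runtime from.
SUSPICIOUS_DIR_PARTS = ("temp", "tmp", "downloads", "desktop", "public")


def parse_hashes(hashes_field: str) -> dict:
    """Sysmon writes 'SHA256=...,MD5=...'; return {ALGO: lowercase hexdigest}."""
    out = {}
    for item in hashes_field.split(","):
        if "=" in item:
            algo, value = item.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def in_user_writable_dir(path: str) -> bool:
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(part in SUSPICIOUS_DIR_PARTS for part in parts)


def triage(event: dict) -> list:
    """Reasons this image-load event deserves review; empty list = nothing unusual.
    Only libcef.dll loads are considered; other modules return []."""
    loaded = event.get("ImageLoaded", "")
    if PureWindowsPath(loaded).name.lower() != "libcef.dll":
        return []
    reasons = []
    if parse_hashes(event.get("Hashes", "")).get("SHA256") == IOC_SHA256:
        reasons.append("sha256 matches report IOC")
    if event.get("Size") == IOC_SIZE:  # assumed enrichment field, not native Sysmon
        reasons.append("size matches report IOC")
    if in_user_writable_dir(loaded):
        reasons.append("libcef.dll loaded from user-writable directory")
    host_dir = PureWindowsPath(event.get("Image", "")).parent
    if str(host_dir).lower() != str(PureWindowsPath(loaded).parent).lower():
        reasons.append("loaded from a directory other than the host process's own")
    return reasons


# Constructed events. The loading executables are made-up names, not real products.
PLACEHOLDER_HASH = "SHA256=" + "0" * 64
EVENTS = [
    {  # a CEF app loading its own bundled runtime; expected to be quiet
        "Image": r"C:\Users\alice\AppData\Roaming\CefApp\CefApp.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\CefApp\libcef.dll",
        "Hashes": PLACEHOLDER_HASH, "Size": 123_456,
    },
    {  # the report's sample, dropped and loaded from Downloads
        "Image": r"C:\Users\alice\Downloads\trading-app.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\libcef.dll",
        "Hashes": f"SHA256={IOC_SHA256}", "Size": IOC_SIZE,
    },
    {  # not libcef.dll at all; ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Hashes": PLACEHOLDER_HASH, "Size": 1,
    },
    {  # unknown libcef.dll pulled from a public directory by an installed app
        "Image": r"C:\Program Files\SomeApp\app.exe",
        "ImageLoaded": r"C:\Users\Public\libcef.dll",
        "Hashes": PLACEHOLDER_HASH, "Size": 2,
    },
]


def triage_all(events) -> list:
    return [triage(e) for e in events]


if __name__ == "__main__":
    for ev, reasons in zip(EVENTS, triage_all(EVENTS)):
        print(ev["ImageLoaded"], "->", reasons or "ok")
```

The hash and size rules catch this specific sample; the two path rules are what keep the detection useful once the operators rebuild the DLL, so they are worth keeping even after the IOC hash goes stale.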

Conclusion

This campaign demonstrates the intersection of two trends: the abuse of trusted software libraries for DLL sideloading, and the repurposing of bulk email infrastructure for malware distribution. The Brazilian operators built their banking trojan campaign on top of a spam cluster that was already running, using the same /24 IP block for both bulk email delivery and malware staging. The OPSEC failure -- a default SSL certificate revealing the credential harvesting domain -- connects the dots between a 5-month-old fraud operation and a 3-day-old malware campaign. Block the infrastructure, but also look backward in your logs: accoumts[.]com[.]br has been stealing credentials since October 2025.
