S9016: Caminho
Analyst context for executives and security teams
Caminho matters because ATT&CK describes it as a Windows downloader used to deliver other malware, including XWorm. For leaders, the risk is less the downloader alone and more whether the organization can quickly see, contain, and explain the follow-on payload delivery chain before it becomes a broader incident.
Executive priority
Prioritize Caminho as a test of endpoint visibility, egress monitoring, and incident response readiness for downloader-led intrusions. It is especially relevant for organizations tracking Latin America-focused threat activity because ATT&CK relates Caminho to APT-C-36, a suspected South American group associated with espionage and financially motivated operations. Budget and assurance questions should focus on whether controls can detect suspicious Windows execution, external tool transfer, obfuscated files, and process hollowing without relying only on file hashes.
Technical view
ATT&CK lists Caminho as Windows malware with relationships to Binary Padding, Encrypted/Encoded File, Process Hollowing, Ingress Tool Transfer, Native API, and Deobfuscate/Decode Files or Information. SOC and IR teams should validate coverage for downloader behavior: suspicious file arrival, encoded or padded binaries, runtime decoding, native API-heavy execution, process hollowing indicators, and outbound retrieval of additional tools or payloads. Official ATT&CK detection text is not provided, so local detection engineering must be based on the related techniques and available telemetry.
Likely telemetry
- Windows endpoint process creation and parent/child process lineage
- EDR telemetry for process hollowing, memory manipulation, suspended process creation, and unusual native API usage
- File creation, modification, and execution events for newly downloaded or encoded binaries
- Network egress logs showing external file retrieval or command-and-control style downloads
- Security tool alerts related to binary padding, file size anomalies, hash changes, or encoded content
Detection direction
- Do not depend on static hashes alone; the related Binary Padding and Encrypted/Encoded File techniques indicate that file representation may change to evade simple matching.
- Tune for behavior chains: new Windows executable or file arrival followed by decoding/deobfuscation, process hollowing, and additional external downloads.
- Review false positives from legitimate installers, software updaters, packed commercial software, and administrative tools that download files or use uncommon APIs.
- Correlate endpoint and network evidence; downloader activity may be missed if endpoint logs and egress records are analyzed separately.
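The behaviour chain the bullets above describe (new binary in a user-writable path, outbound retrieval, an MSBuild.exe child started with no project file, then write/resume access to that child) can be expressed as a small correlation rule. The Python below is an added example, not code from this page, from ATT&CK or from the Zscaler report; the event schema, field names, scores, window and the sample events are all constructed assumptions, and the access-mask bits are the documented Windows PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_SUSPEND_RESUME values.

```python
"""Correlate Sysmon-style endpoint events into a downloader-to-hollowing chain.

Added example. Event shapes, field names, scores and the sample events are
constructed for illustration; map your own EDR or Sysmon schema onto them.
"""
from __future__ import annotations

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".sln", ".targets")
# PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME: the rights a
# parent needs to overwrite and resume a suspended child (Sysmon Event ID 10 mask).
SUSPICIOUS_ACCESS = 0x0008 | 0x0020 | 0x0800


def in_user_writable(path: str) -> bool:
    """True for images executing from locations an ordinary user can write to."""
    return any(seg in path.lower() for seg in USER_WRITABLE)


def msbuild_without_project(image: str, cmdline: str) -> bool:
    """MSBuild.exe started with no project or solution argument builds nothing;
    that matches the ATT&CK procedure of launching it only to host injected code."""
    if not image.lower().endswith("\\msbuild.exe"):
        return False
    return not any(ext in cmdline.lower() for ext in PROJECT_EXTS)


def correlate(events: list[dict], window: int = 300, threshold: int = 4) -> list[dict]:
    """Score each process started from a user-writable path by the follow-on
    behaviour seen within `window` seconds: outbound connection (T1105), an
    MSBuild.exe child with no project (T1055.012 indicator) and write/resume
    access to that child. Returns findings whose score reaches `threshold`."""
    suspects: dict[tuple[str, int], dict] = {}

    def score(hit: dict, points: int, label: str, ev: dict) -> None:
        hit["score"] += points
        hit["techniques"].append(label)
        hit["evidence"].append(ev["ts"])

    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "process_create":
            if in_user_writable(ev["image"]):
                suspects[(host, ev["pid"])] = {
                    "host": host, "pid": ev["pid"], "image": ev["image"],
                    "start": ev["ts"], "score": 1, "children": set(),
                    "techniques": ["execution from user-writable path"],
                    "evidence": [ev["ts"]],
                }
            parent = suspects.get((host, ev["ppid"]))
            if parent and ev["ts"] - parent["start"] <= window:
                parent["children"].add(ev["pid"])
                if msbuild_without_project(ev["image"], ev["cmdline"]):
                    score(parent, 2, "T1055.012 MSBuild.exe child without project file", ev)
        elif ev["type"] == "network_connect":
            hit = suspects.get((host, ev["pid"]))
            if hit and ev["ts"] - hit["start"] <= window:
                score(hit, 1, "T1105 outbound connection by new binary", ev)
        elif ev["type"] == "process_access":
            src = suspects.get((host, ev["src_pid"]))
            if src and ev["pid"] in src["children"] and ev["access"] & SUSPICIOUS_ACCESS:
                score(src, 2, "T1055.012 write/resume access to own child", ev)

    return [s for s in suspects.values() if s["score"] >= threshold]


# Constructed sample events (not real telemetry). Timestamps are seconds.
SAMPLE_EVENTS = [
    # Suspect chain: executable run from Temp, downloads, hollows MSBuild.exe.
    {"ts": 100, "host": "WS01", "type": "process_create", "pid": 200, "ppid": 100,
     "image": "C:\\Users\\ana\\AppData\\Local\\Temp\\invoice.exe", "cmdline": "invoice.exe"},
    {"ts": 104, "host": "WS01", "type": "network_connect", "pid": 200, "dest": "203.0.113.10:443"},
    {"ts": 109, "host": "WS01", "type": "process_create", "pid": 300, "ppid": 200,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "cmdline": "MSBuild.exe"},
    {"ts": 110, "host": "WS01", "type": "process_access", "src_pid": 200, "pid": 300, "access": 0x1FFFFF},
    # Benign noise: a vendor updater in Program Files and a hand-run installer that builds a real project.
    {"ts": 200, "host": "WS01", "type": "process_create", "pid": 400, "ppid": 1,
     "image": "C:\\Program Files\\Vendor\\updater.exe", "cmdline": "updater.exe /silent"},
    {"ts": 201, "host": "WS01", "type": "network_connect", "pid": 400, "dest": "198.51.100.7:443"},
    {"ts": 300, "host": "WS01", "type": "process_create", "pid": 500, "ppid": 50,
     "image": "C:\\Users\\ana\\Downloads\\setup.exe", "cmdline": "setup.exe"},
    {"ts": 302, "host": "WS01", "type": "network_connect", "pid": 500, "dest": "198.51.100.9:443"},
    {"ts": 305, "host": "WS01", "type": "process_create", "pid": 600, "ppid": 500,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "cmdline": "MSBuild.exe C:\\src\\app.csproj"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding["host"], finding["pid"], finding["image"], finding["score"], finding["techniques"])
```

The installer in Downloads that also downloads scores 2 and stays below the threshold, which is the point of scoring the chain rather than alerting on any single step; an MSBuild.exe launch with no project file is a weak signal on its own and only earns weight here once it sits under a process that arrived in a user-writable location. Tune the window, the path list and the threshold against your own baseline before relying on it.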
- Use the APT-C-36 relationship as threat-intelligence context, not as proof of attribution in any local incident.
Mitigation priorities
- Strengthen endpoint controls that prevent or alert on suspicious process injection and hollowing behavior.
- Limit unnecessary outbound file transfer paths and monitor external downloads from Windows endpoints.
- Use application control or execution policy where feasible to reduce untrusted binaries executing from user-writable or temporary locations.
- Ensure IR playbooks treat downloader findings as a potential precursor to follow-on malware and require scoping for additional payloads.
- Maintain compliance evidence showing collection of endpoint execution, file, and network telemetry needed to investigate downloader-led incidents.
Analyst notes and limits
Caminho is documented in ATT&CK as a downloader used since at least 2025 to deliver malware such as XWorm. The relationship set provides the most useful defensive direction: obfuscation, decoding, native API execution, process hollowing, and ingress tool transfer. The APT-C-36 relationship should inform intelligence-driven prioritization, particularly for relevant sectors or geographies, but should not be used alone for attribution.
ATT&CK provides no official detection guidance, no tactics for the malware object, no aliases, and only Windows as the platform. This take is limited to the supplied ATT&CK fields, external references, and relationships; local telemetry, samples, network indicators, and environment-specific baselines are required for reliable detection and response.
Caminho
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Caminho can deobfuscate downloaded files prior to execution. [1] |
| Enterprise | T1055.012 | Process Hollowing (sub-technique of T1055) | Caminho has launched and hollowed out MSBuild.exe to host malicious code. [1] |
| Enterprise | T1027.001 | Binary Padding (sub-technique of T1027) | Caminho can use junk code for obfuscation. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique of T1027) | Caminho can use code flattening for payload obfuscation. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Caminho has the ability to download files onto compromised hosts. [1] |
| Enterprise | T1106 | Native API | Caminho can use `System.Net.WebClient.downloadString()` for file download. [1] |
Groups, software, and campaigns
G0099: APT-C-36
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | (not shown) | 1.0 | (not shown) | Current bundle | 8ab04b58f5cd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Zscaler BlindEagle DEC 2025: Pellegrino, G. (2025, December 16). BlindEagle Targets Colombian Government Agency with Caminho and DCRAT. Retrieved April 16, 2026.
- [2] VMDetectLoader (Citation: Zscaler BlindEagle DEC 2025)
- [3] mitre-attack S9016 (MITRE ATT&CK software entry for Caminho)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.