Brazilian scammers are calling victims and urging them to install a supposed update of a bank's security module in a series of phishing attacks.

The supposed update is actually a malicious extension of Google Chrome capable of capturing banking credentials. The malware used in the exploit manages to fly under the radar of malware detection by targeting only a few select targets to avoiding binary code patterns, Morphus Labs researcher Renato Marinho said in an Aug 15 blog post.

Marinho said the attackers carefully research the targets via social network to identify those who deal with the company's finances. The threat actors then contact these workers posing as bank employees and instruct them to install the "latest bank module."

“Once the victim has followed the guidelines and installed the fake module, the fraudster guides the victim to a test access to the company's bank account,” Marinho said. “It is at this moment that the information is stolen.”

At the time Marinho wrote the post, the JavaScript malware files had a detection rate of 0 in VirusTotal threat detection software.