Two recently observed cybertheft campaigns targeting South Koreans employed a three-stage downloader framework that installed the Blackmoon banking trojan on geo-targeted machines, according to a blog post Thursday from Fidelis Cybersecurity.

Taking place from late 2016 through 2017, the campaigns were aimed at users of such South Korean financial institutions as Samsung Pay, Citibank Korea, Hana Financial Group, KB Financial Group and more, Fidelis reports. Typically, Blackmoon is delivered through a variety of methods, including adware campaigns and exploit kits.

The three-stage delivery of Blackmoon, aka KRBanker or Banbra, was designed to help the cybercriminals evade detection, the blog post continues. The first component, an initial downloader, performs a GET request against a hardcoded URL, which sends bytecode in response. In turn, this bytecode second-stage downloader decodes data containing a URL that hosts the next file to be downloaded – a Portable Executable (PE) file that's named as a jpg. This file acts as a third-stage downloader, dubbed KRDownloader, which verifies that the user's default system language is Korean, connects to a command-and-control server, and introduces the main malicious payload. "When the user's language is not Korean, the bot simply dies," the blog post explains.
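The third stage described above is a PE file served under a .jpg name, which a content-versus-extension check on downloaded files can flag. The following is an added example, not code from Fidelis or from the malware; the function names and sample files are constructed for illustration.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTS = (".jpg", ".jpeg")

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, so this is safe on junk input.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_download(name: str, data: bytes) -> str:
    """Compare the extension a file claims against what its magic bytes say."""
    claims_image = name.lower().endswith(IMAGE_EXTS)
    if is_pe(data):
        return "pe-disguised-as-image" if claims_image else "pe"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "image-ext-unknown-content" if claims_image else "other"

def _constructed_pe() -> bytes:
    # Constructed minimal header: MZ stub, e_lfanew = 0x80, PE signature there.
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)

# Constructed samples (name, body); none are taken from the campaign.
SAMPLES = [
    ("photo.jpg", JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32),
    ("banner.jpg", _constructed_pe()),
    ("setup.exe", _constructed_pe()),
    ("truncated.jpg", b"MZ\x90\x00"),
]

def scan(samples):
    """Return {file name: verdict} for each (name, body) pair."""
    return {name: classify_download(name, data) for name, data in samples}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

The same comparison can be applied to HTTP response bodies at a proxy, where the claimed type comes from the URL path or Content-Type header instead of a file name.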

The campaigns no longer appear active, confirmed John Bambenek, Fidelis's manager of threat intelligence systems, in an email exchange with SC Media.