Cybercriminals target Canadian restaurant chain with Chameleon malware
2024-8-7 23:31:26 Author: therecord.media

Researchers have uncovered a campaign targeting hospitality workers in Canada and Europe in July with banking malware known as Chameleon.

Among the hackers' targets was an unnamed Canadian restaurant chain operating internationally, according to a report released by the cybersecurity firm Threat Fabric on Monday.

In these attacks, Chameleon was disguised as a customer relationship management (CRM) app, which is often used in the hospitality industry for task automation, communication, and data analysis. Threat Fabric did not specify the app.

Researchers noted that other intended victims of the campaign likely include hospitality workers and potentially employees of direct-to-customer retailers in Canada and Europe.

If the attackers succeed in infecting a device that has corporate banking access, Chameleon can then target business banking accounts.

“The increased likelihood of such access for employees whose roles involve CRM is the likely reason behind the choice of masquerading during this latest campaign,” researchers said.

The report does not specify how the hackers initially accessed the targeted systems but indicates that the first stage of the malware installation process involves a dropper capable of bypassing security restrictions in versions 13 and above of the Android operating system.

Once loaded, the dropper displays a fake page with CRM login fields, requesting the employee ID. If a user then clicks on a message asking them to reinstall the application, Chameleon infects the computer.

After installation, users are directed to a fake website asking for the employee's credentials.

Because Chameleon is already running in the background, it is also able to collect credentials and other sensitive information using keylogging. “Such information can be used in further attacks, or the actors can monetize it by selling it on underground forums,” researchers said.

The malware was discovered in December 2022 and has previously targeted entities in Australia, Italy, Poland and the U.K.

Threat Fabric has also observed recent Chameleon attacks on customers of unnamed financial organizations, with the malware masquerading as a security app installing a security certificate released by the bank.

In incidents last year, the malware found victims in Australia and Poland, disguising itself as institutions like the Australian Taxation Office (ATO) and popular banking apps.


Article source: https://therecord.media/chameleon-malware-crm-software-canadian-restaurant-chain