{
	"id": "5e39f009-5b50-45c1-b6f2-0d9db398e2c6",
	"created_at": "2026-04-06T15:54:07.387945Z",
	"updated_at": "2026-04-10T03:23:38.813031Z",
	"deleted_at": null,
	"sha1_hash": "375320f0ee8185bdf0be8bf4af807c1fd0532c49",
	"title": "Shylock/Caphaw malware Trojan: the overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101052,
	"plain_text": "Shylock/Caphaw malware Trojan: the overview\r\nBy Kaspersky\r\nPublished: 2014-07-14 · Archived: 2026-04-06 15:37:46 UTC\r\nRecently Kaspersky Lab has contributed to an alliance of law enforcement and industry organizations, to\r\nundertake measures against the internet domains and servers that form the core of an advanced cybercriminal\r\ninfrastructure that uses the Shylock Trojan to attack online banking systems around the globe.\r\nShylock is a banking Trojan that was first discovered in 2011. It utilizes man-in-the-browser attacks designed to\r\npilfer banking login credentials from the PCs of clients of a predetermined list of target organizations. Most of\r\nthese organizations are banks, located in different countries.\r\nKaspersky Lab products detect the Shylock malware as Backdoor.Win32.Caphaw and Trojan-Spy.Win32.Shylock.\r\nWe detected this malware generically from the end of August 2011, as Backdoor.Win32.Bifrose.fly. Specific\r\ndetection of this separate family was added in February 2012. Since then we have observed very few detections\r\n– approximately 24,000 attempts to infect PCs protected by Kaspersky Lab products worldwide.\r\nThese are very modest numbers, especially in comparison with other infamous banking malware such as ZeuS,\r\nSpyEye, Carberp which have generated (and, in the case of some of them, such as ZeuS, still generate) tens or\r\nhundreds of thousands of detections. Of course, these numbers don’t tell us everything about how widespread or\r\neffective Shylock is, because Kaspersky Lab “sees” only a part of the total number of PC users – only those who\r\nuse our products.\r\nLow popularity doesn’t make Shylock less dangerous though. The set of malicious techniques it utilizes is no less\r\ndangerous than that used by other similar malware. It is able to inject its body in multiple running processes, has\r\ntools to avoid detection by anti-malware software, uses several plugins which add additional malicious functions\r\naimed at bypassing anti-malware software, collects passwords for ftp-servers, spreads itself via messengers and\r\nservers, provides remote access to the infected machine, video grabbing and of course web injection.\r\nThis last function is used to steal online banking credentials by injecting fake data entry fields into the web page\r\nloaded in the victim’s browser.\r\nDuring the entire period we’ve seen two relatively big peaks in detection rate for this malware.\r\nThe first one was in November 2012 and the second one was in December 2013.\r\nhttps://securelist.com/shylockcaphaw-malware-trojan-the-overview/64599/\r\nPage 1 of 3\n\nThe geography of the November 2012 peak was as follows:\r\nUnited Kingdom\r\nItaly\r\nPoland\r\nRussian Federation\r\nMexico\r\nThailand\r\nIran\r\nTurkey\r\nIndia\r\nSpain\r\nThe table above shows the top 10 countries where most attacks using the Shylock malware were registered. A little\r\nmore than a year later, in December 2013, the picture had changed dramatically.\r\nBrazil\r\nRussian Federation\r\nVietnam\r\nItaly\r\nUkraine\r\nIndia\r\nUnited Kingdom\r\nBelarus\r\nTurkey\r\nTaiwan\r\nAs these tables show, the criminals behind this malware definitely stopped paying so much attention to the\r\ndeveloped e-money markets of the UK, Italy and Poland in favor of the actively developing markets of Brazil,\r\nRussia and Vietnam. It’s also interesting that both peaks happened in the late autumn to early winter period, a\r\ntraditional high retail season in many countries around the world.\r\nAccording to Europol data, this malware has infected more than 30,000 PCs worldwide. This is a big enough\r\nscale to cause huge financial damage, so the disruption of the Shylock backbone infrastructure is very good news.\r\nAnd even better news is that the recent operation, coordinated by the UK’s National Crime Agency (NCA),\r\nbrought together partners from the law enforcement and the private sector, including – besides Kaspersky Lab –\r\nEuropol, the FBI, BAE Systems Applied Intelligence, Dell SecureWorks and the UK’s GCHQ (Government\r\nCommunications Headquarters), to jointly combat the threat. We at Kaspersky Lab were glad to add our modest\r\ncontribution to this operation. Global action brings positive results – an example being the operation targeting the\r\nShylock malware.\r\nSource: https://securelist.com/shylockcaphaw-malware-trojan-the-overview/64599/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/shylockcaphaw-malware-trojan-the-overview/64599/"
	],
	"report_names": [
		"64599"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490847,
	"ts_updated_at": 1775791418,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/375320f0ee8185bdf0be8bf4af807c1fd0532c49.pdf",
		"text": "https://archive.orkl.eu/375320f0ee8185bdf0be8bf4af807c1fd0532c49.txt",
		"img": "https://archive.orkl.eu/375320f0ee8185bdf0be8bf4af807c1fd0532c49.jpg"
	}
}