{
	"id": "68487c13-fee3-4022-8a28-3e29a53a1016",
	"created_at": "2026-04-06T00:16:04.202884Z",
	"updated_at": "2026-04-10T03:21:47.371864Z",
	"deleted_at": null,
	"sha1_hash": "79e384349ca3283535dffc13b02aa0cd1e17136d",
	"title": "New Banking Trojan “CHAVECLOAK” Targets Brazil | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4333771,
	"plain_text": "New Banking Trojan “CHAVECLOAK” Targets Brazil | FortiGuard Labs\r\nBy Cara Lin\r\nPublished: 2024-03-04 · Archived: 2026-04-05 18:02:50 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Microsoft Windows\r\nImpact: Controls victim’s device and collects sensitive information\r\nSeverity Level: High\r\nFortiGuard Labs recently uncovered a threat actor employing a malicious PDF file to propagate the banking Trojan\r\nCHAVECLOAK. This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading\r\ntechniques to execute the final malware. Notably, CHAVECLOAK is specifically designed to target users in Brazil, aiming\r\nto steal sensitive information linked to financial activities.\r\nFigure 1 shows the detailed flow of this cyber threat.\r\nFigure 1: Attack flow\r\nIn the South American cyberthreat landscape, banking trojans employ a range of tactics, such as phishing emails, malicious\r\nattachments, and browser manipulation. Notable examples include Casbaneiro (Metamorfo/Ponteiro), Guildma, Mekotio,\r\nand Grandoreiro. These trojans specialize in illicitly obtaining online banking credentials and personal data, posing a\r\nsignificant threat to users in countries like Brazil and Mexico. The CHAVECLOAK's Command and Control (C2) server\r\ntelemetry is shown in Figure 2. In this blog, we will elaborate on the details of the malware.\r\nhttps://www.fortinet.com/blog/threat-research/banking-trojan-chavecloak-targets-brazil\r\nPage 1 of 10\n\nFigure 2: Telemetry\r\nInitial Vector PDF\r\nThe PDF, shown in Figure 3, claims to contain documents related to a contract, with instructions written in Portuguese. It lures\r\nits victims to click a button so they can read and sign the attached documents. However, a malicious downloader link is\r\ndiscreetly embedded within the stream object, as shown in Figure 4, which reveals the decoded URL. 
This URL undergoes\r\nprocessing via the free link shortening service “Goo.su,” ultimately leading to a redirect at\r\nhxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUU\r\nfor downloading the ZIP file. Upon decompression, the file yields the MSI file\r\n“NotafiscalGFGJKHKHGUURTURTF345.msi.”\r\nFigure 3: The malicious PDF file\r\nFigure 4: The embedded URL\r\nMSI Installer\r\nFollowing the decompression of the MSI installer, we uncovered multiple TXT files related to settings for different\r\nlanguages, a legitimate execution file, and a malicious DLL named “Lightshot.dll.” Notably, the modified date for this DLL\r\nfile is more recent than that of all the other files in the installer, further emphasizing its unusual nature.\r\nFigure 5: The decompressed MSI file\r\nExamining the MSI installer reveals its entire configuration, which is written in Portuguese. It executes the file\r\n“Lightshot.exe,” extracting and depositing files at “%AppData%\\Skillbrains\\lightshot\\5.5.0.7,” as shown in Figure 6.\r\nThe file “Lightshot.exe” then deploys DLL sideloading techniques to activate the execution of the malicious DLL,\r\n\"Lightshot.dll.\" This technique lets the legitimate executable load and run the malicious code discreetly, facilitating\r\nunauthorized activities like data theft. The actions conducted by “Lightshot.dll” involve covert and harmful operations,\r\nincluding the unauthorized acquisition of sensitive information. 
DLL sideloading poses a significant security threat by\r\nallowing the malware to exploit legitimate processes for nefarious purposes without detection.\r\nFigure 6: The “ActionText” in the MSI file and the extracted folder\r\nFigure 7: Load malicious DLL “Lightshot.dll”\r\nCHAVECLOAK Banking Trojan “Lightshot.dll”\r\nInitially, the process invokes “GetVolumeInformationW” to gather details about the file system and the associated volume\r\nrelated to the specified root directory. It utilizes the HEX value obtained to generate a log file in “%AppData%[HEX\r\nID]lIG.log.” Following this, it adds a registry value named “Lightshot” to\r\n“HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,” ensuring automatic execution of the\r\n“Lightshot.exe” program upon user login. Once logging and persistence are completed, it sends an HTTP request to\r\nhxxp://64[.]225[.]32[.]24/shn/inspecionando.php. If geo-checking confirms that the victim is in Brazil, it logs data on the\r\nserver, accessible through the path “clients.php,” as shown in Figure 8.\r\nFigure 8: The Check-in victim list\r\nIt then periodically monitors the foreground window using the APIs “GetForegroundWindow” and “GetWindowTextW.”\r\nUpon identifying a window and confirming its name against a predefined list of bank-related strings, the malware\r\nestablishes communication with its Command and Control (C\u0026C) server.\r\nThe malware facilitates various actions to steal a victim's credentials, such as allowing the operator to block the victim's\r\nscreen, log keystrokes, and display deceptive pop-up windows, as shown in Figure 10. 
The malware actively monitors the\r\nvictim's access to specific financial portals, including several banks and Mercado Bitcoin, which encompasses both\r\ntraditional banking and cryptocurrency platforms.\r\nFigure 9: Compare the Window's text and the target string\r\nFigure 10: The deceptive pop-up windows\r\nAfter obtaining the user's entered login data, the malware initiates communication with its Command and Control (C2)\r\nserver at hxxp://comunidadebet20102[.]hopto[.]org. Depending on the bank associated with the stolen data, it uploads the\r\ninformation to distinct paths: “04/M/” for Mercado Bitcoin.\r\nFigure 11: The assembly code that uploads stolen data\r\nIt then transmits a POST request containing essential system details and configures the account information within the\r\n“InfoDados” parameter, as seen in Figure 12.\r\nFigure 12: The HTTP POST request for stolen data\r\nOlder Variant\r\nAdditionally, we acquired an older variant of CHAVECLOAK from the check-in site. Its process differs from the previous\r\none, as the ZIP file contains a Delphi executable file embedding the final payload in the RCData section.\r\nFigure 13: The payload in TFORM1\r\nIt begins by retrieving system information to establish a new folder and stores the payload at “C:\\Program Files\r\n(x86)\\Editor-GH-[HEX ID]\\Editor-[HEX ID].exe.” Simultaneously, it creates a log file, establishes persistence, and utilizes\r\nthe PowerShell command “Add-MpPreference –ExclusionPath” to exclude the path “Editor-GH-[HEX ID]” from Windows\r\nDefender scans. Subsequently, it sends a check-in request to hxxp://64[.]225[.]32[.]24/desktop/inspecionando.php. 
Notably,\r\nthis variant appears to be an earlier version, indicated by the victims' check-in date starting in 2023.\r\nFigure 14: Add registry\r\nFigure 15: The Check-in user list\r\nIt also actively observes user behavior, captures front window text, and harvests personally identifiable information from\r\nspecified banking and Bitcoin login pages, including names, passwords, and keystrokes. It then transmits the stolen data to\r\nthe Command and Control (C2) server at hxxp://mariashow[.]ddns[.]net/dtp/cnx.php.\r\nFigure 16: The HTTP data for sending account information\r\nConclusion\r\nThe emergence of the CHAVECLOAK banking Trojan underscores the evolving landscape of cyberthreats targeting the\r\nfinancial sector, specifically focusing on users in Brazil. Utilizing sophisticated techniques, including malicious PDFs, ZIP\r\nfile downloads, DLL sideloading, and deceptive pop-ups, it joins a cohort of prominent banking trojans that primarily target\r\nSouth America. CHAVECLOAK employs Portuguese language settings, indicating a strategic approach to the region, and\r\nactively monitors victims' interactions with financial portals. CHAVECLOAK exemplifies the sophistication of\r\ncontemporary banking trojans, necessitating continual vigilance and proactive cybersecurity measures to safeguard against\r\nevolving threats within the financial landscape of South America.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nPDF/Agent.72C4!tr\r\nW32/Banker.CNX!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine\r\nis a part of each of those solutions. 
As a result, customers who have these products with up-to-date protections are protected.\r\nThe URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nThe FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros in the document.\r\nWe also suggest that organizations go through Fortinet’s free Fortinet Certified Fundamentals (FCF) in cybersecurity\r\ntraining. The training is designed to help end users learn about today's threat landscape and will introduce basic\r\ncybersecurity concepts and technology.\r\nFortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source\r\nIP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global\r\nsources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard\r\nIncident Response Team.\r\nIOCs\r\nIP\r\n64[.]225[.]32[.]24\r\nURLs\r\nhxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUU\r\nhxxps://goo[.]su/FTD9owO\r\nHostnames\r\nmariashow[.]ddns[.]net\r\ncomunidadebet20102[.]hopto[.]org\r\nFiles:\r\nSource: 
https://www.fortinet.com/blog/threat-research/banking-trojan-chavecloak-targets-brazil",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/banking-trojan-chavecloak-targets-brazil"
	],
	"report_names": [
		"banking-trojan-chavecloak-targets-brazil"
	],
	"threat_actors": [],
	"ts_created_at": 1775434564,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79e384349ca3283535dffc13b02aa0cd1e17136d.pdf",
		"text": "https://archive.orkl.eu/79e384349ca3283535dffc13b02aa0cd1e17136d.txt",
		"img": "https://archive.orkl.eu/79e384349ca3283535dffc13b02aa0cd1e17136d.jpg"
	}
}