{
	"id": "2030c5b5-b356-46ef-87d4-ebc42e109e5b",
	"created_at": "2026-04-06T00:10:32.184858Z",
	"updated_at": "2026-04-10T03:20:38.803305Z",
	"deleted_at": null,
	"sha1_hash": "a4eb658a67a46eedf16b1c8e93b28ce86452ed3a",
	"title": "Vadokrist: A wolf in sheep's clothing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 350050,
	"plain_text": "Vadokrist: A wolf in sheep's clothing\r\nBy ESET Research\r\nArchived: 2026-04-05 15:28:11 UTC\r\nVadokrist is a Latin American banking trojan that ESET has been tracking since 2018 and that is active almost exclusively in Brazil. In this installment of our series, we examine its main features and some connections to other Latin American banking trojan families.\r\nVadokrist shares several important features with families we have described earlier in the series, namely Amavaldo, Casbaneiro, Grandoreiro and Mekotio. We recently published a white paper dedicated to documenting the similarities between Latin American banking trojans, whereas this blogpost series focuses more on the detailed analysis of one family at a time.\r\nCharacteristics\r\nVadokrist is written in Delphi. One of its most notable characteristics is the unusually large amount of unused code in the binaries. After further examination, we believe this is an attempt to evade detection and to dissuade or slow analysis. We were able to link some of the code to existing Delphi projects, such as QuickReport.\r\nVadokrist stores strings inside string tables. Earlier versions contained a string table implementation identical to Casbaneiro's (illustrated in Figure 1); however, some recent versions of this banking trojan switched to using multiple string tables, each for a different purpose (list of targets, general configuration, backdoor command names, etc.).\r\nhttps://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/\r\nPage 1 of 11\r\nFigure 1. String table implementation in earlier Vadokrist binaries\r\nThe vast majority of Latin American banking trojans collect information about the victim machine (typically computer name and version of the Windows OS) when first run. The only information Vadokrist collects is the victim’s username, and it does so only after initiating an attack on a targeted financial institution, not at install time as most other Latin American banking trojans do.\r\nTo ensure persistence, Vadokrist either utilizes a Run key or creates a LNK file in the startup folder.\r\nIts backdoor capabilities are typical for this type of threat: it can manipulate the mouse and simulate keyboard input, log keystrokes, take screenshots, and restart the machine. It is also able to prevent access to some websites, which it does in a rather clumsy way by killing the browser process when the victim attempts to visit such a website. We believe this technique is used to prevent victims from accessing their online bank accounts once the attackers have compromised them, helping the attackers retain control.\r\nCryptography\r\nThe majority of Vadokrist binaries implement a cryptographic algorithm we have seen in other Latin American banking trojans (namely Amavaldo and Casbaneiro) that we have dubbed TripleKey. Vadokrist uses this algorithm to protect its strings, and occasionally payloads and remote configurations as well (we dig deeper into this topic later). For clarity, we have implemented the algorithm in Python, as seen in Figure 2. The two variants differ only in how the running key is updated: the payload variant feeds back the decrypted byte masked to 8 bits, while the string variant feeds back the encrypted byte masked to 16 bits.\r\ndef decrypt_payload(data_enc, key1, key2, key3):\r\n    # data_enc: the encrypted bytes; key1, key2, key3: the three integer keys\r\n    data_dec = str()\r\n    for c in data_enc:\r\n        x = c ^ ((key3 \u003e\u003e 8) \u0026 0xFF)\r\n        data_dec += chr(x)\r\n        # payload variant: the decrypted byte, masked to 8 bits, feeds the next key\r\n        key3 = ((x + key3) \u0026 0xFF) * key1 + key2\r\n    return data_dec\r\n\r\ndef decrypt_string(data_enc, key1, key2, key3):\r\n    data_dec = str()\r\n    for c in data_enc:\r\n        x = c ^ ((key3 \u003e\u003e 8) \u0026 0xFF)\r\n        data_dec += chr(x)\r\n        # string variant: the encrypted byte, masked to 16 bits, feeds the next key\r\n        key3 = ((c + key3) \u0026 0xFFFF) * key1 + key2\r\n    return data_dec\r\nFigure 2. TripleKey encryption scheme used by Vadokrist to protect strings, payloads and remote configurations\r\nBesides that, we have seen Vadokrist using RC4 in some of its recent binaries and, in the past, Twofish as well. This is quite rare among Latin American banking trojans, as most of them never use well-known cryptographic algorithms.\r\nDistribution\r\nMSI overload\r\nRecent spam emails distributing Vadokrist contain two nested ZIP archives that contain two files – an MSI installer and a CAB archive. If a victim executes the MSI installer, it locates the CAB archive and extracts its contents (an MSI loader) to disk. It then executes an embedded JavaScript file that adds a Run key entry, making sure the MSI loader is executed on system startup. Finally, the script restarts the machine. On startup, the MSI loader executes an embedded DLL – the Vadokrist banking trojan. The whole process is illustrated in Figure 3. Notice that no actual downloader is in place; the banking trojan is distributed directly by these spam emails.\r\nFigure 3. Execution chain recently used by Vadokrist\r\nThe JavaScript file is worth mentioning because of its obfuscation. It leverages how the comma operator (,) works in JavaScript and abuses it to greatly reduce readability and possibly to bypass emulation. It obfuscates conditions using the logical AND operator (\u0026\u0026) in a similar manner. See an example in Figure 4.\r\nFigure 4. JavaScript installer used by Vadokrist. The bottom part shows the script with transformed operators for better readability.\r\nOlder distribution \u0026 execution techniques\r\nWe observed Vadokrist, like most other Latin American banking trojans, using several implementations of the typical distribution chain. We won’t cover all of them, but two are worth mentioning. We have seen Vadokrist sharing a Delphi downloader with Grandoreiro and a whole distribution chain with Mekotio – in fact, the one marked as Chain 1 in our blogpost about Mekotio.\r\nVadokrist occasionally relies on DLL side-loading with a specific injector to decrypt and execute the banking trojan. This injector is identical to the one used by Amavaldo and implements the aforementioned TripleKey algorithm for data decryption.\r\nRemote configuration\r\nVadokrist utilizes remote configuration both in its downloaders and in the actual banking trojan, usually hosted on public storage services such as GitHub.\r\nThe configuration file is usually encrypted, either with TripleKey or with RC4. In Figure 5, you can see that in both cases the data can be decrypted without any additional knowledge: in the case of TripleKey, all three keys can be extracted from the end of the string, and in the case of RC4, the key can be derived from the password. In the latter case, the encrypted data is further encoded with base64.\r\nThe delimiter also changes from time to time. So far, we have seen three different characters used: “|”, “!” and “/”.\r\nFigure 5. Encrypted remote configuration files used by Vadokrist\r\nNow that we know how to decrypt the configuration file, let’s examine its contents. In the case of the banking trojan, the result is easy to understand, as it is the IP address of a C\u0026C server. For downloaders, the format is a bit more complex, as illustrated in Figure 6.\r\nFigure 6. Different formats of remote configuration used by Vadokrist downloaders\r\nTo simplify, we recognize a configuration with an optional ID and six fields:\r\n[mandatory] The URL to download the banking trojan from\r\n[optional] Special folder (first part of the installation path)\r\n[optional] Installation flag (described below)\r\n[optional] Path (second part of the installation path)\r\n[optional] Filename (third and final part of the installation path)\r\n[mandatory] Notification URL\r\nTwo of these fields require further explanation. If the installation flag is set to “T”, all three parts of the installation path are used; otherwise the first part (the special folder) is ignored. The only thing sent to the notification URL is whether an application named Core.exe is running – a check familiar from other Latin American banking trojans that try to detect the presence of the anti-fraud software Warsaw from GAS Tecnologia.\r\nIn Figure 6 you can see that the first variant uses all the fields, the second one does not use the ID, and the third one uses only the two mandatory URL fields. Delimiter usage here is a bit more complex: one delimiter separates different entries and a different one separates the fields of an entry. Additionally, the delimiters change here as well.\r\nThe dynamically changing format of the configuration file indicates Vadokrist is under active and continuous development.\r\nConclusion\r\nIn this blogpost, we have dissected Vadokrist, a Latin American banking trojan that is focused on Brazil. We have shown that it has the typical characteristics of a Latin American banking trojan – it is written in Delphi, offers backdoor functionality and targets financial institutions.
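Before closing, here is an added worked example that is not code from the original ESET post. It ties together two things described above: recovering a TripleKey-protected remote configuration whose three keys trail the ciphertext (Cryptography and Remote configuration sections), and parsing the downloader configuration with its optional ID and six fields, separate entry and field delimiters, and the T installation flag. The cipher is the string variant from Figure 2. Everything else is an assumption made for the example: the blob layout (hex ciphertext followed by key1, key2, key3 separated by one of the three delimiters the post lists), the sample keys, the example.invalid hostnames, and the field counts used to tell the three variants apart (7 with ID, 6 without, 2 for the URL-only variant). All sample data is constructed and the code runs offline.

```python
# Added example (not code from the ESET post). Assumptions, not facts from the
# post: the blob layout <hex ciphertext><d><key1><d><key2><d><key3>, the sample
# delimiters, hostnames, keys, and the field counts used to tell the three
# downloader-config variants apart (7, 6, 2).

CONFIG_DELIMS = ('|', '!', '/')   # the three delimiter characters the post reports


def triplekey_decrypt(data_enc, key1, key2, key3):
    # String variant of the post's Figure 2: the running key is updated with the
    # encrypted byte, masked to 16 bits, so decryption needs nothing but the keys.
    out = bytearray()
    for c in data_enc:
        x = c ^ ((key3 >> 8) & 0xFF)
        out.append(x)
        key3 = ((c + key3) & 0xFFFF) * key1 + key2
    return bytes(out)


def triplekey_encrypt(data, key1, key2, key3):
    # Inverse of the string variant, derived from the decryptor (not in the post):
    # the key update consumes the ciphertext byte, which both sides have.
    out = bytearray()
    for x in data:
        c = x ^ ((key3 >> 8) & 0xFF)
        out.append(c)
        key3 = ((c + key3) & 0xFFFF) * key1 + key2
    return bytes(out)


def split_triplekey_blob(blob):
    # Try each known delimiter; accept the first whose last three fields are integers.
    for d in CONFIG_DELIMS:
        parts = blob.rsplit(d, 3)
        if len(parts) == 4 and all(p.isdigit() for p in parts[1:]):
            return bytes.fromhex(parts[0]), tuple(int(p) for p in parts[1:])
    raise ValueError('no recognised delimiter or trailing-key layout')


def decrypt_config_blob(blob):
    # For the banking trojan the decrypted configuration is a C&C address (per the post).
    data_enc, (key1, key2, key3) = split_triplekey_blob(blob)
    return triplekey_decrypt(data_enc, key1, key2, key3).decode('ascii')


def make_config_blob(plaintext, keys, delim):
    # Builds a sample blob in the assumed layout so the example runs offline.
    data_enc = triplekey_encrypt(plaintext.encode('ascii'), *keys)
    return data_enc.hex() + delim + delim.join(str(k) for k in keys)


def parse_downloader_config(text, entry_delim, field_delim):
    # Returns one dict per entry. The post describes three variants: all fields
    # including the ID, the six fields without ID, and only the two mandatory URLs.
    entries = []
    for raw in text.split(entry_delim):
        if not raw:
            continue
        fields = raw.split(field_delim)
        entry_id = None
        if len(fields) == 7:                     # ID + six fields
            entry_id, fields = fields[0], fields[1:]
        if len(fields) == 6:
            url, folder, flag, path, name, notify = fields
        elif len(fields) == 2:                   # only the mandatory URLs
            url, notify = fields
            folder = flag = path = name = ''
        else:
            raise ValueError('unexpected field count: %d' % len(fields))
        # Installation flag T means all three path parts are used; otherwise the
        # special folder (the first part) is ignored.
        if not name:
            install_parts = ()
        elif flag == 'T':
            install_parts = (folder, path, name)
        else:
            install_parts = (path, name)
        entries.append({'id': entry_id, 'url': url, 'notify_url': notify,
                        'install_parts': install_parts})
    return entries


# Constructed samples (not real Vadokrist data). The C&C value reuses an address
# from the post's IoC list only as plaintext; hostnames are placeholders.
SAMPLE_KEYS = (101, 37, 5113)
SAMPLE_CC_BLOB = make_config_blob('191.232.212.242', SAMPLE_KEYS, '!')
SAMPLE_DL_CONFIG = (
    '1!http://example.invalid/a.zip!APPDATA!T!Sub!a.exe!http://example.invalid/n1|'
    'http://example.invalid/b.zip!APPDATA!F!Sub!b.exe!http://example.invalid/n2|'
    'http://example.invalid/c.zip!http://example.invalid/n3'
)

if __name__ == '__main__':
    print('C&C:', decrypt_config_blob(SAMPLE_CC_BLOB))
    for entry in parse_downloader_config(SAMPLE_DL_CONFIG, '|', '!'):
        print(entry)
```

Two points worth noting. First, because the keys travel with the ciphertext, the scheme provides no confidentiality against an analyst who has the file; it only keeps the C&C address out of plain sight, which is exactly why the post can decrypt the configurations without additional knowledge. Second, the parser splits naively on the field delimiter, so a URL that itself contains that character would be mis-parsed; when the delimiter rotates between the three characters seen in the wild, a decoder has to be told (or infer) which one is in use, as split_triplekey_blob does for the trailing keys.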
Vadokrist's main deviation from the typical implementation is that it does not collect information about victims right after successfully compromising their machines.\r\nWe have covered its encryption schemes, distribution and execution methods and remote configuration formats. Vadokrist seems to be connected to Amavaldo, Casbaneiro, Grandoreiro and Mekotio, other Latin American banking trojans described earlier in our series.\r\nFor any inquiries, contact us at threatintel@eset.com. Indicators of Compromise can also be found in our GitHub repository.\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nCampaign “MSI overload”\r\nSHA-1 | Description | ESET detection name\r\nD8C6DDACC42645DF0F760489C5A4C3AA686998A1 | MSI installer | JS/TrojanDownloader.Banload.ABD\r\n01ECACF490F303891118893242F5600EF9154184 | MSI loader | Win32/Spy.Vadokrist.T\r\nF81A58C11AF26BDAFAC1EB2DD1D468C5A80F8F28 | Vadokrist banking trojan | Win32/Spy.Vadokrist.T\r\nOther\r\nSHA-1 | Description | ESET detection name\r\n8D7E133530E4CCECE9CD4FD8C544E0913D26FE4B | Vadokrist banking trojan | Win32/Spy.Vadokrist.AF\r\nAD4289E61642A4A724C9F44356540DF76A35B741 | Vadokrist banking trojan | Win32/Spy.Vadokrist.T\r\nBD71A9D09F7E445BE5ACDF412657C8CFCE0F717D | Vadokrist banking trojan | Win32/Spy.Vadokrist.AD\r\n06C0A039DEDBEF4B9013F8A35AACD7F33CD47524 | Downloader (MSI/JS) | JS/TrojanDownloader.Banload.AAO\r\nFADA4C27B78DDE798F1E917F82226B983C5B74D8 | Downloader (Delphi) | Win32/Spy.Vadokrist.Y\r\n525FCAA13E3867B58E442B4B1B612664AFB5A5C0 | Injector shared with Amavaldo | Win32/Spy.Amavaldo.L\r\nRecent C\u0026C servers\r\n104.41.26[.]216\r\n104.41.41[.]216\r\n104.41.47[.]53\r\n191.232.212[.]242\r\n191.232.243[.]100\r\n191.235.78[.]249\r\n191.237.255[.]155\r\n191.239.244[.]141\r\n191.239.245[.]87\r\n191.239.255[.]102\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 8 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | Vadokrist registers its own domains to be used as C\u0026C servers.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Vadokrist is operated by the same group that develops it.\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Vadokrist is distributed as a spam attachment.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | Vadokrist uses PowerShell in some distribution chains.\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Vadokrist uses VBScript in some distribution chains.\r\nExecution | T1059.007 | Command and Scripting Interpreter: JavaScript/JScript | Vadokrist uses JavaScript in its recent distribution chains.\r\nExecution | T1204.002 | User Execution: Malicious File | Vadokrist relies on the user to execute the malicious binary.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Vadokrist ensures persistence via a Run key or a LNK file in the startup folder.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Vadokrist is often distributed encrypted and encrypts its remote configuration.\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Vadokrist is sometimes executed by this technique.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Vadokrist masquerades as legitimate software.\r\nDefense Evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | Vadokrist uses the MSI format for execution.\r\nCredential Access | T1056.001 | Input Capture: Keylogging | Vadokrist can capture keystrokes.\r\nDiscovery | T1010 | Application Window Discovery | Vadokrist looks for bank-related windows based on their names.\r\nDiscovery | T1057 | Process Discovery | Vadokrist tries to discover anti-fraud software by process name.\r\nDiscovery | T1082 | System Information Discovery | Vadokrist discovers the victim’s username.\r\nCollection | T1113 | Screen Capture | Vadokrist can take screenshots.\r\nCommand and Control | T1132.002 | Data Encoding: Non-Standard Encoding | Vadokrist communicates via a custom protocol encrypted with the TripleKey algorithm.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Vadokrist exfiltrates data via the C\u0026C server.\r\nSource: https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/"
	],
	"report_names": [
		"vadokrist-wolf-sheeps-clothing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434232,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4eb658a67a46eedf16b1c8e93b28ce86452ed3a.pdf",
		"text": "https://archive.orkl.eu/a4eb658a67a46eedf16b1c8e93b28ce86452ed3a.txt",
		"img": "https://archive.orkl.eu/a4eb658a67a46eedf16b1c8e93b28ce86452ed3a.jpg"
	}
}