{
	"id": "323a7a44-ce63-4b25-bd64-6522b4728cfa",
	"created_at": "2026-04-06T00:10:35.751262Z",
	"updated_at": "2026-04-10T03:22:12.708482Z",
	"deleted_at": null,
	"sha1_hash": "ad0892f6327e7581dff1b6b0ba300ad5e5083092",
	"title": "The dirty dozen of Latin America: From Amavaldo to Zumanek",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 604523,
	"plain_text": "The dirty dozen of Latin America: From Amavaldo to Zumanek\r\nBy ESET Research\r\nArchived: 2026-04-05 14:08:02 UTC\r\nESET started this blogpost series dedicated to demystifying Latin American banking trojans in August 2019. Since\r\nthen, we have covered the most active ones, namely Amavaldo, Casbaneiro, Mispadu, Guildma, Grandoreiro,\r\nMekotio, Vadokrist, Ousaban and Numando. Latin American banking trojans share many common characteristics\r\nand behaviors – a topic ESET has dedicated a white paper to. Therefore, in the series, we have focused on the unique\r\nfeatures of each malware family to help distinguish one from the other.\r\nKey takeaways\r\nLatin American banking trojans are an ongoing, evolving threat\r\nThey target mainly Brazil, Spain, and Mexico\r\nThere are at least eight different malware families still active at the time of this writing\r\nThree families went dormant during the course of this series and so did not get their own blogposts, but we briefly\r\ndescribe their main features here\r\nThe vast majority are distributed via spam, usually leading to a ZIP archive or an MSI installer\r\nCurrent state\r\nBesides Amavaldo, which became dormant around November 2020, all the other families remain active to this day.\r\nBrazil is still the most targeted country, followed by Spain and Mexico (see Figure 1). Since 2020, Grandoreiro and\r\nMekotio expanded to Europe – mainly Spain. What started as several minor campaigns, likely to test the new\r\nterritory, evolved into something much grander. 
In fact, in August and September 2021, Grandoreiro launched its\r\nlargest campaign so far and it targeted Spain (see Figure 2).\r\nThe other instalments of our series on Latin American banking trojans:\r\nFrom Carnaval to Cinco de Mayo – The journey of Amavaldo\r\nCasbaneiro: Dangerous cooking with a secret ingredient\r\nMispadu: Advertisement for a discounted Unhappy Meal\r\nGuildma: The Devil drives electric\r\nGrandoreiro: How engorged can an EXE get?\r\nMekotio: These aren’t the security updates you’re looking for…\r\nVadokrist: A wolf in sheep’s clothing\r\nOusaban: Private photo collection hidden in a CABinet\r\nNumando: Count once, code twice\r\nhttps://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/\r\nPage 1 of 10\n\nFigure 1. Top three countries most affected by Latin American banking trojans\r\nFigure 2. LATAM banking trojan activity in Spain\r\nWhile Grandoreiro remains dominant in Spain, Ousaban and Casbaneiro dominated Brazil in recent months, as\r\nillustrated by Figure 3. Mispadu seems to have shifted its focus almost exclusively to Mexico, occasionally\r\naccompanied by Casbaneiro and Grandoreiro, as seen in Figure 4.\r\nFigure 3. LATAM banking trojan activity in Brazil\r\nFigure 4. LATAM banking trojan activity in Mexico\r\nLatin American banking trojans used to change rapidly. In the early days of our tracking, some of them were adding\r\nto or modifying their core features several times a month. Nowadays they still change very often, but the core seems\r\nto remain mostly untouched. Due to the partially stabilized development, we believe the operators are now focusing\r\non improving distribution.\r\nThe campaigns we see always come in waves and more than 90% of them are distributed through spam. One\r\ncampaign usually lasts for a week at most. 
In Q3 and Q4 2021, we have seen Grandoreiro, Ousaban and Casbaneiro\r\nincreasing their reach enormously compared to their previous activity, as illustrated in Figure 5.\r\nFigure 5. LATAM banking trojan activity worldwide\r\nImpact\r\nLatin American banking trojans require many conditions to be met for an attack to succeed:\r\nPotential victims need to follow the steps required to install the malware on their machines\r\nVictims need to visit a targeted website and log into their accounts\r\nOperators need to react to this situation and manually command the malware to display the fake pop-up\r\nwindow and take control of the victim’s machine\r\nVictims must not suspect malicious activity, and may even need to enter an authentication code in the case of\r\n2FA\r\nThat said, it is hard to estimate the impact of these banking trojans just based on telemetry. However, in June this\r\nyear, we were able to get a picture when Spanish law enforcement arrested 16 people related to Mekotio and\r\nGrandoreiro.\r\nIn the report, police state that almost €300,000 were stolen and they were able to block the transfer of a total of €3.5\r\nmillion. Correlating this arrest with Figure 2, we see that Mekotio seems to have taken a much larger hit than\r\nGrandoreiro, leading us to believe that the arrested people were more connected to Mekotio. Even though Mekotio\r\nwent very quiet for almost two months after the arrest, ESET continues to see new campaigns distributing Mekotio at\r\nthe time of writing.\r\nFor reference purposes, back in 2018, Brazilian police forces arrested a criminal behind another banking trojan in\r\nwhat was called Operation Ostentation. They estimated that he had been able to steal approximately US$400 million\r\nfrom victims in Brazil.\r\nFamilies we didn’t cover\r\nDuring the course of our series, several Latin American banking trojans became inactive. 
While we had planned to\r\ndedicate separate pieces to them, since they have been inactive for over a year now, we will just briefly mention them\r\nin the sections below. We also provide IoCs for them at the end of this blogpost.\r\nKrachulka\r\nThis malware family was active in Brazil until the middle of 2019. Its most noticeable characteristic was its use of\r\nwell-known cryptographic methods to encrypt strings, as opposed to the majority of Latin American banking trojans\r\nthat mainly use custom encryption schemes, some of which are shared across these families. We have observed\r\nKrachulka variants using AES, RC2, RC4, 3DES and a slightly customized variant of Salsa20.\r\nKrachulka, despite being written in Delphi like most other Latin American banking trojans, was distributed by a\r\ndownloader written in the Go programming language – another unique characteristic among this kind of banking\r\nmalware (see Figure 6).\r\nFigure 6. Krachulka downloader written in Go\r\nLokorrito\r\nThis malware family was active mainly in Mexico until the beginning of 2020. We were able to identify additional\r\nbuilds, each dedicated to targeting a different country – Brazil, Chile and Colombia.\r\nThe most identifying feature of Lokorrito is its use of a custom User-Agent string in network communication (see\r\nFigure 7). We have observed two values – LA CONCHA DE TU MADRE and 4RR0B4R 4 X0T4 D4 TU4 M4E, both\r\nquite vulgar expressions in Spanish and Portuguese, respectively.\r\nFigure 7. Lokorrito User-Agent\r\nWe have identified several additional Lokorrito-related modules. First, a backdoor, which basically functions like a\r\nsimplified version of the banking trojan without the support for fake overlay windows. 
We believe it was installed in\r\nsome Lokorrito campaigns first and, only if the attacker saw fit, it was updated to the actual banking trojan. Then, a\r\nspam tool, which generates spam emails distributing Lokorrito and sends them to further potential victims. The tool\r\ngenerated the emails based on both hardcoded data and data obtained from a C\u0026C server. Finally, we identified a\r\nsimple infostealer designed to steal the victim’s Outlook address book and a password stealer intended to harvest\r\nOutlook and FileZilla credentials.\r\nZumanek\r\nThis malware family was active exclusively in Brazil until the middle of 2020. It was the first Latin American\r\nbanking trojan malware family ESET identified. In fact, ESET analyzed one variant in 2018 here (in Portuguese).\r\nZumanek is identified by its method for obfuscating strings. It creates a function for each character of the alphabet\r\nand then concatenates the results of calling the correct functions in sequence, as illustrated in Figure 8.\r\nFigure 8. Zumanek string obfuscation technique\r\nInterestingly, Zumanek never utilized any complicated payload execution methods. Its downloaders simply\r\ndownloaded a ZIP archive containing only the banking trojan executable, usually named drive2. The executable was\r\nvery often protected by either the VMProtect or Armadillo packer.\r\nWe think with low confidence that Ousaban may actually be the successor of Zumanek. Even though the two malware\r\nfamilies don’t seem to share any code similarities, their remote configuration format uses very similar delimiters (see\r\nFigure 9). Additionally, we have observed several servers used by Ousaban that looked very much like those used by\r\nZumanek in the past.\r\nFigure 9. 
Similarities between Zumanek and Ousaban remote configuration formats\r\nThe future\r\nSince Latin American banking trojans expanded to Europe, they have been getting more attention from both\r\nresearchers and police forces. In recent months, we’ve seen some of their biggest campaigns to date.\r\nESET researchers also discovered Janeleiro, a Latin American banking trojan written in .NET. Additionally, we may\r\nsee some of these banking trojans expanding to the Android platform. In fact, one such banking trojan, Ghimob, has\r\nalready been attributed to the threat actor behind Guildma. However, since we continue to see the developers actively\r\nimproving their Delphi binaries, we believe they will not just abandon their current arsenal.\r\nEven though many Latin American banking trojans are somewhat cumbersome and overcomplicated in their\r\nimplementation, they represent a different approach to attacking victims’ bank accounts. As opposed to the most\r\nnotorious banking trojans of the recent past, they don’t inject into the web browser, nor do they need to find ways to\r\nwebinject a certain banking website. Instead, they design a pop-up window – likely a much faster and easier process.\r\nThe threat actors already have templates at their disposal that they easily modify for different financial institutions\r\n(see Figure 10). That is their main advantage.\r\nFigure 10. Fake overlay window templates\r\nThe main disadvantage is that there is very little to no automation in the attack process – without active participation\r\nof the attacker, the banking trojan will do almost no harm. Whether some new kind of malware will try to automate\r\nthis approach remains a question for the future.\r\nConclusion\r\nIn our series, we have presented the most active Latin American banking trojans of the past few years. 
We have\r\nidentified a dozen different malware families, most of which remain active at the time of this writing. We have\r\nidentified their unique features as well as their many commonalities.\r\nThe most significant discovery during the course of our series is likely the expansion of Mekotio and Grandoreiro to\r\nEurope. Besides Spain, we’ve observed occasional small campaigns targeting Italy, France and Belgium. We believe\r\nthese banking trojans will continue to test new territories for future expansion.\r\nOur telemetry shows a surprisingly large increase in the reach of Ousaban, Grandoreiro and Casbaneiro in recent\r\nmonths, leading us to conclude the threat actors behind these malware families are determined to continue their\r\nnefarious actions against users in targeted countries. ESET will continue to track these banking trojans and keep users\r\nsafe from these threats.\r\nFor any inquiries, contact us at threatintel@eset.com. 
Indicators of Compromise for all the mentioned malware\r\nfamilies can also be found on our GitHub repository.\r\nIndicators of Compromise (IoCs)\r\nMITRE ATT\u0026CK techniques\r\nWe have created a MITRE ATT\u0026CK table showing a comparison of the techniques used by the Latin American\r\nbanking trojans featured in this series. It was released as part of our white paper dedicated to examining the many\r\nsimilarities between these banking trojans and can be found here.\r\nSource: https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/"
	],
	"report_names": [
		"dirty-dozen-latin-america-amavaldo-zumanek"
	],
	"threat_actors": [],
	"ts_created_at": 1775434235,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad0892f6327e7581dff1b6b0ba300ad5e5083092.pdf",
		"text": "https://archive.orkl.eu/ad0892f6327e7581dff1b6b0ba300ad5e5083092.txt",
		"img": "https://archive.orkl.eu/ad0892f6327e7581dff1b6b0ba300ad5e5083092.jpg"
	}
}