Brazil is Still the Main Target of the “Guildma” Banking Trojan

Last updated June 23, 2021
Written by:
Bill Toulas
Cybersecurity Journalist

ESET places “Guildma” under the microscope, warning Brazilian internet users of the dangers that come with the popular banking Trojan. The analysts' telemetry indicates that Guildma, which is also known as “Astaroth”, is probably the most impactful malware of its kind in the area: it targets financial institutions, steals people’s credentials and email accounts, causes trouble for streaming platforms, grabs payment data from e-shops, and generally has a widespread presence in Brazilian cyberspace. Compared to other Trojans, Guildma is very innovative and sophisticated, and it counts ten times more victims than the next most successful malware in Latin America.

Guildma is a modular malware that currently consists of ten individual modules. Its main functions include the following:

[Figure: infection chain. Source: We Live Security]

The main distribution channel for Guildma is spam email carrying malicious attachments, and this has been the case for over a year now. The emails purportedly come from financial institutions or the Department of Finance, or they simply urge the user to open the attachment to access revealing images. The actors rotate their distribution techniques to trick recipients and maintain a certain variety.

[Figure: spam mail. Source: We Live Security]

The first signs of Guildma’s activity were captured by ESET in October 2018, while spikes in its deployment occurred during the summer of 2019, December 2019, and January 2020. The actors are still using the Trojan extensively, and at the same time, they are updating it with notable dedication. The latest version, number “152”, came out today, while 151 was released in January and 150 in December.

[Figure: infection rates. Source: We Live Security]

Back in version 138, the developers of Guildma experimented with adding support for targeting international banks. However, no campaigns of this kind were recorded by ESET or other researchers, and that functionality was scrapped in version 145. Guildma remains focused on the Brazilian market, and all entities in the Latin American country are advised to be very careful. Right now, most AV solutions will identify and flag Guildma's modules, as it shares common components with other known malware strains like Casbaneiro and Mispadu.


