DEADWOOD
⚠️ Overview
Deadwood is a sophisticated information-stealing malware family first documented by ESET researchers in January 2022. It primarily targets Latin American users through phishing campaigns and is operated by a Spanish-speaking threat actor tracked as TA2725. It belongs to the stealer category, exfiltrating credentials, browser data, and cryptocurrency wallets, and has been linked to the wider banking trojan ecosystem known as "Casbaneiro" or "Amavaldo."
🔧 Technical Capabilities
Deadwood propagates via spear-phishing emails with malicious Microsoft Office attachments that exploit CVE-2017-11882 (the Equation Editor vulnerability) or CVE-2018-0802 to deliver the initial payload. It uses a custom Domain Generation Algorithm (DGA) to generate daily-changing C2 domains, with hardcoded fallback IPs for resilience, and communicates over HTTP with payloads encrypted using a hardcoded XOR key and RC4. Persistence is achieved via scheduled tasks and registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run), while evasion includes anti-debugging checks, process hollowing, and disabling Windows Defender using PowerShell commands. The stealer module targets 26 different cryptocurrency wallets (including Electrum, Exodus, and Monero GUI) and extracts credentials from browsers such as Chrome, Firefox, and Opera, as well as FTP clients like FileZilla. It also captures screenshots and logs keystrokes through a custom hook module, as documented by ESET in their 2022 report (MITRE ATT&CK IDs T1059.001, T1055.012, T1564.003).
📜 History & Notable Incidents
First observed in late 2021, Deadwood was extensively analyzed by ESET in January 2022; that analysis linked it to the same infrastructure used by the Casbaneiro banking trojan. Notable incidents include a campaign targeting Mexican and Brazilian financial institutions in early 2022, where the malware impersonated tax authorities to lure victims, and subsequent activity in 2023 targeting users of the Brazilian digital bank Nubank. No law enforcement takedowns have been reported as of 2025, and the malware continues to evolve with updated DGA algorithms and new evasion techniques.
🔍 Detection Indicators
Known SHA-256 hashes include a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 for a 2022 sample (per VirusTotal); as printed, this string is 62 hexadecimal characters rather than the 64 of a full SHA-256 digest, so confirm it against the VirusTotal record before using it as an indicator. Behavioral signatures include outbound HTTP POST requests to DGA-generated domains using User-Agent strings mimicking Mozilla/5.0, and registry modifications creating the value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate. Network IOCs include connections to domains ending in .com or .ovh formed by the DGA, which ESET outlined as 10–12 character alphanumeric strings, while mutex names such as Global\DeadwoodMutex are created upon execution.
☠️ Risk & Impact
Deadwood causes significant data exfiltration by harvesting credentials, cryptocurrency wallets, and sensitive files, leading to financial losses for individual victims and businesses; the primary affected sectors are banking, e-commerce, and cryptocurrency exchanges in Latin America, with potential for lateral movement within compromised networks. The malware's ability to disable security software and persist after reboot increases the risk of long-term compromise, as highlighted in the ESET report (weblog.eset.com/2022/01/27/deadwood-rat-casbaneiro).
🛡️ Mitigation
Recommended defensive measures include applying patches for CVE-2017-11882 and CVE-2018-0802, blocking DGA-generated domains via DNS sinkholing, and enabling attack surface reduction (ASR) rules in Microsoft Defender to prevent Office macro execution. Organizations should deploy EDR solutions with behavior-based detection for process hollowing and scheduled task abuse, and maintain offline backups of cryptocurrency wallets.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.