Javali

Malware

⚠️ Overview

Javali is a remote access trojan (RAT) first documented in September 2022 by researchers at Zscaler and Fortinet, believed to be operated by a Brazilian criminal group known as "Javali Gang" targeting Portuguese-speaking users. It is categorized as a stealer and backdoor, often deployed in phishing campaigns against banking and e-commerce platforms.

🔧 Technical Capabilities

Javali uses dynamic-link library (DLL) sideloading via a legitimate signed executable to load its malicious payload, evading static detection. It employs cryptographic techniques including XOR and AES for C2 communication, using HTTPS with custom User-Agent strings to blend with normal traffic. The trojan harvests credentials from browsers, steals cryptocurrency wallet files, and captures keystrokes and clipboard data. It maintains persistence through Windows Registry Run keys and scheduled tasks, and can download additional modules. Evasion includes anti-debugging checks via IsDebuggerPresent and process hollowing to inject into legitimate processes like svchost.exe.

📜 History & Notable Incidents

The Javali malware first appeared in mid-2022, with active campaigns targeting Brazilian financial institutions and e-commerce sites via spear-phishing emails containing malicious LNK or ISO files. No high-profile victim was publicly named, but the group is linked to a batch of over 100 compromised bank accounts by early 2023. The malware exploits CVE-2022-30190 (Follina) in Microsoft Office for initial delivery. No known law enforcement action has been reported as of 2025.

🔍 Detection Indicators

Known file hashes include SHA256: 3c8b5a1e... (reported in Zscaler's analysis). Behavioral indicators include creation of a scheduled task named "JavaUpdateTask" and a registry Run value "JavaliService" under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run". Network IOCs include C2 domains ending in .com.br and .xyz, contacting IPs in Brazilian ASNs. The malware uses the User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36".
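A small triage script, added here as an example rather than code from the original page or any vendor's tooling, applies the indicators above to constructed endpoint and HTTP telemetry. It weights the Javali-specific task and Run-value names as strong hits and treats the stock Chrome 104 User-Agent combined with a .com.br/.xyz host as only a weak, corroborating hit; the event field names and sample events are assumptions.

```python
from typing import Dict, List, Optional

# Indicators from the Detection Indicators section above. The task and Run-value
# names are specific to Javali; the User-Agent is the stock Chrome 104 string and
# the two domain suffixes cover many benign hosts, so those only corroborate.
TASK_NAME = "JavaUpdateTask"
RUN_VALUE = "JavaliService"
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"
STOCK_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36")
C2_SUFFIXES = (".com.br", ".xyz")

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return "strong", "weak" or None for one normalised telemetry event.
    Field names (type, name, key, value, host, user_agent) are assumed."""
    kind = event.get("type")
    if kind == "task_create" and event.get("name") == TASK_NAME:
        return "strong"
    if kind == "reg_set":
        # Accept both HKCU\... and HKU\<SID>\... spellings of the Run key.
        key = event.get("key", "").lower()
        if key.endswith(RUN_KEY_SUFFIX) and event.get("value") == RUN_VALUE:
            return "strong"
    if kind == "http":
        host = event.get("host", "").lower()
        if event.get("user_agent") == STOCK_UA and host.endswith(C2_SUFFIXES):
            return "weak"
    return None

def triage(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits by strength; escalate only when a strong hit is present."""
    counts = {"strong": 0, "weak": 0}
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            counts[verdict] += 1
    return counts

# Constructed sample telemetry (not real data): two matching persistence events,
# one benign Run value, one .com.br request with the stock UA, one ordinary request.
SAMPLE_EVENTS = [
    {"type": "task_create", "name": "JavaUpdateTask"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "JavaliService"},
    {"type": "reg_set", "key": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive"},
    {"type": "http", "host": "cdn.example.com.br", "user_agent": STOCK_UA},
    {"type": "http", "host": "www.example.com", "user_agent": STOCK_UA},
]
# triage(SAMPLE_EVENTS) -> {'strong': 2, 'weak': 1}
```

A weak hit on its own is just a browser visiting a Brazilian site; it is worth a look only when a strong hit occurs on the same host in the same window.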

☠️ Risk & Impact

Javali poses high risk for credential theft, data exfiltration, and financial loss, primarily targeting the banking and e-commerce sectors in Brazil and Portugal. It can exfiltrate sensitive customer data and session cookies, enabling account takeover. The malware's modular payloads have been associated with ransomware deployments in limited cases, increasing the potential for operational disruption.

🛡️ Mitigation

Mitigation involves blocking known C2 domains via firewall and DNS, enabling Microsoft Defender for Office 365 anti-phishing policies, and deploying EDR solutions with YARA rules for Javali-specific patterns. Users should apply patches for CVE-2022-30190 and disable macro execution in Office. Regular credential rotation and multi-factor authentication reduce account takeover impact. Reference: Zscaler ThreatLabz report (Sept 2022).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.