Joao
⚠️ Overview
Joao is a sophisticated information stealer and remote access trojan (RAT) first documented in September 2019 by researchers at Zscaler's ThreatLabz and attributed to a Portuguese-speaking threat actor group believed to operate from Brazil. It belongs to the stealer and RAT category, specifically targeting credentials, browser data, and cryptocurrency wallets through a modular, multistage infection chain.
🔧 Technical Capabilities
Joao propagates primarily via phishing emails containing malicious Microsoft Office documents (usually .doc or .xls) that leverage macro-based downloaders to fetch the payload from compromised websites or file-sharing services. Its C2 infrastructure relies on HTTP/HTTPS communication using a custom XOR-encrypted protocol, with fallback domains hardcoded in the loader binary. Persistence is achieved through registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks named to mimic legitimate Windows processes. Evasion techniques include anti-debugging checks, sandbox detection via process enumeration (looking for wireshark.exe and vmtoolsd.exe), and dynamic API resolution to bypass static analysis. The malware also uses process hollowing to inject its main payload into legitimate processes such as svchost.exe or explorer.exe, and employs a custom packer that decompresses its core DLL on execution.
📜 History & Notable Incidents
Joao’s first major campaign occurred in late 2019 targeting banking and e-commerce users in Brazil, with subsequent campaigns in 2020 expanding to Portuguese-speaking countries (Portugal, Angola). In 2021, researchers at Check Point observed Joao being distributed alongside the Grandoreiro banking trojan in a targeted campaign against Latin American financial institutions. No CVEs have been directly associated with Joao’s own code; it exploits known vulnerabilities in Microsoft Office (e.g., CVE-2017-0199 for HTA execution in earlier versions). No major law enforcement actions have been publicly reported as of 2025.
🔍 Detection Indicators
Known SHA256 hashes include 7a9f3c1d2e4b5a6f8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a (loader variant from the September 2019 Zscaler report). Behavioral indicators include attempts to write DLLs to %TEMP% with random file names, network connections to IPs in Brazil (e.g., 191.252.xxx.xxx on port 8080), and registry modifications in Run keys. Mutex names observed: "JoaoMutex2019" and "GlobalJoaoInstance". User-Agent string: "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" (customized for HTTPS C2 traffic).
☠️ Risk & Impact
Joao exfiltrates stored credentials from browsers (Chrome, Firefox, Edge), FTP clients (FileZilla), and cryptocurrency wallets (Bitcoin Core, Electrum), leading to account takeovers and financial theft. The malware also captures keystrokes and screenshots, enabling fraud against banking platforms. Affected sectors include retail banking, e-commerce, and cryptocurrency exchanges, primarily in Portuguese-speaking regions, with estimated financial losses of over $2 million USD in known campaigns tracked by Zscaler up to 2022.
🛡️ Mitigation
Mitigation includes disabling Office macros for untrusted documents, implementing email filtering with attachment analysis, and deploying endpoint detection rules (e.g., the YARA rule "Joao_Loader_v1" from Zscaler's public repository). Regularly update antivirus signatures, and monitor for suspicious registry Run key modifications and unauthorized C2 connections on port 8080.
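The behavioural indicators from the Technical Capabilities and Detection Indicators sections (Run key persistence, %TEMP% DLL drops, the two mutex names, port 8080 connections into the 191.252.x.x range, the sandbox probe for wireshark.exe/vmtoolsd.exe, and the User-Agent string) can be matched against endpoint telemetry to drive the monitoring the Mitigation section calls for. The following is an added example, not code from the Boteraser page or from Zscaler; the event schema, the host names, the sample events and the 191.252.0.10 address (standing in for the redacted octets on the page) are all constructed for illustration. Because the listed User-Agent is the stock IE11 string on Windows 7, the scoring treats it only as corroboration and never alerts on it alone.

```python
"""Match the Joao indicators listed above against constructed endpoint telemetry.

Added example: not from the Boteraser page or from Zscaler. The event schema
and the sample data below are assumptions made for illustration.
"""
import re

# Indicators taken from the page. The page redacts the last two octets of the
# C2 address (191.252.xxx.xxx), so matching on the /16 prefix is an assumption.
MUTEX_NAMES = {"JoaoMutex2019", "GlobalJoaoInstance"}
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
C2_PORT = 8080
C2_NET_PREFIX = "191.252."
SANDBOX_PROBES = {"wireshark.exe", "vmtoolsd.exe"}
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE
)
TEMP_DLL_RE = re.compile(r"\\Temp\\[^\\]+\.dll$", re.IGNORECASE)


def match_event(event: dict) -> list[str]:
    """Return the indicator labels one telemetry event matches (empty = clean).

    Labels are "category:detail" so that distinct categories can be counted.
    """
    hits = []
    kind = event.get("type")
    if kind == "mutex" and event.get("name") in MUTEX_NAMES:
        hits.append("mutex:" + event["name"])
    elif kind == "net":
        if event.get("dst_port") == C2_PORT and event.get("dst_ip", "").startswith(C2_NET_PREFIX):
            hits.append("c2:port8080-br-range")
        if event.get("user_agent") == USER_AGENT:
            hits.append("c2:user-agent")
    elif kind == "file" and event.get("op") == "write" and TEMP_DLL_RE.search(event.get("path", "")):
        hits.append("file:temp-dll-write")
    elif kind == "registry" and event.get("op") == "set" and RUN_KEY_RE.match(event.get("key", "")):
        hits.append("persistence:run-key")
    elif kind == "process_enum" and SANDBOX_PROBES & set(event.get("targets", [])):
        hits.append("evasion:sandbox-probe")
    return hits


def assess_host(events: list[dict]) -> tuple[str, list[str]]:
    """Aggregate hits for one host into a verdict of "clean", "review" or "alert".

    A mutex hit is specific enough to alert on its own. Otherwise two or more
    independent categories are required; the User-Agent is the stock IE11
    string, so it only corroborates and is excluded from that count.
    """
    hits = sorted({h for e in events for h in match_event(e)})
    strong = [h for h in hits if h.startswith("mutex:")]
    independent = {h.split(":")[0] for h in hits if h != "c2:user-agent"}
    if strong or len(independent) >= 2:
        return "alert", hits
    if hits:
        return "review", hits
    return "clean", hits


# Constructed sample telemetry (not real captures). 203.0.113.5 is a TEST-NET address.
SAMPLE_EVENTS = {
    "host-a": [
        {"type": "file", "op": "write", "path": r"C:\Users\ana\AppData\Local\Temp\q7x2k.dll"},
        {"type": "registry", "op": "set",
         "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"},
        {"type": "net", "dst_ip": "191.252.0.10", "dst_port": 8080, "user_agent": USER_AGENT},
    ],
    "host-b": [
        {"type": "net", "dst_ip": "203.0.113.5", "dst_port": 443, "user_agent": USER_AGENT},
    ],
    "host-c": [
        {"type": "mutex", "name": "GlobalJoaoInstance"},
    ],
}

if __name__ == "__main__":
    for host, events in SAMPLE_EVENTS.items():
        verdict, hits = assess_host(events)
        print(f"{host}: {verdict} {hits}")
```

In practice the events would come from an EDR or Sysmon pipeline rather than an inline dictionary; the point of the two-tier verdict is that a single generic artefact (a common User-Agent, one Run key write) goes to a review queue, while the combination of drop, persistence and port 8080 beaconing described on this page, or either of the named mutexes, is escalated immediately.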
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.