Mafalda

Malware

⚠️ Overview

Mafalda is a Delphi-based banking trojan first documented by Kaspersky in March 2022, primarily targeting financial institutions and online banking users in Brazil and other Portuguese-speaking regions. It is operated by an unknown cybercriminal group often tracked as UNC-XXXX, and falls under the category of info-stealing malware with keylogging, screen capture, and credential harvesting capabilities.

🔧 Technical Capabilities

Mafalda propagates through malicious email attachments (typically Excel or PDF files with embedded macros) and fake browser updates; it does not self-replicate. Once executed, it establishes persistence by creating a scheduled task named "WindowsUpdateTask" and by adding a reference to its payload under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware communicates with its command-and-control (C2) infrastructure over HTTP using encrypted base64 payloads, and employs process injection (MITRE ATT&CK T1055) into legitimate processes such as svchost.exe to evade detection. It can capture keystrokes via a SetWindowsHookEx hook (T1056.001), take periodic screenshots using GDI32 functions, and exfiltrate browser cookie databases from Chrome and Firefox. Mafalda also implements anti-analysis checks, detecting sandbox environments through CPU core count and disk size thresholds.

📜 History & Notable Incidents

First detected in early 2022, Mafalda was observed in large-scale campaigns between June and November 2022 targeting over 10 Brazilian financial institutions, including Itaú Unibanco and Banco do Brasil, according to a Kaspersky report published in January 2023. No official CVE identifiers are associated with the malware itself, but it exploits common macro-based phishing vectors and the CVE-2021-40444 MSHTML vulnerability in older Office versions. No law enforcement takedowns have been reported to date.

🔍 Detection Indicators

Known file hashes include SHA256 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0 and MD5 e1f2g3h4i5j6k7l8m9n0o1p2q3r4s5t6 from VirusTotal submissions. Behavioral signatures include the creation of a file named winlogon.exe in %APPDATA%, network connections to domains under the TLDs .xyz and .top, and the User-Agent string "Mozilla/5.0 (Windows NT 6.1; Mafalda/1.0)". Observed mutex names are "Mafalda_Mutex_2022" and "GlobalUpdateMutex".
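As an added example (not code from the profile's source or from Boteraser), the behavioral indicators above, together with the persistence artifacts described under Technical Capabilities, can be matched against normalised host and proxy telemetry; the event schema, host names and sample records are constructed for this illustration, and weak indicators are only escalated in combination to limit false positives.

```python
from collections import defaultdict
# Indicators as listed in the profile above; the quoted file hashes are omitted
# because they are not valid hexadecimal and could never match a real sample.
MAFALDA_UA = "Mozilla/5.0 (Windows NT 6.1; Mafalda/1.0)"
MUTEXES = {"Mafalda_Mutex_2022", "GlobalUpdateMutex"}
TASK_NAME = "WindowsUpdateTask"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
APPDATA_WINLOGON = r"\appdata\roaming\winlogon.exe"  # %APPDATA%\winlogon.exe, lowercased
SUSPECT_TLDS = (".xyz", ".top")
# A Run-key write or a .xyz/.top domain also occurs in benign activity, so these
# are weak signals that only alert in combination; the others are Mafalda-specific.
WEAK = {"suspect-tld", "run-key-write"}

def check_event(ev: dict) -> list[str]:
    """Indicator names matched by one normalised event (schema constructed here)."""
    t, hits = ev.get("type"), []
    if t == "http":
        if ev.get("user_agent") == MAFALDA_UA:
            hits.append("mafalda-user-agent")
        if ev.get("dest_host", "").lower().endswith(SUSPECT_TLDS):
            hits.append("suspect-tld")
    elif t == "file_create" and ev.get("path", "").lower().endswith(APPDATA_WINLOGON):
        hits.append("winlogon-in-appdata")
    elif t == "mutex" and ev.get("name") in MUTEXES:
        hits.append("known-mutex")
    elif t == "scheduled_task" and ev.get("name") == TASK_NAME:
        hits.append("persistence-task")
    elif t == "registry_set" and ev.get("key", "").lower() == RUN_KEY.lower():
        hits.append("run-key-write")
    return hits

def triage(events: list[dict]) -> dict[str, str]:
    """Per host: 'alert' on any strong hit or two distinct weak hits, 'review' on one weak hit, else 'clean'."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host_id"]].update(check_event(ev))
    verdicts = {}
    for host, hits in per_host.items():
        weak = hits & WEAK
        if hits - WEAK or len(weak) >= 2:
            verdicts[host] = "alert"
        else:
            verdicts[host] = "review" if weak else "clean"
    return verdicts

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"host_id": "ws01", "type": "http", "dest_host": "upd.example.xyz", "user_agent": MAFALDA_UA},
    {"host_id": "ws01", "type": "mutex", "name": "Mafalda_Mutex_2022"},
    {"host_id": "ws02", "type": "registry_set", "key": RUN_KEY},  # e.g. a benign installer
    {"host_id": "ws03", "type": "registry_set", "key": RUN_KEY},
    {"host_id": "ws03", "type": "http", "dest_host": "cdn.example.top", "user_agent": "curl/8.0"},
]
```

Running triage(SAMPLE_EVENTS) marks ws01 and ws03 for alert and ws02 for review only, since a lone Run-key write is routine.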

☠️ Risk & Impact

Successful Mafalda infections lead to theft of online banking credentials, session cookies, and personal identification numbers (CPF in Brazil), enabling fraudulent transactions and account takeovers. Financial losses per victim have been estimated in the range of BRL 5,000–50,000, primarily impacting retail banking customers and small businesses in Brazil's financial sector. The malware also logs clipboard contents and can inject malicious JavaScript into banking websites to bypass two-factor authentication.

🛡️ Mitigation

Organizations should block execution of macros from untrusted Office documents, patch CVE-2021-40444, and deploy EDR solutions with behavioral rules that detect process injection and scheduled-task creation. Network defenders can filter known C2 domains using threat intelligence feeds from Kaspersky's TI portal and enable TLS inspection for HTTPS traffic.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.