Javali

Malware Profile Updated 3 months ago
Javali is a multistage malware family that has been active since November 2017, primarily targeting customers of financial institutions in Portuguese- and Spanish-speaking countries, with a particular focus on Brazil and Mexico. Part of a group of banking trojans that includes Guildma, Melcoz, and Grandoreiro, Javali is an example of a Brazilian banking operation expanding its attacks abroad. It distributes its initial payload via phishing emails, either as an attachment or as a link to a website, and uses allowlisted and signed binaries, Microsoft Installer (MSI) files, and DLL hijacking to infect victims en masse while filtering its targets by country.

On February 26, 2024, cybersecurity researchers warned about a spike in email phishing campaigns abusing the Google Cloud Run service to deliver banking trojans such as Astaroth (aka Guildma), Mekotio, and Ousaban (aka Javali) across Latin America and Europe. Notably, the Grandoreiro malware family, which includes strains such as Javali, Casbaneiro, Mekotio, and Grandoreiro itself, has been active for years. These families share a lineage: a Delphi-based ancestor from which source code components have been passed down and modified across generations.

The widespread success of these attacks can be attributed to a lack of user awareness of phishing and malware threats, which results in a larger number of victims who unknowingly click and are infected. As the general population becomes more upwardly mobile, the pool of potential victims grows. Javali, along with other variants, has evaded detection by using modular installers and by adopting third-party libraries such as IndyProject for communication with its C2 servers. After deobfuscation, Javali was found to be specifically looking for Mexican bank customers.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Grandoreiro (4 votes): Grandoreiro is a malicious software (malware) that forms part of a Brazilian banking operation targeting banks worldwide. This malware, along with Guildma, Javali, and Melcoz, represents an expanding threat from Brazil that has begun to impact other countries. Grandoreiro infiltrates systems through
Ousaban (1 vote): Ousaban is a malicious software, or malware, specifically a banking trojan developed primarily in Delphi. This harmful program is designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites without the user's knowledge. Once inside, Ousaban
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
Payload
Banking
Europe
Google
Trojan
Brazil
Associated Malware
Astaroth (type: Unspecified, 1 vote): Astaroth, a malicious software (malware), has been identified as a significant threat due to its highly developed evasive skills and information stealing capabilities. This malware infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it
Melcoz (type: Unspecified, 1 vote): None
Mispadu (type: Unspecified, 1 vote): Mispadu is a malicious software (malware) that has been used to exploit and damage computer systems, often infiltrating the system through suspicious downloads, emails, or websites. It was first uncovered by Eset in 2019, who detailed its theft of money and credentials from Spanish- and Portuguese-s
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Javali malware was read from the documents corpus below. This display is limited to 20 results.
CERT-EU, 5 months ago: Banking Trojans Target Latin America and Europe Through Google Cloud Run
InfoSecurity-magazine, 9 months ago: New Grandoreiro Malware Variant Targets Spain
DARKReading, 9 months ago: Hola Espana: 'Grandoreiro' Trojan Targets Global Banking Customers
CERT-EU, 9 months ago: From Copacabana to Barcelona: The Cross-Continental Threat of Brazilian Banking Malware | Proofpoint US
MITRE, a year ago: The Tetrade: Brazilian banking malware goes global
CERT-EU, a year ago: Over 90K credentials stolen by Mispadu trojan in LatAm attacks