The Guildma malware’s activity was first spotted back in 2015. This threat is a very well-crafted spyware toolkit. At first, the authors of the Guildma toolkit concentrated their operations in Brazil only. However, at some point, the creators of the Guildma malware decided to launch more ambitious campaigns going after targets worldwide. The threat was originally programmed to function only against Brazilian banking institutions, but once its creators decided to expand their reach, 130 more banking portals worldwide were added to the Guildma malware’s target list.

Propagation Method

The Guildma threat appears to be distributed mostly via spearphishing campaigns. The attackers use a PHP script to automate the sending of mass spam emails to a long list of email addresses. The authors of the Guildma malware seem to be using either hijacked or rented servers from which they send the spam emails. The messages are crafted carefully to convince the user to open the attached malicious file. To make the emails seem more legitimate and trick the user into thinking that the attachment is an important document they need to review, the attackers often disguise it as information about a job opportunity, a tax-related report, a government paper, etc. A report issued by a popular cybersecurity company states that in 2019 alone, the Guildma malware tried to infiltrate over 150,000 users globally.

The Guildma malware can serve as a RAT (Remote Access Trojan), an infostealer, a spyware tool and a banking Trojan. This goes to show how flexible the Guildma malware is and how threatening it can be. When the Guildma malware compromises a host successfully, its activity can be triggered by various factors. This threat monitors the user’s activity and acts accordingly. For example, the Guildma threat keeps an eye out for the victim accessing a banking portal that is on this malware’s target list. However, the Guildma malware does not target finance-related services only. This nasty threat looks for any information it can get and uses a variety of ways to collect it – harvesting login credentials, gathering data from autofill forms, and even taking screen captures of the desktop and open tabs. The Guildma malware also targets Netflix, Amazon, Facebook, and other popular services, and attempts to collect the victim’s login credentials for them. One method the Guildma malware uses is closing the user’s Web browser tab so that the victim has to open it again and enter their login credentials once more, which lets the attackers capture them. This threat also keeps an eye out for FTP clients, as well as mail clients. Since the Guildma malware can also serve as a RAT, it allows the attackers to plant additional malware on the compromised host, which further weaponizes this threat.

The authors of the Guildma malware keep upgrading this hacking tool and making it even more powerful. This malware is now a threat to users worldwide, and you should be very wary of suspicious emails from unknown sources. Furthermore, make sure you keep all your applications up to date and look into obtaining an anti-virus solution that will keep your system secure.
