NFe-RAT: Inside a Live Brazilian Banking Trojan Operation Targeting 11 Financial Institutions
Published: 2026-03-08 | Author: Breakglass Intelligence | Tags: banking trojan, Brazil, AllaSenha, CarnavalHeist, RAT, threat intelligence
TL;DR
We obtained root access to the C2 relay infrastructure of an active Brazilian banking RAT and monitored live victim connections across five Brazilian states over a 5+ hour window. The malware -- which we designate NFe-RAT -- is a confirmed evolution of the AllaSenha/CarnavalHeist family, delivering a Delphi-compiled banking trojan via a six-stage attack chain that culminates in fileless reflective DLL injection. The RAT targets 11+ Brazilian financial institutions with bank-specific credential overlay modules, and one confirmed victim was a healthcare facility running exposed DICOM medical imaging infrastructure.
A Medical Facility Among the Victims
The most alarming finding from this investigation is not the malware itself but who it has already compromised. During live monitoring of the C2 relay, we observed 7 unique victim IPs beaconing to the threat actor's infrastructure. The most active victim -- responsible for over 80 connections in 30 minutes -- was IP 177.154.164.194 in Vila Velha, Espirito Santo. Shodan records for this host reveal an open DICOM port (11112), the standard protocol for medical imaging systems. This host likely belongs to a healthcare facility, meaning the NFe-RAT infection creates a dual-risk scenario: banking credential theft via the RAT's overlay modules, and potential exposure of patient medical imaging data under Brazil's LGPD data protection law.
All seven victims are residential broadband subscribers across five Brazilian states (Espirito Santo, Ceara, Paraiba, Minas Gerais, and Rio de Janeiro). None appeared in any public threat intelligence feeds prior to this report -- all are freshly compromised endpoints.
Attribution: AllaSenha Evolves
NFe-RAT is not a novel malware family. It is a confirmed direct descendant of AllaSenha (documented by HarfangLab in 2024) and CarnavalHeist (documented by Cisco Talos in 2024). The evidence is not circumstantial -- it is structural:
| Attribute | AllaSenha (2024) | NFe-RAT (2026) | Match |
|---|---|---|---|
| Internal DLL name | Access_PC_Client_dll.dll | Access_PC_Client_dll.dll | Exact |
| Loader DLL name | executor.dll | executor.dll | Exact |
| Infection chain | Python + PythonMemoryModule + DLL | Python + PythonMemoryModule + DLL | Exact |
| Payload format | Pickle5 serialized dict | Pickle5 protocol 4 dict | Exact |
| C2 beacon | pyCodeV10 - *NEWW* {host}\|{ver}\|{proc} | pyCodeV1 - {host}\|{ver}\|{priv} | Protocol family |
| Command delimiters | <\|COMMAND\|> | <\|COMMAND\|> | Exact |
| Compiler | Delphi XE5 / 10.4 | Delphi XE5 | Match |
| C2 hosting | Azure BrazilSouth | Azure BrazilSouth | Exact |
| Build path user | bert1m | xxb3xx (machine user: maria) | Different operator |
The different operator username and DGA mechanism (Dynu DDNS vs. Azure subdomains) point to either a Malware-as-a-Service model or source code sharing within the Brazilian cybercrime ecosystem. The build path C:\Users\maria\Desktop\Driver\Trampo 2025\kl Delphi\ -- where "Trampo" is Portuguese slang for "hustle" -- confirms a sustained criminal operation. None of the file hashes appear in any public threat intelligence database.
The Six-Stage Attack Chain
NFe-RAT reaches victim machines through a carefully engineered multi-stage delivery pipeline, each stage designed to evade a different layer of defense.
Stage 0: Phishing Page
The campaign impersonates Brazil's Nota Fiscal Eletronica (NF-e) electronic tax invoice system via nfe-pdf[.]shop (registered 2026-02-28, Cloudflare-proxied). The Portuguese-language page branded "Portal de Documentos" implements OS gating (Windows-only), browser gating (blocks Firefox -- search-ms: requires Chromium), anti-bot checks (mouse movement >3px with isTrusted verification), and click tracking via contar-acesso.php and cliques.php.
Stage 1: search-ms: Protocol Abuse (T1204.001)
Clicking "Visualizar Nota Fiscal" invokes search-ms: to open a WebDAV share over HTTPS (@SSL), disguised as the user's "Downloads" folder using CLSID {2227A280-3AEA-1069-A2DE-08002B30309D}. The victim sees what appears to be a PDF.
Stage 2: Weaponized .lnk (T1204.002)
The .lnk file (NF410296447634.pdf.lnk) uses the Edge icon and pads its target field with 45+ digits of numeric noise to hide the real command in Properties dialogs. The actual payload fetches a .bat downloader from the sister domain notas-pdf[.]shop via WebDAV. The .lnk leaks an attacker machine SID: S-1-5-21-2526624856-4161533469-3970102354-1001.
Stage 3: Batch Downloader (T1059.003)
The .bat creates a decoy PDF ("Documento Fiscal") for social engineering, derives a unique machine ID (NM) from the computer name via base64, downloads the official Python 3.12.5 embedded (32-bit) from python.org, renames pythonw.exe to {NM}.exe for process camouflage, and executes an embedded base64 Python stager.
Stage 4: Python Stager with DGA (T1059.006, T1568.002)
The stager implements a date-seeded Domain Generation Algorithm producing three .ddnsfree.com domains per day, plus a port generation algorithm producing ten ports per day -- creating 30 possible (domain, port) connection targets selected at random each attempt.
DGA domain algorithm (simplified, as recovered from the stager):

```python
di = day_of_month + weekday
char = 'rstuvxzwkyjlmnopqabcghjlabcdefghijlmnopq'[di]
# SHA1 hash seeded with date components, repeated 10x, truncated to 48 chars
domain = f"{truncated_hash}.ddnsfree.com"
```

Port algorithm (ten ports per day, one per multiplier x = 60, 64, ..., 96):

```python
ports = [int(str(int(DDMMYYYY * x))[:4]) for x in range(60, 100, 4)]
```
The stager includes a Broadwell CPU sandbox check (T1497.001) -- if the processor name contains "Broadwell", execution halts, as this string is common in cloud VM processor descriptions.
Upon connecting, the stager sends the beacon pyCodeV1 - {hostname} | {os_version} | {cpu_name} and receives a 4.8MB pickle payload via raw TCP.
Stage 5: CodePy Loader (T1547.001, T1620)
The pickle payload (protocol 4) contains three keys:
| Key | Content | Size |
|---|---|---|
| CodePy | Python loader script | 4,508 bytes |
| file | Password-protected ZIP (executor.dll) | ~2.5 MB |
| file2 | Password-protected ZIP (PythonForWindows framework) | ~2.9 MB |
ZIP password: Snh2301**Snh2301**
The CodePy loader establishes persistence by double-base64 encoding the stager into {NM}.txt and creating a registry Run key at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{NM_reversed}. It then extracts the PythonForWindows toolkit and uses pmm.MemoryModule for reflective DLL injection of the final payload.
Stage 6: executor.dll -- The Banking RAT (T1055, T1056.001)
The final payload is a 2.6MB Delphi-compiled DLL (Access_PC_Client_dll.dll) loaded entirely in memory -- no PE is written to disk (T1620). The specimen analyzed was compiled on 2026-03-03 at 12:26:48 UTC, just hours before our investigation began.
The loader spawns 50 threads attempting DLL injection with 60-second timeouts and 2-second delays between attempts, a brute-force approach to ensure the RAT loads despite potential race conditions.
RAT Capabilities: Full Banking Fraud Toolkit
The executor.dll command protocol uses <|COMMAND|> delimiters over TCP. Analysis of the DLL's strings reveals a comprehensive remote access and banking fraud toolkit.
Bank-Specific Credential Overlays
Beyond standard remote desktop, mouse/keyboard control, and screen capture capabilities, the RAT's primary purpose is bank-specific credential theft.
The RAT contains dedicated overlay modules targeting 11+ Brazilian financial institutions. These are not generic phishing forms -- each module is tailored to the specific bank's authentication flow:
| Target Institution | Commands | Credential Types |
|---|---|---|
| Banco do Brasil | BB-PASS6, BB-PASS8, BB-PROCURADOR, BB-AMARELO, BB-AZUL | 6/8-digit passwords, proxy auth, yellow/blue token |
| Itau | ITAU-SNH-ENTRADA, ITAU-SNH-CARTAO, ITAU-TK-CHAVEIRO, ITAU-TK-SMS, ITAU-TK-APP | Entry password, card password, keychain/SMS/app tokens |
| Bradesco | ASS-BLUE, ASS-BLUE-PJ | Digital signature (personal and business) |
| Santander | ASS-SANTA, STN-6DG | Signature, 6-digit code |
| Banco Safra | SAFRA-DADOS | Full credentials |
| Sicredi | SICREDI-TOKEN-CELULAR, SICREDI-TOKEN-CHAVEIRO | Mobile/keychain tokens |
| Sicoob | SICOOB-SNH6 | 6-digit password |
| Unicred | UNICRED-ASS, UNICRED-TKN | Signature, token |
| Banrisul | DESCO-TKCHAVEIRO, DESCO-TKAPP, DESCO-PISCA | Keychain/app/blinking tokens |
| PIX (all banks) | QRCODE, QR-CONFIRMADO | QR code capture for instant payments |
The command <|FECHAR-ANYDESK|> (Kill AnyDesk) is a notable anti-remote-support mechanism -- it prevents IT staff from remotely connecting to investigate while the operator controls the machine.
Infrastructure: Disposable Relay Architecture
The threat actor operates behind residential CGNAT in Uberlandia, Minas Gerais (ALGAR TELECOM, AS16735), with zero internet-facing attack surface. All victim traffic routes through a disposable Azure VM (Standard_D2s_v3, Brazil South) functioning as a pure SSH reverse tunnel relay -- no C2 software touches the relay disk.
The VM was provisioned the same day (09:24 UTC) and configured via scripted setup in under 10 seconds: enable PermitRootLogin, enable GatewayPorts, set root password. No iptables rules, no SSH keys, no bash history, no software beyond base Ubuntu 24.04. The C2 application runs on port 22447 on the attacker's machine (identified via sshd heap memory analysis), forwarding through 10 daily-rotating DGA ports.
Threat Actor Profile
| Field | Value |
|---|---|
| Username | xxb3xx |
| Real IP | 189.37.69.81 |
| Location | Uberlandia, Minas Gerais, Brazil |
| ISP | ALGAR TELECOM S/A (AS16735) |
| Connection | Residential broadband, behind CGNAT |
| Build machine user | maria |
| Dev environment | Delphi XE5, x86 target |
| Password (reused everywhere) | Snh2301**Snh2301** (Azure root, user account, both ZIP payloads) |
| OPSEC | Poor -- no VPN, build path in binary, full credential reuse |
During our 5+ hour monitoring window, the operator reconnected three times at ~90-minute intervals, demonstrating sustained operational tempo.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique | NFe-RAT Implementation |
|---|---|---|---|
| Initial Access | T1566.002 | Spearphishing Link | NF-e tax invoice phishing page |
| Execution | T1204.001 | Malicious Link | search-ms: protocol handler abuse |
| Execution | T1059.003 | Windows Command Shell | .bat downloader with certutil |
| Execution | T1059.006 | Python | Stager, CodePy loader, pickle exec() |
| Persistence | T1547.001 | Registry Run Key | HKCU\...\Run\{NM_reversed} |
| Defense Evasion | T1620 | Reflective Code Loading | PythonMemoryModule (pmm) |
| Defense Evasion | T1055.001 | DLL Injection | CreateRemoteThread + VirtualAllocEx |
| Defense Evasion | T1036.005 | Match Legitimate Name | pythonw.exe renamed to {NM}.exe |
| Defense Evasion | T1027.002 | Software Packing | Double-base64, pickle serialization, UPX |
| Defense Evasion | T1564.001 | Hidden Files | %PROGRAMDATA%\{NM}\ set hidden |
| Defense Evasion | T1497.001 | Sandbox Evasion | "Broadwell" CPU string check |
| Discovery | T1082 | System Information Discovery | Registry fingerprinting (CPU, OS) |
| Credential Access | T1056.001 | Keylogging | PUXAR-TECLAS/TECLAS commands |
| Credential Access | T1555.003 | Credentials from Web Browsers | Bank-specific overlay attacks |
| Collection | T1113 | Screen Capture | Desktop/VIDEO/RENDERIZAR commands |
| C2 | T1568.002 | Domain Generation Algorithm | Date-seeded SHA1, *.ddnsfree.com |
| C2 | T1571 | Non-Standard Port | 10 daily rotating ports |
| C2 | T1572 | Protocol Tunneling | SSH reverse tunnel relay |
| Impact | T1529 | System Shutdown/Reboot | cmd /c shutdown -s -t 0 |
Defensive Recommendations
Network Detection
- Block DGA pattern: Alert on DNS queries matching `[a-f0-9]{40,}.ddnsfree.com`. The NFe-RAT DGA produces 48-character hex strings as subdomains of ddnsfree.com.
- Block search-ms: over WebDAV: Monitor for outbound WebDAV connections triggered by `search-ms:` protocol handler invocations containing `@SSL` in the URL. Consider disabling the `search-ms:` URI handler via Group Policy for users who do not require it.
- Monitor Python embedded downloads: Alert on downloads of `python.org/ftp/python/*/python-*-embed-win32.zip` from workstation subnets, particularly when followed by process execution from `%PROGRAMDATA%`.
- Pickle payload detection: The C2 payload begins with `\x80\x04\x95` (pickle protocol 4 header). IDS rules matching this byte sequence on non-standard ports can catch payload delivery.
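As an added defender-side example (not tooling from the report or the malware), the following Python applies the three network indicators above to constructed DNS log lines and TCP stream prefixes; the `<client> <qname>` log format and all sample values are assumptions.

```python
import re
from typing import List, Tuple

# Network indicators from the report above: the DGA yields 40+ (48 in the
# wild) hex characters as a direct subdomain of ddnsfree.com, the C2 payload
# is a protocol-4 pickle, and the beacon line starts with "pyCodeV1".
DGA_RE = re.compile(r"^([a-f0-9]{40,})\.ddnsfree\.com\.?$", re.IGNORECASE)
PICKLE_V4_HEADER = b"\x80\x04\x95"   # PROTO 4 followed by the FRAME opcode
BEACON_PREFIX = b"pyCodeV1"

def classify_dns(qname: str) -> str:
    """Return 'dga' for names of the NFe-RAT DGA shape, otherwise 'ok'."""
    return "dga" if DGA_RE.match(qname.strip()) else "ok"

def scan_dns_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) pairs for constructed '<client> <qname>' lines
    whose query matches the DGA pattern."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and classify_dns(parts[-1]) == "dga":
            hits.append((parts[0], parts[-1]))
    return hits

def pickle_frame_length(data: bytes) -> int:
    """Protocol-4 pickles open with PROTO 4 and a FRAME opcode carrying an
    8-byte little-endian length; return it, or -1 if the header is absent."""
    if not data.startswith(PICKLE_V4_HEADER) or len(data) < 11:
        return -1
    return int.from_bytes(data[3:11], "little")

def classify_tcp_payload(data: bytes) -> str:
    """Label the first bytes of a TCP stream: 'beacon' (victim -> C2),
    'pickle4' (C2 -> victim payload), or 'ok'."""
    if data.startswith(BEACON_PREFIX):
        return "beacon"
    if pickle_frame_length(data) >= 0:
        return "pickle4"
    return "ok"

# Constructed sample traffic, not captured data.
SAMPLE_DNS_LOG = [
    "10.0.0.12 www.python.org",
    "10.0.0.12 " + "3f" * 24 + ".ddnsfree.com",   # 48-char hex label
    "10.0.0.40 mail.ddnsfree.com",                 # ordinary Dynu hostname
]
SAMPLE_BEACON = b"pyCodeV1 - WKSTN-07 | 10.0.19045 | Intel(R) Core(TM) i5"
SAMPLE_PICKLE = PICKLE_V4_HEADER + (4_800_000).to_bytes(8, "little") + b"}"

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS_LOG))
    print(classify_tcp_payload(SAMPLE_BEACON), classify_tcp_payload(SAMPLE_PICKLE))
```

The frame length is worth logging alongside the header match: a multi-megabyte FRAME arriving on a high port right after a `pyCodeV1` beacon is the payload delivery described in Stage 4.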
Endpoint Detection
- Registry persistence: Monitor creation of Run keys where the value name is a reversed base64 string pointing to an executable in `%PROGRAMDATA%` paired with a `.txt` argument file.
- Process lineage: Alert on `pythonw.exe` (or renamed copies) executing from `%PROGRAMDATA%\{random}\` directories, especially when the parent process is `cmd.exe` launched from a `.lnk` file.
- File artifacts: The decoy file `%USERPROFILE%\downloads\NotaFiscal.pdf` containing only the text "Documento Fiscal" is a strong indicator.
- DLL reflective loading: Monitor for `pmm.MemoryModule` imports and in-memory DLL loading without corresponding disk writes.
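Added example, not the report's own tooling: Python heuristics for the Run-key and process-lineage indicators above. The `recover_nm` helper (a hypothetical name) undoes the reversed-base64 value name so an analyst can confirm it decodes to the host's computer name; the Run entries, hostname and process paths are constructed.

```python
import base64
import binascii
import re
from typing import Dict, Optional

# Host indicators from the report above: value name = reversed base64 of the
# computer name (NM), command = %PROGRAMDATA%\{NM}\{NM}.exe with a .txt
# argument, and the renamed pythonw.exe spawned by cmd.exe.
RUN_CMD_RE = re.compile(
    r"(?:%PROGRAMDATA%|C:\\ProgramData)\\([^\\\s]+)\\\1\.exe\b.*\.txt\b", re.I)
IMAGE_RE = re.compile(
    r"(?:%PROGRAMDATA%|C:\\ProgramData)\\([^\\\s]+)\\([^\\\s]+)\.exe$", re.I)

def recover_nm(value_name: str) -> Optional[str]:
    """Reverse the Run value name and base64-decode it. A clean decode to
    printable ASCII (ideally the host's own computer name) is the tell;
    returns the decoded text or None."""
    s = value_name[::-1].strip("=")
    s += "=" * (-len(s) % 4)
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None

def audit_run_keys(entries: Dict[str, str]) -> Dict[str, str]:
    """Map each flagged Run value name to the computer name recovered from it."""
    flagged = {}
    for name, command in entries.items():
        decoded = recover_nm(name)
        if decoded and RUN_CMD_RE.search(command):
            flagged[name] = decoded
    return flagged

def suspicious_lineage(image: str, parent_image: str) -> bool:
    """True for pythonw.exe, or a renamed copy whose folder and file stem
    match, running under %PROGRAMDATA% with cmd.exe as the parent."""
    m = IMAGE_RE.search(image)
    if not m or not parent_image.lower().endswith("\\cmd.exe"):
        return False
    folder, stem = m.group(1).lower(), m.group(2).lower()
    return stem == "pythonw" or stem == folder

# Constructed sample data (hostname, paths and the benign entry are made up).
SAMPLE_NM = base64.b64encode(b"DESKTOP-1").decode()        # "REVTS1RPUC0x"
_NM_PATH = f"%PROGRAMDATA%\\{SAMPLE_NM}\\{SAMPLE_NM}"
SAMPLE_RUN_KEYS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    SAMPLE_NM[::-1]: f"{_NM_PATH}.exe {_NM_PATH}.txt",
}

if __name__ == "__main__":
    print(audit_run_keys(SAMPLE_RUN_KEYS))
```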
Organizational Controls
- Disable search-ms: handler on endpoints that do not require it.
- Block Dynu DDNS (`*.ddnsfree.com`, `*.dynu.com`) at the DNS resolver level.
- Educate Brazilian operations staff about NF-e phishing -- the lure targets a routine business document that every Brazilian company handles.
- Deploy Snort/Suricata rules for the beacon string `pyCodeV1` combined with `*NEWW*` on any TCP port.
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| IP | 20.195.216.43 | C2 relay (Azure Brazil South) |
| IP | 189.37.69.81 | Threat actor real IP (ALGAR TELECOM, Uberlandia MG) |
| Domain | nfe-pdf[.]shop | Primary phishing domain |
| Domain | notas-pdf[.]shop | Sister phishing domain |
| Domain | nfe-informativo[.]com | Backup C2 domain (currently parked) |
| DGA | *.ddnsfree.com | C2 DGA domains (48-char hex subdomain) |
| Port | 22447 | C2 application port on attacker machine |
| URL | hxxps://nfe-pdf[.]shop/nota-eletronica-emitida/ | Phishing landing page |
| URL | hxxps://nfe-pdf[.]shop/NotaFiscal/ | WebDAV .lnk delivery |
| URL | hxxps://notas-pdf[.]shop/dv/ | WebDAV .bat delivery |
File Indicators
| Indicator | Type | Description |
|---|---|---|
| de68f6917d949e086819e69609a8d028747522ae175b16022db84baeffef367d | SHA256 | executor.dll (extracted RAT DLL) |
| 474477f18defcd63f6b5ac45a534fcf4 | MD5 | executor.dll |
| 701278d1e19b753f81d42c604e454d1b5c9dd2cf822f2e223ab9f6b10e755ee8 | SHA256 | Embedded PE (UPX-packed inner DLL) |
| 1211ecd49405c6069ddad78cd393339b527fac58803ba2bf0d57205cc994746d | SHA256 | Embedded PE (unpacked banking RAT core) |
| e968533a5de9695c043cf3261dc24f0151b8fc00b64e5ed9f93ece6306305cc2 | SHA256 | NF410296447634.pdf.lnk |
| 7846c3b77177481b6cfbb450f14552d77c60c23faf2546a49445b9ba68559cff | SHA256 | C2 pickle payload |
| 7b673e3f3b0390f8d21fc7b8e4f8e8814b34292d561f2b1c14e28003e5907066 | SHA256 | executor.dll ZIP (compressed) |
| 935d0a854d8f55b5a96bca0bb40ed9b0c0527dec5199e9b47a5d78dc82a8e2fd | SHA256 | PythonForWindows ZIP (file2) |
Host Artifacts
| Indicator | Type | Description |
|---|---|---|
| %PROGRAMDATA%\{NM}\{NM}.exe | File | Renamed pythonw.exe 3.12.5 (x86) |
| %PROGRAMDATA%\{NM}\{NM}.txt | File | Double-base64 encoded stager |
| %PROGRAMDATA%\{NM}\pmm\ | Directory | PythonMemoryModule framework |
| %USERPROFILE%\downloads\NotaFiscal.pdf | File | Decoy document ("Documento Fiscal") |
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{NM_reversed} | Registry | Persistence key |
| Access_PC_Client_dll.dll | String | Internal DLL name (in-memory only) |
| S-1-5-21-2526624856-4161533469-3970102354-1001 | SID | Attacker build machine SID in .lnk |
Behavioral Signatures
| Indicator | Description |
|---|---|
| pyCodeV1 - *NEWW* | C2 beacon prefix on TCP |
| Snh2301**Snh2301** | ZIP password / credential (all systems) |
| Broadwell CPU check | Sandbox evasion string |
| <\|PRINCIPAL\|>, <\|SENHA\|> | RAT command protocol delimiters |
Conclusion
NFe-RAT represents the ongoing evolution of Brazil's most prolific banking trojan lineage. While the underlying code traces back through AllaSenha, CarnavalHeist, KL Gorki, and ultimately the open-source AllaKore RAT, the 2026 variant demonstrates continued active development: same-day compilation, a DGA mechanism not seen in prior variants, and an expanded target list now covering 11+ financial institutions including PIX QR code capture.
The operator's OPSEC is poor -- password reuse across every system, no VPN, build paths leaked in binaries, and an Azure subscription traceable through Microsoft's records. But the malware architecture is pragmatic and effective: a six-stage delivery chain with anti-analysis at every stage, fileless final execution via reflective DLL injection, and disposable relay infrastructure that can be burned and rebuilt in under 10 minutes.
The different operator identifiers between AllaSenha ("bert1m") and NFe-RAT ("xxb3xx") suggest this malware has moved beyond a single developer. Whether through a Malware-as-a-Service model, source code sales, or a broader affiliate program, the AllaSenha/KL Gorki builder toolkit is now in the hands of multiple operators -- and none of the current campaign's IOCs were present in any public threat intelligence database at the time of this investigation.
For Brazilian financial institutions and their customers, the threat is immediate and ongoing. The C2 infrastructure was fully operational during the entire investigation, and the threat actor demonstrated sustained operational tempo with tunnel reconnections every 90 minutes. The compromise of a healthcare facility with exposed DICOM infrastructure underscores that the blast radius of these campaigns extends well beyond banking fraud.
Investigation conducted 2026-03-03. C2 relay monitored with root access for 5+ hours. All IOCs were live at time of analysis. This report contains the first public documentation of these samples.
References: HarfangLab -- AllaSenha | Cisco Talos -- CarnavalHeist | Malpedia -- AllaSenha