Skip to main content

Home Guildma


Also known as: Astaroth

Category: Malware

Type: Banking trojan, information stealer

Platform: Windows


Damage potential: Data exfiltration, unauthorized access to accounts, financial loss, identity theft


Guildma, also known as Astaroth, is a banking trojan. It initially targeted users in Brazil, but hackers extended its reach to North America and Europe over time.

Guildma can extract sensitive information from various platforms (such as banking services, online shopping websites, email accounts, and streaming services), take screenshots, and log keystrokes. In addition to its information stealing capabilities, Guildma can download and execute files and emulate keyboard and mouse input.

Guildma attacks are orchestrated via command and control (C&C) servers, so the trojan sends the stolen information to those servers, allowing attackers to make fraudulent transactions.

Possible symptoms

Guildma operates stealthily, so the most obvious signs of infection will be unauthorized access to your accounts or suspicious transactions. More implicit signs are often related to system behavior, such as:

  • Sluggish system performance or frequent crashes.
  • Unexpected restarts.
  • Increased network activity.
  • Changes in browser behavior, like unfamiliar changes in browser settings or pop-ups appearing more often than usual.
  • Disabled keyboard shortcuts (such as Alt + F4, which is used to close pop-ups).

Sources of the infection

Phishing emails with malicious files is the primary source of infection for this trojan. These malicious files might range from fake invoices to delivery information, and they might come in various formats (such as PDF or Microsoft Office documents, executable files, etc).

Additionally, attackers can use peer-to-peer networks, fake software updates, or malvertising to spread Guildma.


Be aware of phishing techniques and keep your software updated to protect yourself online.

  • Do not click on suspicious links or open attachments from unfamiliar senders.
  • Do not download software from unofficial sources and be skeptical of software updates that come as an email or a pop-up.
  • Use NordVPN’s Threat Protection Pro feature to scan downloads for viruses and avoid malicious pop-ups and ads.
  • Install reliable antivirus software and update it regularly.
  • Create strong and unique passwords for your online accounts.
  • Enable MFA (multi-factor authentication) for additional security.


If you think you might have Guildma on your device, act quickly to limit the damage.

  • Disconnect your device from the internet to stop the malware from communicating with its control server.
  • Boot into safe mode.
  • Run a full system scan using a reputable antivirus solution.
  • Change passwords for online services and monitor your accounts for suspicious activity.