Delf

Category: trojan_generic · Aliases: Trojan.Delf, Win32/Delf, Malware.Delphi · Sample count (EMBER 2018): 1,727 · Enrichment: documented_reference_only · Updated: 2026-07-02T07:47:42Z

Overview

Executive Summary

Delf (often detected as Trojan.Delf) is a broad, generic classification used by antivirus engines to categorize a massive family of Trojans written in the Delphi programming language (specifically Borland Delphi). Because Delphi was highly popular among malware authors in the 2000s and early 2010s for its ease of creating Windows GUI applications and standalone executables, thousands of distinct malware variants fall under this generic "Delf" umbrella, ranging from simple password stealers to complex banking trojans.

Infection Vector and Technical Capabilities

Due to the generic nature of the detection, the infection vectors are extremely varied. Delf variants are commonly distributed via malicious email attachments, P2P networks (disguised as keygens), or dropped by exploit kits. While specific capabilities vary by variant, Delf Trojans generally exhibit common malicious behaviors:

Threat Assessment

A Trojan.Delf detection must be treated with high severity. While it is an older classification, the underlying malware is designed to compromise the system, steal data, or provide remote access. The exact severity depends entirely on the specific, unclassified variant that has infected the machine.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1547.001 T1555 T1562.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_DELF {
    meta:
        description = "Detects Delf (trojan_generic)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "delf" ascii wide nocase
        $s2 = "trojan.delf" ascii wide nocase
        $s3 = "win32/delf" ascii wide nocase
        $s4 = "malware.delphi" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Delf Activity
id: 120b8aedc543e0e3c649f6ba08e01a2a
status: experimental
description: Detects generic indicators of the delf malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*delf*"
            - "*trojan.delf*"
            - "*win32/delf*"
            - "*malware.delphi*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about delf?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: trojan_generic)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/delf.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.