TrojanDownloader:Win32/Shylock is an incredibly sophisticated, highly targeted banking trojan, notorious for its advanced 'Man-in-the-Browser' (MitB) capabilities and its innovative use of Domain Generation Algorithms (DGAs) combined with Skype for command and control resilience.
Understanding Shylock
To the victim, Shylock is entirely invisible until their bank account is drained. For a security analyst, Shylock (named after the Shakespearean character, due to its early code containing references to 'The Merchant of Venice') is a tier-one financial threat. It does not simply steal passwords; it actively modifies the victim's online banking session in real-time. It intercepts 2FA codes, alters transaction amounts dynamically, and hides the fraudulent transfers from the user's statement view.
Execution, Web Injects, and Mitigation Evasion
Shylock is typically distributed via drive-by downloads (`T1189`). Upon execution, it establishes persistence and immediately injects its core DLLs into `explorer.exe` (`T1055.001`). From there, it hooks the APIs of all running web browsers (Chrome, Firefox, IE) (`T1185`). When the user navigates to a targeted banking portal, Shylock's C2 server downloads a specific 'web inject' configuration. This allows Shylock to inject malicious HTML/JavaScript directly into the legitimate banking page (`T1111`), creating fake login forms or 2FA prompts that steal data directly from the DOM before it is encrypted by SSL/TLS.
Indicators of Compromise & Impact
The impact is massive financial fraud that bypasses standard 2FA mechanisms. Network logs will reveal anomalous DGA-based DNS requests (`T1568.002`). EDR platforms must alert on the injection of DLLs into `explorer.exe` or browser processes. A highly specific IoC for Shylock is the creation of a hidden partition or the abuse of Alternate Data Streams (ADS) to store its encrypted Virtual File System (VFS) to evade forensic detection.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1185 | Man-in-the-Browser | Collection |
T1111 | Two-Factor Authentication Interception | Credential Access |
T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Command and Control |
T1055.001 | Process Injection: Dynamic-link Library Injection | Defense Evasion |
T1564.004 | Hide Artifacts: NTFS File Attributes | Defense Evasion |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_SHYLOCK {
meta:
description = "Detects Shylock (banking_trojan)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "shylock" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Shylock Activity
id: e088c8fa68dfc3bc98f9e9a06f2c3b14
status: experimental
description: Detects generic indicators of the shylock malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*shylock*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/shylock.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.