S0530: Melcoz
Analyst context for executives and security teams
Melcoz matters because it combines user-driven entry, Windows execution, browser and credential collection, and data-manipulation behaviors associated with a banking trojan. For leaders, the key issue is not just malware blocking; it is whether phishing, browser credential exposure, clipboard capture, and transaction/session integrity can be detected and investigated quickly enough to protect business and financial processes.
Executive priority
Prioritize Melcoz as a validation case for Windows endpoint resilience, phishing-link controls, browser credential risk, and incident response readiness around financial or web-based workflows. The ATT&CK relationships point to behaviors that can undermine authentication evidence and transaction integrity, so executives should ask whether SOC telemetry, identity controls, and response playbooks can distinguish normal installer/script activity from suspicious msiexec, Visual Basic, AutoIT/AutoHotKey, DLL, and browser-session abuse.
Technical view
ATT&CK lists Melcoz as Windows malware and relates it to spearphishing links, malicious-link execution, Visual Basic, AutoIT/AutoHotKey, msiexec proxy execution, DLL abuse, software packing, ingress tool transfer, clipboard data collection, browser session hijacking, browser credential access, and transmitted data manipulation. SOC and IR teams should validate visibility across the full chain: email/link events, process creation, script interpreter use, Windows Installer activity, DLL load behavior, file transfer from external systems, browser credential-store access patterns, clipboard access where available, and network/session anomalies tied to web activity.
Likely telemetry
- Email security and URL click telemetry for spearphishing or malicious links
- Windows endpoint process creation and command-line logs
- Script execution telemetry for Visual Basic, AutoIT, and AutoHotKey-related activity
- Windows Installer/msiexec execution events, including local or network-accessible MSI usage
- DLL load, side-loading, or search-order related endpoint telemetry
Detection direction
- Map detections to the related ATT&CK techniques rather than relying on a Melcoz name or signature alone, since the official object provides no detection guidance.
- Tune for suspicious combinations: phishing-link click followed by script execution, msiexec launch, DLL activity, external file transfer, and browser credential or session access.
- Review false positives from legitimate automation, software installation, administrative scripting, and normal browser behavior before escalating to high-severity alerts.
- Validate whether packed executables reduce static-signature effectiveness and whether endpoint controls still produce behavioral evidence after unpacking in memory.
- Use relationship-driven context to build investigation pivots across execution, stealth, credential access, collection, command-and-control, and impact-related behaviors.
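As an added illustration of the "suspicious combinations" point above (example code written for this page, not part of the ATT&CK object or any vendor tooling), the following Python correlates constructed Sysmon-style process-creation events into the msiexec -> script interpreter -> DLL-loader chain the relationship table describes, while leaving a benign installer-service msiexec launch alone. Host names, timestamps, paths and DLL names are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry).
# ws01 shows a browser-launched MSI that drops a VBS which then loads a DLL;
# ws02 shows ordinary Windows Installer service activity and a logon script.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2024-01-10T09:00:01", "parent": "chrome.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\u\\Downloads\\fatura.msi /qn"},
    {"host": "ws01", "ts": "2024-01-10T09:00:04", "parent": "msiexec.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Windows\\Installer\\MSI1A2B.tmp.vbs"},
    {"host": "ws01", "ts": "2024-01-10T09:00:09", "parent": "wscript.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\ProgramData\\upd\\sample.dll,Start"},
    {"host": "ws02", "ts": "2024-01-10T10:15:00", "parent": "services.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /V"},
    {"host": "ws02", "ts": "2024-01-10T10:15:03", "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe logon.vbs"},
]

USER_ENTRY = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}   # T1204.001 entry points
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "autoit3.exe", "autohotkey.exe"}  # T1059.005 / T1059.010
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}                            # DLL execution stage


def correlate(events, window_seconds=300):
    """Return one alert per host where a user-facing app launched msiexec (T1218.007),
    msiexec spawned a script interpreter, and that interpreter loaded a DLL via a
    proxy loader, all within `window_seconds` of the msiexec launch."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start["image"] != "msiexec.exe" or start["parent"] not in USER_ENTRY:
                continue   # service-driven or admin installs are not the entry pattern of interest
            deadline = datetime.fromisoformat(start["ts"]) + timedelta(seconds=window_seconds)
            chain = [start]
            for follow in evs[i + 1:]:
                if datetime.fromisoformat(follow["ts"]) > deadline:
                    break
                last = chain[-1]["image"]
                if last == "msiexec.exe" and follow["image"] in SCRIPT_HOSTS and follow["parent"] == last:
                    chain.append(follow)
                elif last in SCRIPT_HOSTS and follow["image"] in DLL_LOADERS and follow["parent"] == last:
                    chain.append(follow)
                    break
            if len(chain) == 3:   # all three stages linked by parent/child within the window
                alerts.append({"host": host, "start": start["ts"],
                               "chain": [e["image"] for e in chain]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The window and the parent/child linkage are the two knobs to tune against local false positives from packaging or deployment tooling before the rule is promoted to a high-severity alert.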
Mitigation priorities
- Start with reducing malicious-link execution risk through email and web filtering controls, user reporting processes, and response workflows for clicked links.
- Harden Windows execution paths by governing script interpreters, msiexec usage, DLL loading behavior, and unauthorized automation tooling where operationally feasible.
- Reduce browser credential exposure by reviewing browser password storage practices and strengthening identity controls around high-risk web applications.
- Ensure endpoint and network telemetry retention supports investigation of downloaded tools, process chains, browser access, and suspected data manipulation.
- Prepare IR playbooks for banking-trojan-like activity that include credential reset decisions, browser/session review, endpoint containment, and integrity checks on affected transactions or workflows.
Analyst notes and limits
The most useful defensive framing comes from the relationship set: Melcoz is not only a malware family label, but a cluster of behaviors spanning initial access, execution, stealth, credential access, collection, command-and-control, and impact. The official description identifies it as a banking trojan family built from Remote Access PC and observed in Brazil, Chile, Mexico, Spain, and Portugal, but local risk should be based on whether the organization has exposed Windows users, web-based financial processes, and sufficient telemetry to investigate these behaviors.
The supplied ATT&CK object provides no official detection text, no explicit tactics on the malware object itself, and only Windows as the platform for Melcoz. Geographic observations and the banking-trojan description come from the supplied official description and reference, but they do not establish current activity, attribution, or exposure for any specific organization. Detection and mitigation decisions require local telemetry, asset, identity, and business-process context.
Melcoz
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1565.002 | Transmitted Data Manipulation (sub-technique) | Melcoz can monitor the clipboard for cryptocurrency addresses and change the intended address to one controlled by the adversary. [1] |
| Enterprise | T1059.010 | AutoHotKey & AutoIT (sub-technique) | Melcoz has been distributed through an AutoIt loader script. [1] |
| Enterprise | T1218.007 | Msiexec (sub-technique) | Melcoz can use MSI files with embedded VBScript for execution. [1] |
| Enterprise | T1185 | Browser Session Hijacking | Melcoz can monitor the victim's browser for online banking sessions and display an overlay window to manipulate the session in the background. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Melcoz has the ability to download additional files to a compromised host. [1] |
| Enterprise | T1574.001 | DLL (sub-technique) | Melcoz can use DLL hijacking to bypass security controls. [1] |
| Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | Melcoz has the ability to steal credentials from web browsers. [1] |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | Melcoz can use VBS scripts to execute malicious DLLs. [1] |
| Enterprise | T1027.002 | Software Packing (sub-technique) | Melcoz has been packed with VMProtect and Themida. [1] |
| Enterprise | T1115 | Clipboard Data | Melcoz can monitor content saved to the clipboard. [1] |
| Enterprise | T1204.001 | Malicious Link (sub-technique) | Melcoz has gained execution through victims opening malicious links. [1] |
| Enterprise | T1566.002 | Spearphishing Link (sub-technique) | Melcoz has been spread through malicious links embedded in e-mails. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 73049871632b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Securelist Brazilian Banking Malware July 2020: GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. Open source URL.
- [2] mitre-attack S0530. Open source URL.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.