type: entity
confidence: medium
created: 2026-06-05
updated: 2026-06-06
tags: malware-family, banker, loader, pe, delphi, persistence, c2, mitre-attck

nf-edigital-com

Brazilian Delphi-based malware family targeting Nota Fiscal Eletrônica (NFe) digital certificates. Observed as both DLL plugins and EXE droppers.

Overview

The nf-edigital-com label originates from MalwareBazaar / OpenCTI. Two samples are known in the cluster as of June 2026: a DLL (4eb1fbf2) and an EXE (ffdd7105). Both share the nf-edigital-com tag and the banker label. The cluster's hallmark is aggressive Crypt32 certificate-store enumeration combined with WinHTTP beaconing inside a heavy Embarcadero Delphi VCL runtime.

Build Stack

  • Compiler: Embarcadero Delphi (recent — System.Net.HttpClient.Win and System.JSON present)
  • Linker: Embarcadero Linker 2.25
  • Form factor: PE32 GUI (both DLL and EXE variants)
  • Size: 1.9 MB (DLL) to 4.7 MB (EXE) — almost entirely RTL bloat
  • Signing: Unsigned
  • Exports (DLL): CriarArquivoTxt, __dbk_fcall_wrapper, dbkFCallWrapperAddr

Deploy / TTPs

Technique             Implementation
Certificate theft     CertOpenSystemStoreW, PFXImportCertStore → export of private keys and A1 (software) / A3 (token) certificate material
C2 beaconing          Delphi TWinHTTPClient / TWinHTTPRequest wrapping WinHttpOpen + WinHttpSendRequest
Process injection     VirtualAllocEx, WriteProcessMemory, ResumeThread imported (inferred from the import table only; analysis was static, CAPE skipped)
Registry persistence  RegSetValueExW, RegCreateKeyExW imported (inferred from the import table only; analysis was static, CAPE skipped)
Anti-debug            IsDebuggerPresent only

Variants / Aliases

  • nf-edigital-com (OpenCTI / MalwareBazaar raw label)
  • 4eb1fbf2 — DLL plugin, May 2026 build
  • ffdd7105 — EXE sibling, 2018-06-26 build, "TikTok" masquerade, adds DelphiZXingQRCode + dual TLS stack (WinHTTP + Indy SSL). Static-only deep-dive completed. /intel/analyses/ffdd7105679e62d8d5c7f22907d5ffe1ffbbe9b6374d957a1c3639f112f7778c.html

Capabilities

  • certificate-store-harvesting-pfx-export
  • winhttp-https-beaconing
  • indy-ssl-tls-beaconing
  • dll-plugin-export-hook
  • registry-persistence-write
  • process-injection-virtualallocex-wpm
  • anti-debug-isdebuggerpresent
  • qr-code-generation-pix-redirect
  • runtime-api-resolution-crypt32
  • json-c2-message-encoding
  • version-info-masquerade
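The TTP table and the capability tags above can be turned into a first-pass static triage for new MalwareBazaar hits. The following is an added example, not code from the linked analyses or from MalwareBazaar/OpenCTI: it encodes the page's fingerprint (Delphi RTL markers, Crypt32 store APIs, WinHTTP, the DLL export names) as rules over a raw byte blob, searches both ASCII and UTF-16LE so Delphi string literals are not missed, and keeps the page's "inferred" caveat for the injection and registry tags. PFXExportCertStoreEx is included as an assumption (the page names only PFXImportCertStore); the two blobs at the bottom are constructed for the demo and are not bytes from the real samples.

```python
"""Static string triage for the nf-edigital-com Delphi cluster.

Added example for this page; it is not code from the linked analyses or
from MalwareBazaar/OpenCTI.  It turns the page's fingerprint (Delphi RTL
markers, Crypt32 store APIs, WinHTTP, the DLL export names) into a rule
pass over a raw byte blob, so a new hit can be triaged before a full
disassembly.  The two blobs at the bottom are constructed for the demo.
"""

# One rule per capability tag used on this page.  Every name under "all"
# must be present and at least one under "any"; "inferred" mirrors the
# page's caveat that an imported API shows capability, not confirmed use
# (the analyses were static-only, CAPE skipped).
RULES = {
    "delphi-rtl": {
        "all": [b"Embarcadero"],
        "any": [b"System.Net.HttpClient.Win", b"System.JSON"],
    },
    "certificate-store-harvesting-pfx-export": {
        "all": [b"CertOpenSystemStoreW"],
        # PFXExportCertStoreEx is the export-side Crypt32 API; it is added
        # here as an assumption, the page itself names only PFXImportCertStore.
        "any": [b"PFXImportCertStore", b"PFXExportCertStoreEx"],
    },
    "winhttp-https-beaconing": {"all": [b"WinHttpOpen", b"WinHttpSendRequest"]},
    "process-injection-virtualallocex-wpm": {
        "all": [b"VirtualAllocEx", b"WriteProcessMemory", b"ResumeThread"],
        "inferred": True,
    },
    "registry-persistence-write": {
        "all": [b"RegSetValueExW", b"RegCreateKeyExW"],
        "inferred": True,
    },
    "anti-debug-isdebuggerpresent": {"all": [b"IsDebuggerPresent"]},
    "dll-plugin-export-hook": {"any": [b"CriarArquivoTxt", b"__dbk_fcall_wrapper"]},
    # A crypt32.dll literal next to GetProcAddress means the Crypt32 names
    # may live in the string table rather than the import table.
    "runtime-api-resolution-crypt32": {"all": [b"crypt32.dll", b"GetProcAddress"]},
}


def present(blob: bytes, needle: bytes) -> bool:
    """Case-insensitive search for both the ASCII and the UTF-16LE form.

    Import/export names are ASCII, but Delphi string literals (unit names,
    a LoadLibrary('crypt32.dll') argument) are stored as UTF-16LE."""
    low = blob.lower()
    ascii_form = needle.lower()
    wide_form = needle.decode("ascii").lower().encode("utf-16-le")
    return ascii_form in low or wide_form in low


def triage(blob: bytes) -> dict:
    """Map every rule tag to 'hit', 'hit (inferred)' or 'miss'."""
    result = {}
    for tag, rule in RULES.items():
        need_all = all(present(blob, n) for n in rule.get("all", []))
        any_list = rule.get("any", [])
        need_any = (not any_list) or any(present(blob, n) for n in any_list)
        if need_all and need_any:
            result[tag] = "hit (inferred)" if rule.get("inferred") else "hit"
        else:
            result[tag] = "miss"
    return result


def cluster_candidate(blob: bytes) -> bool:
    """The page's hallmark: Delphi RTL, Crypt32 store access and WinHTTP
    beaconing in one binary.  Inferred-only tags do not count here."""
    hits = triage(blob)
    return all(hits[t] == "hit" for t in (
        "delphi-rtl",
        "certificate-store-harvesting-pfx-export",
        "winhttp-https-beaconing",
    ))


def _names(*items: str) -> bytes:
    """Lay names out NUL-terminated, as a PE import/export name table does."""
    return b"".join(s.encode("ascii") + b"\x00" for s in items)


def _wide(s: str) -> bytes:
    """A Delphi-style UTF-16LE literal with its terminator."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for the 4eb1fbf2 DLL: not bytes from the real sample.
SAMPLE_DLL = _names(
    "CertOpenSystemStoreW", "PFXImportCertStore", "WinHttpOpen",
    "WinHttpSendRequest", "VirtualAllocEx", "WriteProcessMemory",
    "ResumeThread", "RegSetValueExW", "RegCreateKeyExW", "IsDebuggerPresent",
    "GetProcAddress", "CriarArquivoTxt", "__dbk_fcall_wrapper",
) + _wide("Embarcadero") + _wide("System.Net.HttpClient.Win") + _wide("crypt32.dll")

# Constructed benign Delphi HTTP client: same RTL, no Crypt32, no exports.
BENIGN_DELPHI = _names("WinHttpOpen", "WinHttpSendRequest", "GetProcAddress") \
    + _wide("Embarcadero") + _wide("System.JSON")

if __name__ == "__main__":
    for label, blob in (("sample-dll", SAMPLE_DLL), ("benign-delphi", BENIGN_DELPHI)):
        print(label, "-> cluster candidate" if cluster_candidate(blob) else "-> no match")
        for tag, status in triage(blob).items():
            if status != "miss":
                print("   ", tag, status)
```

Run it against the raw file bytes of a candidate (`triage(open(path, "rb").read())`). The benign blob shows why the Delphi RTL and WinHTTP hits alone are not enough: plenty of legitimate Brazilian NF-e software is built on the same stack, so the cluster call requires the Crypt32 store access as well, and the injection and registry tags stay marked inferred until a dynamic run confirms them.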

Notable Analyses

  • /intel/analyses/4eb1fbf29f86031e47808cbcac92dfb4370fc4c0b63153f564afcceb9ac60578.html — DLL deep-dive (static-only, CAPE skipped)

Related Entities / Techniques

  • delphi-vcl-certificate-harvesting — How Delphi VCL RTL bloat masks certificate theft in large binaries
  • raw/analyses/ffdd7105679e62d8d5c7f22907d5ffe1ffbbe9b6374d957a1c3639f112f7778c — Sibling EXE (not yet deep-analyzed)