type: technique
confidence: medium
created: 2026-06-05
updated: 2026-06-05
tags: compiler, delphi, obfuscation, code-injection, research-target

Delphi VCL Certificate Harvesting

A build/RE pattern in which the statically linked Delphi VCL/RTL inflates a small certificate-stealing payload into a 1.5–5 MB PE. Static triage becomes noisy because the import table and string set are dominated by benign VCL runtime APIs rather than malicious indicators, and the handful of crypt32/winhttp calls that matter sit inside megabytes of library code. The bloat hides nothing at runtime: certificate-store access followed by an outbound POST is still the behaviour to key on.

Detection / Fingerprint

  • PE imports crypt32.dll store APIs (CertOpenSystemStoreW plus a PFX routine, PFXImportCertStore or PFXExportCertStoreEx) and winhttp.dll (WinHttpOpen, WinHttpSendRequest) in the same module. Treat the pairing as the indicator; a PFX routine on its own is common in legitimate installers.
  • Large .text section (>1 MB) with entropy around 6.0–6.5, the range of unpacked native code; a packed or encrypted payload would sit above 7.
  • Export name CriarArquivoTxt (Portuguese for "create txt file") or other Portuguese-language export names in Delphi DLLs targeting Brazilian users.
  • Version info block still carries the Delphi template defaults: ProductName Project1 and ProgramID com.embarcadero.Project1, meaning the author never filled in version info.
  • Debugger-support exports __dbk_fcall_wrapper / dbkFCallWrapperAddr are present when the module was built in the Debug configuration.

Implementation Patterns Observed

In the nfedigitalcom sample the malware logic is not in the export stub but in Delphi event handlers that fire after DLL_PROCESS_ATTACH. The export CriarArquivoTxt is a thin wrapper that allocates a string buffer, calls an internal VCL function and returns. The actual harvesting is staged inside form OnCreate handlers or TThread.Execute overrides, so following the export from the PE entry point in radare2 or Ghidra shows only benign RTL calls. Start instead from the DLL entry point's unit-initialization sequence and from the VCL's event-dispatch and thread classes, and cross-reference the crypt32/winhttp imports back to their callers.

Reproduce on Your Own VMs

  1. Install Delphi Community Edition.
  2. Create a DLL project with one exported function.
  3. Add Winapi.Windows, System.Win.Registry, Winapi.WinHTTP, and System.Net.HttpClient to the uses clause.
  4. Open the MY certificate store with CertOpenSystemStoreW and serialise it to a PFX blob with PFXExportCertStoreEx (the EXPORT_PRIVATE_KEYS flag is what makes the blob worth stealing; populate the store with a throwaway test certificate first).
  5. POST the blob with THTTPClient.Post from System.Net.HttpClient, which is implemented over WinHTTP on Windows.
  6. Compile with the default Debug configuration so the __dbk_fcall_wrapper / dbkFCallWrapperAddr exports are retained.
  7. Observe that the resulting PE is >1.5 MB even though your source is <200 lines; the difference is the statically linked VCL/RTL.

Verification step: dump the optional header and version resource of your DLL (pefile's OPTIONAL_HEADER.MajorLinkerVersion / MinorLinkerVersion and the VS_VERSIONINFO strings, or exiftool) and compare with the nfedigitalcom sample; both should show linker version 2.25 and the default ProgramID com.embarcadero.Project1. Plain `file` only reports "PE32 executable (DLL)" and shows neither value.
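The triage script below, added here as an example and not part of the original page or of any tooling associated with nfedigitalcom, checks a PE against the Detection / Fingerprint list above and against the linker-version part of this verification step: it parses the optional header's linker version, the section table (with Shannon entropy) and the named imports without any third-party library, then reports which indicators match. The thresholds (>1 MB .text, entropy 6.0–6.5, linker 2.25, the crypt32 and winhttp API pairs) are taken from the page; build_synthetic_pe is a constructed test input, not a real Delphi binary, so the script runs offline. Version-info strings and export names are not parsed here; YARA's pe module covers those.

```python
"""Static triage for the Delphi VCL certificate-harvester fingerprint (stdlib only)."""
import math
import random
import struct
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(data: bytes) -> dict:
    """Return linker version, section table (with entropy) and named imports of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, opt)
    plus = magic == 0x20B                                # PE32+ pushes the data directories 16 bytes down
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]   # directory entry 1
    sections = []
    for i in range(nsec):
        h = opt + opt_size + 40 * i
        vsize, va, rsize, roff = struct.unpack_from("<IIII", data, h + 8)
        sections.append({"name": data[h:h + 8].rstrip(b"\0").decode("latin-1"), "va": va,
                         "span": max(vsize, rsize), "raw_size": rsize, "raw_off": roff,
                         "entropy": shannon_entropy(data[roff:roff + rsize])})

    def rva2off(rva: int) -> int:
        for s in sections:
            if s["va"] <= rva < s["va"] + s["span"]:
                return rva - s["va"] + s["raw_off"]
        raise ValueError(f"RVA {rva:#x} maps to no section")

    def cstr(off: int) -> str:
        return data[off:data.index(b"\0", off)].decode("latin-1")

    imports: dict[str, list[str]] = {}
    desc = rva2off(imp_rva) if imp_rva else 0
    while desc:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                # all-zero descriptor terminates the array
            break
        funcs, thunk, width = [], rva2off(ilt or iat), 8 if plus else 4
        while (entry := struct.unpack_from("<Q" if plus else "<I", data, thunk)[0]) != 0:
            if not entry >> (width * 8 - 1):             # ordinal-only imports carry no name
                funcs.append(cstr(rva2off((entry & 0x7FFFFFFF) + 2)))   # +2 skips the hint word
            thunk += width
        imports[cstr(rva2off(name_rva)).lower()] = funcs
        desc += 20
    return {"linker": (lmaj, lmin), "sections": sections, "imports": imports}


def harvester_indicators(info: dict) -> list[str]:
    """One entry per matched indicator from the Detection / Fingerprint list; all four is a strong hit."""
    hits = []
    crypt = set(info["imports"].get("crypt32.dll", []))
    http = set(info["imports"].get("winhttp.dll", []))
    if "CertOpenSystemStoreW" in crypt and crypt & {"PFXExportCertStoreEx", "PFXImportCertStore"}:
        hits.append("crypt32: CertOpenSystemStoreW + PFX store API")
    if {"WinHttpOpen", "WinHttpSendRequest"} <= http:
        hits.append("winhttp: WinHttpOpen + WinHttpSendRequest")
    if info["linker"] == (2, 25):
        hits.append("linker 2.25 (Delphi)")
    for s in info["sections"]:
        if s["name"] == ".text" and s["raw_size"] > 1_000_000 and 6.0 <= s["entropy"] <= 6.5:
            hits.append(f".text {s['raw_size']} bytes at entropy {s['entropy']:.2f} (unpacked VCL range)")
    return hits


def build_synthetic_pe(imports: dict, text_size: int, linker=(2, 25), seed=1) -> bytes:
    """CONSTRUCTED input, not a real Delphi binary: a PE32 DLL whose single .text section holds an
    import table followed by filler drawn from 80 byte values (about 6.3 bits/byte, like native code)."""
    sec_rva, sec_off = 0x1000, 0x400
    body = bytearray(20 * (len(imports) + 1))            # descriptor array, patched in below
    descs = []
    for dll, funcs in imports.items():
        names = []
        for f in funcs:
            names.append(sec_rva + len(body))
            body += b"\0\0" + f.encode() + b"\0" * (2 - len(f) % 2)   # hint word + name, even-aligned
        dll_rva = sec_rva + len(body)
        body += dll.encode() + b"\0" * (4 - len(body + dll.encode()) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in names) + b"\0\0\0\0"
        ilt_rva, iat_rva = sec_rva + len(body), sec_rva + len(body) + len(thunks)
        body += thunks + thunks
        descs.append(struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, iat_rva))
    body[:20 * len(descs)] = b"".join(descs)
    body += random.Random(seed).randbytes(text_size - len(body)).translate(bytes(b % 80 for b in range(256)))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386 DLL, one section
    opt = struct.pack("<HBB", 0x10B, *linker) + b"\0" * 88 + struct.pack("<I", 16)
    datadir = bytearray(128)
    struct.pack_into("<II", datadir, 8, sec_rva, 20 * len(descs))                  # import directory
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), sec_rva, len(body), sec_off,
                                                 0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + datadir + sec).ljust(sec_off, b"\0") + bytes(body)


if __name__ == "__main__":                                # python triage.py <your.dll>
    print("\n".join(harvester_indicators(parse_pe(open(sys.argv[1], "rb").read()))) or "no indicators")
```

Run it against the DLL you built in the steps above; the crypt32/winhttp pair, the linker version and the oversized low-entropy .text should all report, and rebuilding with a packer will drop the .text indicator while keeping the other three. The entropy band is deliberately the page's, so a sample whose .text is partly encrypted will fall outside it and needs a manual look rather than an automatic miss.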

Defensive Countermeasures

  • Monitor CertOpenSystemStoreW (and PFXExportCertStoreEx) called from processes that have loaded a large Delphi module (.text >1 MB, entropy around 6.0); this needs EDR or ETW API telemetry, since Sysmon does not log CryptoAPI calls.
  • Sigma on Sysmon Event ID 7 (image load): alert when the loaded DLL's version-info Product/Description still read the Delphi default Project1 and the image is unsigned, then correlate with the API telemetry above. Export names such as CriarArquivoTxt do not appear in image-load events; hunt for them statically with YARA's pe.exports() instead.

Pages Where Observed

  • nfedigitalcom — family entity, cluster overview
  • /intel/analyses/4eb1fbf29f86031e47808cbcac92dfb4370fc4c0b63153f564afcceb9ac60578.html — DLL deep-dive