AllaKore
AllaKore is a publicly available, open-source Delphi-based remote access trojan (RAT). It is repeatedly cited as the upstream codebase behind multiple Latin America-focused banking trojan variants, including AllaSenha, CarnavalHeist, KL Gorki, and a 2026 variant designated NFe-RAT. Reporting describes it as frequently used against users in Latin America, especially Brazil, where derived variants steal online banking credentials and 2FA artifacts such as tokens and QR codes.

Observed descendant campaigns used multi-stage phishing chains themed around Brazilian electronic invoices (NFS-e / NF-e): malicious LNK files delivered through Windows search and WebDAV abuse, BAT/PowerShell launchers, embedded Python stages, and in-memory Delphi DLL payloads. Capabilities attributed to AllaKore-derived banking variants include remote control, keyboard and mouse interaction, remote desktop, keylogging, screen capture, credential theft through bank-specific overlays, and PIX QR-code fraud; one variant also carried a command to terminate AnyDesk.

AllaKore is also used outside Latin America: Cisco Talos reported SideCopy relying heavily on AllaKore RAT in campaigns targeting Indian government personnel and other entities in India, alongside other RAT families. The strongest associations therefore tie AllaKore both to the Brazilian banking malware ecosystem and to SideCopy operations. No standalone AllaKore-specific IOC set is published here beyond its characterization as a publicly available Delphi RAT and its role as the basis for the variants above.
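The delivery chain described above (LNK on a WebDAV share, BAT/PowerShell launcher, then a Python stage) leaves a recognisable process tree. The script below is an added example written for this page, not code from Mallory or from any vendor report: it walks simplified process-creation records (the fields Sysmon Event ID 1 carries) and flags a Python process whose ancestry contains a cmd/PowerShell launcher referencing a WebDAV path. The WebDAV path markers (`@SSL`, `DavWWWRoot`), the hop limit, and the sample events are assumptions constructed for the example, not IOCs from the page.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Assumed marker for execution from a WebDAV share: the Windows WebClient
# mini-redirector exposes HTTPS shares as \\host@SSL\DavWWWRoot\... (or
# \\host@SSL@443\...). This is a general Windows path convention, not an IOC
# taken from the page.
WEBDAV_RE = re.compile(r"@SSL(?:@\d+)?\\|DavWWWRoot\\", re.IGNORECASE)
LAUNCHERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PYTHON_RE = re.compile(r"^python\w*\.exe$", re.IGNORECASE)
MAX_DEPTH = 4  # assumed: how many ancestors to inspect above the Python stage


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or mixed-separator) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_chains(events):
    """Return one hit per Python process whose ancestry (within MAX_DEPTH hops)
    contains a cmd/PowerShell launcher whose command line references a WebDAV
    path, i.e. the LNK-on-share -> BAT/PS launcher -> Python stage shape."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not PYTHON_RE.match(basename(e.image)):
            continue
        cur, depth = by_pid.get(e.ppid), 0
        while cur is not None and depth < MAX_DEPTH:
            if basename(cur.image) in LAUNCHERS and WEBDAV_RE.search(cur.cmdline):
                hits.append({"python_pid": e.pid, "launcher_pid": cur.pid,
                             "webdav_ref": cur.cmdline})
                break
            cur, depth = by_pid.get(cur.ppid), depth + 1
    return hits


# Constructed sample telemetry (not real observations). PIDs, paths and the
# TEST-NET address 203.0.113.5 are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # the user opens the LNK; its target is a BAT on the WebDAV share
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "\\203.0.113.5@SSL\DavWWWRoot\nfe\NFe_123.bat"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -File stage.ps1"),
    ProcEvent(400, 300, r"C:\Users\Public\py\pythonw.exe", "pythonw.exe stage.py"),
    # benign developer activity: same tree shape, but no WebDAV origin
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(600, 500, r"C:\Python312\python.exe", "python.exe build.py"),
]

if __name__ == "__main__":
    for h in find_chains(SAMPLE_EVENTS):
        print(f"python pid {h['python_pid']} <- launcher pid {h['launcher_pid']}: "
              f"{h['webdav_ref']}")
```

Only the first tree is reported; the developer's cmd.exe -> python.exe pair has the same shape but no WebDAV reference, which is the distinguishing signal here. In production the WebDAV marker would be joined with the `search-ms:` handler on the parent explorer.exe and with the in-memory DLL load that follows, neither of which this simplified record captures.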
Groups observed using it
3 distinct threat actors attributed by public researchers.
"...including CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, and ReverseRAT."
“...including remote access trojans such as AresRAT, AllaKore, GetaRAT, Poseidon and DeskRAT...”
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Open-source RAT identified as the ultimate ancestor of the AllaSenha/CarnavalHeist/KL Gorki lineage that culminates in NFe-RAT.
RAT used in long-running campaigns targeting Mexican organizations; delivered alongside SystemBC and other loaders (per summary).
Related Posts: Greedy Sponge Reemerges: New AllaKore RAT Variant and SystemBC Target Mexico’s Financial Sector
RAT family listed as part of APT36/Transparent Tribe’s malware arsenal; no additional technical detail provided in the text.