Trojan.Bredolab is a threat that has been distributed widely and consistently this year. This research paper takes a closer look at the Trojan to discover how it works, why it’s so widespread, and the motivations behind it.

In short, Bredolab is distributed by spam emails and drive-by-download attacks. (In fact, last month we blogged about a wave of spam emails used to distribute it.) Once it’s on a computer, Bredolab downloads and installs a variety of other threats. This process is outlined in the following diagram.

We have seen Bredolab downloading password stealers, bots, rootkits, backdoors, and misleading applications. Some of the well-known threats that Trojan.Bredolab has been observed downloading are shown in the following table.

The paper outlines the different attack vectors and social engineering techniques that Bredolab uses to install itself. It also analyzes the encrypted communication that Bredolab uses and exposes the protections it incorporates to deter analysis. For full information about the threat, how it operates, and what its motivations are, be sure to check out the research paper.