For several months now, we have been tracking a malware campaign called Guildma. Guildma is powerful combination of a RAT (remote access tool), spyware, password stealer and banker malware, mainly distributed via malicious attachments in phishing emails. The cybercriminals behind Guildma have primarily focused on targeting Brazilian users and services , but since May 2019 they have expanded their range and are now targeting more than 130 banks and 75 other web services around the world. In our analysis, we present the infection process and a detailed description of Guildma’s modules. Due to the time-span covered by this research, we were also able to provide details about the evolution of Guildma.