Grandoreiro and BTMOB Malware Campaigns Accelerate Threats to Financial Institutions in Europe and Latin America

Recent reporting indicates that two banking-malware campaigns, Grandoreiro (targeting Windows) and BTMOB (targeting Android), are actively going after customers of financial institutions across Europe and Latin America. Together they put both corporate and individual users at risk in countries including Spain, Portugal, Mexico, and Brazil.

Overview of the Threat Landscape

Cybersecurity firms WatchGuard and ESET have reported that the Grandoreiro campaign uses advanced techniques to get into victims' banking sessions, with a recent focus on Portugal. The malware is delivered through DLL side-loading: a legitimate, typically signed, executable is shipped together with an attacker-supplied DLL that carries the name of a library the executable expects, and the Windows DLL search order causes the program to load the malicious copy from its own directory before the genuine one. No flaw in the host program is required, which is what makes the technique so hard to attribute to a specific vulnerability. Since its inception in 2016, Grandoreiro has evolved to target thousands of financial institutions across 45 countries.

Phishing emails serve as the primary distribution method for Grandoreiro; recipients are lured into clicking a link that starts the download of the malware package. Despite law-enforcement action in Brazil against its infrastructure, Grandoreiro has proved resilient, adapting its tactics and placing CAPTCHA checks in front of its download stages so that automated crawlers and analysis sandboxes never retrieve the payload.

Technical Insights into Grandoreiro

The latest Grandoreiro variant uses DLL side-loading to execute DLLs built with Delphi 11 (Delphi has long been the toolchain of choice for banking trojans from this region). Two of them, mingwm10.dll and libwebp.dll, embed sgcWebSockets, a Delphi library for WebSocket and real-time peer-to-peer communication.

WatchGuard researchers explain that these DLLs use the Session Traversal Utilities for NAT (STUN) protocol, which lets a host behind a NAT learn the public IP address and port the NAT has assigned to it. Because STUN is exactly what browsers and conferencing clients use for WebRTC, the malware's communication channel blends in with legitimate web conferencing traffic and is correspondingly hard to single out on the network.
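To make the NAT-discovery step concrete, here is a minimal STUN Binding exchange (RFC 5389) with both sides: the client builds a Binding Request, the server answers with XOR-MAPPED-ADDRESS, and the client decodes its public mapping. This is an added example written for this page, not code from WatchGuard, ESET, or the malware. No network is used: the server side is simulated in-process, and the reflexive address 203.0.113.7:40123 is a constructed documentation value. The `looks_like_stun` helper is the kind of cheap wire-level check an IDS applies, and it illustrates the detection problem the paragraph describes: the malware's STUN is well-formed, so the classifier cannot tell it from a conferencing client by itself.

```python
"""
Minimal STUN (RFC 5389) Binding exchange: client request, simulated server
response, and recovery of the public address from XOR-MAPPED-ADDRESS.

Added example for illustration; not WatchGuard's, ESET's, or the malware's code.
The reflexive address returned by the fake server is constructed.
"""
import os
import socket
import struct
from typing import Callable, Dict, Optional, Tuple

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """Client side: a Binding Request is just the 20-byte header, no attributes."""
    txid = txid or os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction ID must be 96 bits")
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def _xor_mapped_address(ip: str, port: int) -> bytes:
    """Encode an IPv4 XOR-MAPPED-ADDRESS attribute. The XOR with the magic cookie
    keeps NATs that rewrite IP literals in payloads from mangling the answer."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, x_port, x_addr)
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_response(txid: bytes, reflexive_ip: str, reflexive_port: int) -> bytes:
    """Server side: echo the transaction ID and report the source address it saw."""
    attrs = _xor_mapped_address(reflexive_ip, reflexive_port)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE, txid) + attrs


def looks_like_stun(data: bytes) -> bool:
    """Wire-level classifier: top two bits of the type are zero, the magic cookie
    is present, and the length field matches the body (which is 4-byte aligned)."""
    if len(data) < HEADER_LEN:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    return ((msg_type >> 14) == 0 and cookie == MAGIC_COOKIE
            and length == len(data) - HEADER_LEN and length % 4 == 0)


def parse_message(data: bytes) -> Dict[str, object]:
    """Parse a STUN message; decode XOR-MAPPED-ADDRESS (IPv4 only) when present."""
    if not looks_like_stun(data):
        raise ValueError("not a STUN message")
    msg_type, length, _cookie, txid = struct.unpack("!HHI12s", data[:HEADER_LEN])
    attrs: Dict[int, bytes] = {}
    offset = HEADER_LEN
    while offset < HEADER_LEN + length:
        atype, alen = struct.unpack("!HH", data[offset:offset + 4])
        attrs[atype] = data[offset + 4:offset + 4 + alen]
        offset += 4 + ((alen + 3) & ~3)     # attribute values are padded to 4 bytes
    result: Dict[str, object] = {"type": msg_type, "txid": txid}
    raw = attrs.get(ATTR_XOR_MAPPED_ADDRESS)
    if raw is not None:
        _, family, x_port, x_addr = struct.unpack("!BBHI", raw)
        if family != 0x01:
            raise ValueError("only IPv4 is handled in this example")
        ip = socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE))
        result["mapped"] = (ip, x_port ^ (MAGIC_COOKIE >> 16))
    return result


def discover_public_address(send: Callable[[bytes], bytes]) -> Tuple[str, int]:
    """One client round-trip. `send` stands in for the network: it takes the
    request bytes and returns the server's response bytes."""
    request = build_binding_request()
    parsed = parse_message(send(request))
    if parsed["txid"] != parse_message(request)["txid"]:
        raise ValueError("transaction ID mismatch; response is not ours")
    if "mapped" not in parsed:
        raise ValueError("response carried no XOR-MAPPED-ADDRESS")
    return parsed["mapped"]  # type: ignore[return-value]


def fake_stun_server(request: bytes) -> bytes:
    """Simulated server that behaves as if the request arrived from the NAT's
    outside mapping 203.0.113.7:40123 (a constructed documentation address)."""
    req = parse_message(request)
    if req["type"] != BINDING_REQUEST:
        raise ValueError("unexpected message type")
    return build_binding_response(req["txid"], "203.0.113.7", 40123)  # type: ignore[arg-type]


if __name__ == "__main__":
    ip, port = discover_public_address(fake_stun_server)
    print(f"public mapping as seen by the STUN server: {ip}:{port}")
```

Because the exchange is protocol-conformant, a defender cannot block or flag it on message shape alone without also breaking WebRTC; the useful pivot is which process or host originates the STUN traffic and whether that process has any business doing NAT traversal.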

The campaign additionally ships libffi-6.dll and libpng15.dll, which use Interactive Connectivity Establishment (ICE), the NAT-traversal framework built on STUN and TURN that lets two peers negotiate a working network path. These components specifically target banks and financial institutions in Portugal, including Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, and Santander, as well as international services such as Revolut and Wise.
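The four library names above (mingwm10.dll, libwebp.dll, libffi-6.dll and libpng15.dll) are ordinary open-source dependencies that plenty of legitimate software ships, so a name match on its own is not a detection. The following hunt over Sysmon Event ID 7 ("Image loaded") records shows how a practitioner would pair those names with the structural indicators of side-loading: the DLL sits in a user-writable location, it is unsigned or its signature failed to validate, and it lives beside the executable that loaded it. This is an added example, not WatchGuard's or ESET's detection logic; the log records are constructed, and their `Key=value|Key=value` layout is a simplified rendering of Sysmon's fields rather than its native XML.

```python
"""
Hunt for DLL side-loading in Sysmon Event ID 7 ("Image loaded") records.

Added example for illustration; not WatchGuard's or ESET's detection logic.
It combines the four library names the campaign is reported to side-load with
generic side-loading indicators. The records below are constructed, and the
'Key=value|Key=value' layout is a simplified rendering of Sysmon's event fields.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Library names the page reports as carriers for the side-loaded payload.
WATCHED_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Path fragments that mark locations an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

FIELD_RE = re.compile(r"(\w+)=([^|]*)")


@dataclass
class Finding:
    host_exe: str
    dll: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=value|Key=value' into a dict, trimming stray whitespace."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def assess_load(ev: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when an image load looks like side-loading, else None."""
    exe = ev.get("Image", "")
    dll = ev.get("ImageLoaded", "")
    if ntpath.basename(dll).lower() not in WATCHED_DLLS:
        return None

    writable = any(m in dll.lower() for m in USER_WRITABLE_MARKERS)
    unsigned = (ev.get("Signed", "").lower() != "true"
                or ev.get("SignatureStatus", "") != "Valid")
    # The name alone is not evidence: vendors legitimately ship these libraries.
    # A validly signed copy in a protected install directory is left alone.
    if not (writable or unsigned):
        return None

    reasons = []
    if writable:
        reasons.append("loaded from user-writable path")
    if unsigned:
        reasons.append("unsigned or signature not valid")
    # Side-loading plants the DLL next to the host binary so that the application
    # directory wins the search order; record that shape when it is present.
    if ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower():
        reasons.append("resides beside the host executable")
    return Finding(exe, dll, reasons)


def hunt(lines: List[str]) -> List[Finding]:
    """Run every record through assess_load and keep the hits."""
    findings = []
    for line in lines:
        f = assess_load(parse_event(line))
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: a system DLL loaded from System32.
    r"Image=C:\Program Files\Viewer\viewer.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|SignatureStatus=Valid",
    # Benign: a vendor ships its own signed libpng15.dll inside Program Files.
    r"Image=C:\Program Files\Viewer\viewer.exe|ImageLoaded=C:\Program Files\Viewer\libpng15.dll|Signed=true|SignatureStatus=Valid",
    # Suspicious: an executable run from Temp loads unsigned copies of two watched names from its own folder.
    r"Image=C:\Users\ana\AppData\Local\Temp\Fatura\fatura.exe|ImageLoaded=C:\Users\ana\AppData\Local\Temp\Fatura\libwebp.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\Users\ana\AppData\Local\Temp\Fatura\fatura.exe|ImageLoaded=C:\Users\ana\AppData\Local\Temp\Fatura\mingwm10.dll|Signed=false|SignatureStatus=Unavailable",
    # Not watched: an unsigned DLL whose name this hunt does not track.
    r"Image=C:\Users\ana\Downloads\tool.exe|ImageLoaded=C:\Users\ana\Downloads\zlib1.dll|Signed=false|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.host_exe} -> {ntpath.basename(hit.dll)}: {'; '.join(hit.reasons)}")
```

Against the sample set only the two loads from the Temp folder are reported; the vendor's signed libpng15.dll in Program Files is deliberately left alone. In production the same logic applies to Sysmon's real XML (the `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` fields carry the same meaning), and the WATCHED_DLLS set should be kept current with vendor reporting.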

BTMOB: A New Threat on Android Devices

In parallel, ESET has reported on BTMOB, an Android remote access trojan (RAT) that emerged in February 2025. The malware can unlock the device, capture screenshots, log keystrokes, and automate credential theft by injecting HTML overlays when targeted applications are opened. A more recent version adds the ability to capture Alipay PINs, further extending its reach.

BTMOB is sold with an APK builder interface that lets buyers generate new payloads and customise phishing lures without writing any code. This substantially lowers the barrier to entry for less skilled actors and allows campaigns to be stood up quickly.

BTMOB spreads mainly through social engineering: victims are directed to counterfeit websites that imitate streaming services or cryptocurrency platforms and are tricked into downloading an APK that contains the malware. Once installed, BTMOB asks the victim to grant it access to Android's accessibility services. With that single permission in hand it can read screen contents and perform taps on the victim's behalf, so the capabilities listed above run without any further user interaction.

The Evolution of Malware-as-a-Service

BTMOB operates under a malware-as-a-service (MaaS) model, which has broader implications for the cybersecurity landscape. This model allows even novice cybercriminals to launch sophisticated attacks with minimal technical expertise. Reports indicate that leaked versions of BTMOB are circulating on underground forums, increasing the risk of abuse by aspiring criminals.

ESET emphasizes that access to such tools rarely remains confined. The potential for secondary markets to emerge through resale or sharing within closed communities poses a significant risk to cybersecurity. Competing malware families may also adopt elements from BTMOB, making it easier for less skilled criminals to customize payloads and manage campaigns effectively.

Implications for Financial Institutions

The ongoing evolution of Grandoreiro and BTMOB underscores the increasing sophistication of banking malware. Financial institutions must remain vigilant, as these campaigns illustrate a trend toward the abuse of legitimate services and protocols and the integration of advanced evasion techniques.

WatchGuard notes that the combination of phishing, DLL side-loading, and anti-analysis measures makes these malware campaigns increasingly difficult to detect with traditional defenses. The adaptability of financially motivated threat groups highlights the necessity for enhanced security measures and continuous monitoring to safeguard sensitive data.

As cyber threats continue to evolve, the need for robust cybersecurity protocols becomes more critical. Organizations must prioritize employee training on phishing awareness and invest in advanced threat detection systems to mitigate the risks posed by these sophisticated malware campaigns.

For further insights into the Grandoreiro and BTMOB malware campaigns, visit cyberwarriorsmiddleeast.com.

Published on 2026-05-28 06:18:00 • By the Editorial Desk
