Grandoreiro and BTMOB Latin America / Europe malware campaigns

Summary

On May 26-27, 2026, WatchGuard, ESET, and The Hacker News published reporting on two financially motivated malware tracks affecting Europe and Latin America: renewed Grandoreiro Windows banking-malware campaigns and BTMOB Android RAT-as-a-service activity.

The reports are useful together because they show the same defensive theme across desktop and mobile fraud operations: commodity social engineering still initiates compromise, but operators are adding communications camouflage, ready-made builders, and regional lure customization to speed campaign turnover.

Grandoreiro: Windows banking malware

WatchGuard described Grandoreiro campaigns targeting banks and businesses in Portugal, Spain, Mexico, and Latin America. Grandoreiro has been active since at least 2016 and remained operational after partial law-enforcement disruption of the ecosystem.

Notable current tradecraft:

  • Initial access remains phishing-led, including malicious links and ZIP/VBS delivery chains hosted through abused cloud/file-sharing services.
  • One campaign uses DLL sideloading with Delphi-built DLLs named libwebp.dll, mingw10.dll, libffi-6.dll, and libpng15.dll.
  • Some DLLs incorporate sgcWebSockets / WebRTC-related components and use STUN or ICE-style peer-to-peer communications, blending into traffic patterns defenders may already associate with conferencing or real-time applications.
  • Targets and lure logic cover financial institutions serving Portuguese customers, including Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, Santander, Revolut, and Wise.
  • The malware performs anti-analysis checks against sandbox hostnames, security tools, debugger/reversing utilities, VM artifacts, execution paths, installed software, and geolocation signals before final payload activity.

BTMOB: Android RAT-as-a-service

ESET reported that BTMOB, first described in 2025 and evolved from the SpySolr lineage, is a lower-volume but high-impact Android remote-access trojan. The tool is sold with an APK builder and campaign tooling, allowing operators to generate payloads and adapt lures without writing code.

Notable current tradecraft:

  • Delivery relies on social engineering that sends victims to phishing pages masquerading as streaming services, cryptocurrency-mining platforms, fake app stores, or region-specific services.
  • The installed APK abuses Android Accessibility Services to grant itself expanded permissions with minimal additional user interaction.
  • Capabilities include sensitive-data exfiltration, screenshots, activity recording, keylogging, device unlock/control workflows, and remote takeover.
  • ESET and THN noted the MaaS economics and the leak risk that comes with them: paid access, resale, promotion on Telegram and social media, and claimed or observed circulation of related files can all move the tool beyond its original customer base.
  • ESET detections include MSIL/BtmobRat for the builder/tooling side and Android detections such as Android/Spy.Agent.EED, Android/Spy.Agent.EIJ, and Android/Spy.Agent.EIK for related payloads.

Defender heuristics

  • Treat Grandoreiro detections as fraud and credential-theft incidents, not just commodity malware; review banking access, browser stores, clipboard activity, and business-payment workflows.
  • Add DLL sideloading and unexpected Delphi DLL execution to hunts, especially where file names mimic common libraries and run from user-writable or archive-extracted paths.
  • Baseline and alert on unusual WebRTC/STUN/ICE traffic from non-browser/non-conferencing processes.
  • For Android fleets, enforce official-store-only installation, block sideloading where possible, monitor Accessibility Service grants, and treat fake-store install attempts as credential-theft precursors.
  • Expect BTMOB indicators to churn quickly because builder-generated APKs can change hashes and lures rapidly; prioritize infrastructure patterns, permissions behavior, and Accessibility abuse over single-file hashes.
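The DLL sideloading hunt above, worked as an added example (not code from WatchGuard, ESET or THN): it triages Sysmon-style ImageLoad events for the four Grandoreiro DLL names and flags loads from user-writable or archive-extracted paths, loads co-located with a host executable outside trusted install directories, and unsigned copies, while leaving a legitimately installed copy under Program Files alone. The event field names, the trusted and user-writable directory lists, and the sample events are all constructed assumptions.

```python
"""Hunt for Grandoreiro-style DLL sideloading in image-load telemetry.
Sample events are constructed below to mimic Sysmon Event ID 7 (ImageLoad)
fields; field names, paths and trusted/writable directories are assumptions."""
from pathlib import PureWindowsPath

# DLL names WatchGuard reported in the Grandoreiro sideloading chain.
SUSPECT_DLLS = {"libwebp.dll", "mingw10.dll", "libffi-6.dll", "libpng15.dll"}
# Where legitimately installed copies of such libraries normally live (assumed).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# User-writable / archive-extraction locations worth scrutinising (assumed).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\", "\\users\\public\\")

def is_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)

def is_trusted_location(path):
    return path.lower().startswith(TRUSTED_PREFIXES)

def triage_image_load(event):
    """Return a finding when a Grandoreiro DLL name loads suspiciously, else None.
    event keys: Image (host exe), ImageLoaded (DLL path), Signed ("true"/"false")."""
    dll_path = event["ImageLoaded"]
    if PureWindowsPath(dll_path).name.lower() not in SUSPECT_DLLS:
        return None
    reasons = []
    if is_user_writable(dll_path):
        reasons.append("dll in user-writable or archive-extracted path")
    same_dir = PureWindowsPath(event["Image"]).parent == PureWindowsPath(dll_path).parent
    if same_dir and not is_trusted_location(dll_path):
        reasons.append("dll co-located with host exe outside trusted install dirs")
    if event.get("Signed", "true").lower() == "false":
        reasons.append("dll unsigned")
    return {"host": event["Image"], "dll": dll_path, "reasons": reasons} if reasons else None

def hunt(events):
    """Run triage over a batch of ImageLoad events and keep only the findings."""
    return [f for f in map(triage_image_load, events) if f]

# Constructed samples: Temp-dir sideload, legitimate Program Files copy, Downloads load, unrelated system DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\ana\AppData\Local\Temp\Fatura_2026\visualizador.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\Fatura_2026\libwebp.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\ImageTool\imagetool.exe",
     "ImageLoaded": r"C:\Program Files\ImageTool\libwebp.dll", "Signed": "true"},
    {"Image": r"C:\Users\ana\Downloads\doc_viewer.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\mingw10.dll", "Signed": "true"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]
```

Running `hunt(SAMPLE_EVENTS)` returns two findings (the Temp-dir and Downloads loads) and none for the Program Files copy or kernel32.dll.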

Sources

  • WatchGuard: https://www.watchguard.com/wgrd-security-hub/secplicity-blog/grandoreiro-malware-campaign-targets-europe-and-latin-america
  • ESET WeLiveSecurity: https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/
  • The Hacker News: https://thehackernews.com/2026/05/grandoreiro-malware-and-btmob-rat.html