In a recent development, two distinct malware campaigns have drawn attention for targeting Windows and Android platforms. These campaigns, identified as Grandoreiro and BTMOB, are specifically aimed at banking institutions and individual users in Latin America and Europe.
Grandoreiro Malware Campaign
WatchGuard and ESET have reported that the Grandoreiro banking trojan is currently targeting financial entities in Spain, Portugal, and Mexico. This malware has been operational since 2016 and continues to evolve, posing a significant threat through phishing emails that lure recipients into clicking malicious links.
Despite efforts to dismantle its infrastructure, Grandoreiro has expanded its reach, employing CAPTCHA checks to evade detection. The campaign leverages DLL side-loading, using libraries such as mingwm10.dll and libwebp.dll that incorporate WebRTC communication for peer-to-peer data exchange. This technique complicates monitoring and analysis because the malicious traffic blends into the high volume of ordinary web-conferencing traffic.
Additional libraries, such as libffi-6.dll and libpng15.dll, use ICE (Interactive Connectivity Establishment, the NAT-traversal protocol that WebRTC relies on) to achieve the same goal, targeting banks such as Abanca and Santander in Portugal. The campaign's sophistication underscores the persistent threat posed by financially motivated cybercriminals.
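As an added illustration, not part of the reports above, the check below shows how a defender could triage for this side-loading pattern: it scans constructed Sysmon-style image-load records for the four DLL names mentioned, flagging those loaded from outside the usual install locations and sitting in the same directory as their host executable. The log layout, the sample paths and the Signed field are assumptions; these DLLs also ship with legitimate MinGW- and libpng-based software, so a hit is a lead for analysis, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# DLL names the reports associate with Grandoreiro's side-loading
WATCHED_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Locations where a legitimately installed copy would normally live
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed Sysmon Event ID 7 (ImageLoaded) style lines, not real telemetry
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\ImageTool\\viewer.exe ImageLoaded=C:\\Program Files\\ImageTool\\libpng15.dll Signed=true",
    "Image=C:\\Users\\ana\\AppData\\Local\\Temp\\Fatura\\update.exe ImageLoaded=C:\\Users\\ana\\AppData\\Local\\Temp\\Fatura\\mingwm10.dll Signed=false",
    "Image=C:\\Users\\ana\\Downloads\\doc.exe ImageLoaded=C:\\Users\\ana\\Downloads\\libwebp.dll Signed=false",
    "Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\ntdll.dll Signed=true",
]

# key=value pairs; values may contain spaces, so stop before the next "key="
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))

def is_sideload_candidate(event):
    """True when a watched DLL is loaded from an untrusted path next to its host process."""
    dll = PureWindowsPath(event["ImageLoaded"])
    exe = PureWindowsPath(event["Image"])
    if dll.name.lower() not in WATCHED_DLLS:
        return False
    dll_dir = str(dll.parent).lower() + "\\"
    if dll_dir.startswith(TRUSTED_PREFIXES):
        return False  # shipped with an installed product; low priority
    # Classic side-loading shape: DLL and host executable share a user-writable directory
    return dll.parent == exe.parent

def find_candidates(lines):
    """Return (process, dll) pairs worth a closer look."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_sideload_candidate(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits

if __name__ == "__main__":
    for image, dll in find_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {image} loaded {dll}")
```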
BTMOB RAT: A New Threat on Android
Alongside the Grandoreiro campaign, ESET has highlighted the emergence of BTMOB, a remote access trojan targeting Android devices. First detected in February 2025, this malware allows attackers to unlock devices, capture sensitive information, and exert remote control, all facilitated through social engineering tactics.
BTMOB spreads through fake websites that pose as legitimate Google Play Store app listings. Once installed, it abuses Android's accessibility services to gain further control over the device, making it a formidable tool in the hands of cybercriminals. The malware is sold as a service, lowering the entry barrier for less skilled attackers.
Implications and Future Outlook
The continued activity of these malware campaigns highlights the adaptability of threat actors who exploit legitimate services and disguise malicious activities within trusted traffic patterns. The availability of ready-made tools like BTMOB further democratizes cybercrime, making sophisticated attacks accessible to a broader range of perpetrators.
As these campaigns evolve, it is crucial for individuals and organizations to remain vigilant, implementing robust security measures and staying informed about emerging threats. Cybersecurity experts emphasize the importance of comprehensive defenses that go beyond surface-level monitoring to detect and mitigate these sophisticated attacks.
