[TIMESTAMP: 2026-05-27 17:11 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Grandoreiro and BTMOB RAT Campaigns Target Windows and Android Users

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Financial institutions and mobile users are facing coordinated malware campaigns across Latin America and Europe targeting sensitive banking credentials.
  • [02] The campaigns utilize the Grandoreiro banking trojan on Windows systems and the BTMOB Remote Access Trojan on Android devices.
  • [03] Defenders should implement hardware-based multi-factor authentication and monitor for suspicious overlay activity on mobile and desktop endpoints.

Overview of Grandoreiro and BTMOB Campaigns

Recent threat intelligence reports have identified a surge in coordinated financial phishing campaigns targeting users across Europe and Latin America. According to The Hacker News, security researchers at WatchGuard and ESET have tracked two distinct malware families—Grandoreiro and BTMOB—designed to compromise Windows and Android environments, respectively. These campaigns primarily single out corporate entities in Spain, Portugal, and Mexico, while simultaneously targeting mobile banking users in Brazil.

These activities underscore the persistence of regional TTP variations, where malware authors customize their lures and delivery mechanisms to bypass local security controls and exploit regional financial infrastructure. The simultaneous deployment of desktop and mobile threats suggests a holistic approach by threat actors to circumvent multi-factor authentication (MFA) by compromising both the primary workstation and the secondary authentication device.

Technical Analysis: Grandoreiro Windows Banking Trojan

Grandoreiro remains one of the most prolific modular banking trojans in the Latin American market. The malware is typically delivered via malicious email attachments or links that lead to the download of a ZIP archive containing a heavily obfuscated loader. Once executed, the loader communicates with its C2 infrastructure to fetch the main payload.

Grandoreiro banking trojan detection and mitigation

Detecting Grandoreiro requires a focus on its distinctive behavior, such as its use of large, padded binaries to evade automated sandbox analysis. The malware frequently employs window overlays that mimic legitimate banking portals to harvest credentials in real time. Analysts monitoring for IoCs should look for unauthorized attempts to interact with web browsers or the creation of unusual registry keys for persistence. Effective mitigation involves deploying EDR solutions that can identify behavioral anomalies, such as unexpected API calls associated with screen scraping or keyboard logging. Organizations should also enforce Zero Trust principles, ensuring that even internal communications are scrutinized for signs of lateral movement or unauthorized data exfiltration.

Technical Analysis: BTMOB Android RAT

While Grandoreiro dominates the Windows landscape, the BTMOB Remote Access Trojan (RAT) has emerged as a significant threat to Android users, particularly in Brazil. BTMOB is often distributed through deceptive websites masquerading as legitimate utility or security applications.

Android BTMOB RAT technical analysis

From a technical standpoint, BTMOB leverages Android’s Accessibility Services to gain extensive control over the infected device. This allows the malware to read screen content, intercept SMS messages, and interact with other applications without user intervention. By capturing SMS-based one-time passwords (OTPs), BTMOB enables attackers to finalize fraudulent transactions initiated via the desktop-based Grandoreiro infection. Security teams should map these behaviors against the MITRE ATT&CK framework, specifically focusing on mobile-centric techniques like input injection and credential theft via overlays.

Impact on Spanish and Mexican banking malware campaigns

These Spanish and Mexican banking malware campaigns represent a strategic shift toward more persistent, cross-platform targeting. By focusing on these specific demographics, attackers can leverage linguistic nuances and familiar branding to increase the success rate of their social engineering efforts. The SOC must prioritize the ingestion of regional threat feeds into its SIEM to stay ahead of the rapid iterations observed in these campaigns. Because these threats often bypass traditional signature-based defenses, a proactive hunting strategy is necessary to identify signs of initial access before the full banking payload is deployed.

Actionable Recommendations

  • Enhance Endpoint Protection: Ensure that EDR and mobile threat defense (MTD) solutions are configured to block unauthorized use of Accessibility Services on Android and detect overlay window creation on Windows.
  • Email Security: Implement advanced filtering to scan for the specific zip-based delivery methods used in Grandoreiro campaigns, paying close attention to lures related to tax documents or legal notices.
  • User Training: Conduct targeted awareness sessions for employees in high-risk regions (Spain, Mexico, Portugal, Brazil) regarding the risks of side-loading applications or clicking links in unsolicited emails.
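As an added example (not code from this page or from the WatchGuard, ESET or The Hacker News reporting it summarizes), the attachment check below ties the detection paragraph's note about large, padded binaries to the email-filtering recommendation: it scans a ZIP attachment for executable members that are both oversized and end in a long run of filler bytes. The size threshold, suffix list and padding ratio are assumed values chosen for illustration, and the sample archive is constructed inline.

```python
import io
import zipfile
from collections import Counter

# Thresholds are assumptions for this example, not figures from the reports.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".msi")
TAIL_SAMPLE = 1 << 20   # bytes examined at the end of each binary
PAD_RATIO = 0.95        # share of one byte value that counts as filler

def tail_bytes(zf, info, n=TAIL_SAMPLE):
    """Stream a ZIP member and keep only its last n bytes (bounded memory)."""
    tail = b""
    with zf.open(info) as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            tail = (tail + chunk)[-n:]
    return tail

def padding_ratio(data):
    """Fraction of data taken by its single most common byte value."""
    if not data:
        return 0.0
    return Counter(data).most_common(1)[0][1] / len(data)

def inspect_zip(blob, size_threshold):
    """Return (name, declared size, tail padding ratio) for each executable
    member that is oversized and ends in a long run of filler bytes."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(EXEC_SUFFIXES):
                continue
            # Declared size comes from the central directory: nothing is
            # decompressed until a member is already over the threshold.
            if info.file_size <= size_threshold:
                continue
            ratio = padding_ratio(tail_bytes(zf, info))
            if ratio >= PAD_RATIO:
                flagged.append((info.filename, info.file_size, round(ratio, 3)))
    return flagged

def build_sample_zip():
    """Constructed attachment (not a real sample): one padded 'invoice'
    binary, one ordinary DLL and a text file."""
    varied = bytes(range(256)) * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Factura_2026.exe", b"MZ" + varied + b"\x00" * 400_000)
        zf.writestr("helper.dll", b"MZ" + varied)
        zf.writestr("leame.txt", b"Adjunto la factura.\n")
    return buf.getvalue()
```

With a 100,000-byte threshold, `inspect_zip(build_sample_zip(), 100_000)` flags only `Factura_2026.exe`; a gateway would route such a hit to manual or sandbox review rather than block on size alone.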
