Emerging Cyber Threats: Grandoreiro and BTMOB Malware Campaigns Target Windows and Android Users
Recent cybersecurity analyses have unveiled two sophisticated malware campaigns targeting users across Latin America and Europe. The Grandoreiro banking trojan is compromising Windows systems, while the BTMOB remote access trojan (RAT) is infiltrating Android devices.
Grandoreiro’s Persistent Threat
Active since 2016, Grandoreiro is a banking malware designed to steal credentials from thousands of financial institutions across 45 countries. Typically disseminated through phishing emails, it prompts recipients to click on malicious links, leading to infection. Despite law enforcement efforts, including arrests and infrastructure dismantling by Brazilian authorities in early 2024, Grandoreiro has not only persisted but expanded its reach. Notably, it has incorporated CAPTCHA checks to evade automated analysis.
In its latest campaign, Grandoreiro employs DLL side-loading, a technique that exploits legitimate software to execute malicious code. Researchers at WatchGuard identified the malware abusing four different software applications to target banks in Portugal. The malicious DLLs, developed in Delphi 11—a language prevalent in regional malware—utilize the sgcWebSockets library for peer-to-peer (P2P) and WebRTC communications. This approach leverages the Session Traversal Utilities for NAT (STUN) protocol, enabling devices behind NAT to discover their public IP addresses and facilitate P2P communication. By embedding malicious traffic within legitimate web conferencing data, Grandoreiro becomes more challenging to detect.
Additionally, other DLLs in the campaign employ the Interactive Connectivity Establishment (ICE) protocol to achieve similar objectives. These files specifically reference Portuguese financial institutions, including Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, and Santander, as well as fintech companies like Revolut and Wise.
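The STUN detail above is worth turning into a concrete detection point: every STUN message carries a fixed 20-byte header with the magic cookie 0x2112A442, and a Binding success response returns the client's public address in an XOR-MAPPED-ADDRESS attribute, so STUN traffic is easy to recognize on the wire, and the interesting question for a defender is which process is sending it. The following Python is an added example, not code from the campaign, from WatchGuard or from the sgcWebSockets library. It parses STUN headers and attributes per RFC 5389, decodes the reported public address, and flags Binding traffic attributed to a process that is not on an allow-list of known WebRTC applications. The allow-list, the process-to-flow attribution (assumed to come from an EDR or endpoint netflow source) and the sample packets are all constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass

STUN_MAGIC_COOKIE = 0x2112A442   # fixed value in every RFC 5389 STUN header
STUN_HEADER_LEN = 20
ATTR_XOR_MAPPED_ADDRESS = 0x0020
METHOD_BINDING = 0x001
# Hypothetical allow-list of processes expected to speak STUN/WebRTC on the
# monitored hosts; a real deployment would build this from its software inventory.
WEBRTC_ALLOWLIST = {"teams.exe", "zoom.exe", "chrome.exe", "msedge.exe"}


@dataclass
class StunMessage:
    msg_class: str
    method: int
    transaction_id: bytes
    attributes: list


def stun_class(msg_type: int) -> str:
    # class bits C0 (bit 4) and C1 (bit 8) are interleaved with the method bits
    c = ((msg_type >> 4) & 1) | (((msg_type >> 8) & 1) << 1)
    return ("request", "indication", "success-response", "error-response")[c]


def stun_method(msg_type: int) -> int:
    # method bits M0-M3, M4-M6 and M7-M11 sit around the two class bits
    return (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)


def parse_attributes(body: bytes) -> list:
    attrs, off = [], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            break                      # truncated attribute, stop parsing
        attrs.append((atype, value))
        off += 4 + alen + (-alen % 4)  # values are padded to 4-byte boundaries
    return attrs


def parse_stun(payload: bytes):
    """Return a StunMessage if payload is a well-formed STUN message, else None."""
    if len(payload) < STUN_HEADER_LEN:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # top two bits must be zero, the cookie must match, and the length must be exact
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE or len(payload) != STUN_HEADER_LEN + length:
        return None
    return StunMessage(stun_class(msg_type), stun_method(msg_type),
                       payload[8:20], parse_attributes(payload[20:]))


def xor_mapped_address(msg: StunMessage):
    """Decode the public IPv4 address and port a STUN server reports to the client."""
    for atype, value in msg.attributes:
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            addr = socket.inet_ntoa(struct.pack("!I", xaddr ^ STUN_MAGIC_COOKIE))
            return addr, xport ^ (STUN_MAGIC_COOKIE >> 16)
    return None


def triage(flows: list) -> list:
    """Flag STUN Binding traffic attributed to a process outside the allow-list."""
    alerts = []
    for f in flows:
        msg = parse_stun(f["payload"])
        if msg is None or msg.method != METHOD_BINDING or f["process"].lower() in WEBRTC_ALLOWLIST:
            continue
        alerts.append({"process": f["process"], "peer": f["peer"],
                       "class": msg.msg_class, "public_address": xor_mapped_address(msg)})
    return alerts


# --- constructed sample traffic; not captured from any real campaign ---
TXN_ID = bytes(range(12))


def build_binding_request() -> bytes:
    return struct.pack("!HHI12s", 0x0001, 0, STUN_MAGIC_COOKIE, TXN_ID)


def build_binding_response(public_ip: str, port: int) -> bytes:
    xaddr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ STUN_MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (STUN_MAGIC_COOKIE >> 16), xaddr)
    return struct.pack("!HHI12s", 0x0101, len(attr), STUN_MAGIC_COOKIE, TXN_ID) + attr


SAMPLE_FLOWS = [
    {"process": "Teams.exe", "peer": "198.51.100.10:3478", "payload": build_binding_request()},
    {"process": "updater.exe", "peer": "198.51.100.20:3478", "payload": build_binding_request()},
    {"process": "updater.exe", "peer": "198.51.100.20:3478",
     "payload": build_binding_response("203.0.113.7", 51000)},
    {"process": "svchost.exe", "peer": "192.0.2.53:53", "payload": b"\x12\x34\x01\x00" + bytes(16)},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```

Only the two messages from the constructed "updater.exe" process are reported; the conferencing client is allowed and the DNS-like packet fails the header check. Because side-loaded code runs inside a legitimate host process, the allow-list should be as narrow as the environment permits, and an allowed process reaching a STUN server that is not one its vendor documents deserves the same scrutiny.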
Another observed tactic involves phishing emails delivering a ZIP archive hosted on Mediafire. This archive contains an obfuscated Visual Basic Script that, when executed, displays a prompt urging users to update Adobe Reader. Clicking the embedded button initiates a series of anti-analysis checks before deploying the final payload to harvest banking information and sensitive data. These methods align with previous Grandoreiro campaigns, underscoring the malware’s adaptability and resilience.
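The DLL side-loading described above relies on a legitimate, usually signed, executable importing a DLL by name and the loader finding an attacker-supplied copy first, typically in the executable's own directory. That gives endpoint telemetry two clean signals: a DLL carrying a System32 name loaded from somewhere else, and a DLL beside a signed executable in a user-writable location that is unsigned or signed by a different publisher. The Python below is an added example, not code from WatchGuard or from any of the reports the article summarizes. It scores image-load records using the Sysmon Event ID 7 field names (Image, ImageLoaded, Signed, Signature); the ImageSigner field, the directory and DLL-name lists and the four sample events are constructed for the example.

```python
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations an unprivileged user can write to (a trimmed, hypothetical list).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Names of DLLs that ship in System32 and that applications commonly import; a
# copy of one of these appearing next to an executable is the classic side-load
# pattern. Small constructed subset; production rules would carry a fuller list.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}


def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _under(path: str, prefixes: tuple) -> bool:
    return path.lower().startswith(prefixes)


def assess(evt: dict) -> list:
    """Return the reasons an image-load event looks like DLL side-loading (empty list = none).

    evt uses the Sysmon Event ID 7 field names Image, ImageLoaded, Signed and
    Signature; ImageSigner (the host executable's publisher) is an extra field
    assumed to be enriched from a separate lookup for this example.
    """
    reasons = []
    image, dll = evt["Image"], evt["ImageLoaded"]
    dll_name = PureWindowsPath(dll).name.lower()
    dll_signed = evt["Signed"].lower() == "true"
    host_signed = bool(evt["ImageSigner"])
    side_by_side = _parent_dir(image) == _parent_dir(dll)

    # 1. A DLL carrying a System32 name but loaded from elsewhere.
    if dll_name in SYSTEM_DLL_NAMES and not _under(dll, SYSTEM_DIRS):
        reasons.append(f"{dll_name} loaded from non-system path {dll}")

    # 2. A DLL sitting beside a signed executable in a user-writable directory,
    #    either unsigned or signed by someone other than the host's publisher.
    if side_by_side and _under(dll, USER_WRITABLE) and host_signed:
        if not dll_signed:
            reasons.append("unsigned DLL beside signed executable in user-writable directory")
        elif evt["Signature"] != evt["ImageSigner"]:
            reasons.append(f"DLL signer '{evt['Signature']}' differs from host signer '{evt['ImageSigner']}'")
    return reasons


def flagged(events: list) -> list:
    """(ImageLoaded, reasons) for every event that triggered at least one rule."""
    return [(e["ImageLoaded"], r) for e in events if (r := assess(e))]


# Constructed sample events (publisher names and paths are invented).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageSigner": "Vendor Inc",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\pkg\viewer.exe", "ImageSigner": "Vendor Inc",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\pkg\version.dll", "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageSigner": "Vendor Inc",
     "ImageLoaded": r"C:\Program Files\Vendor\plugins\codec.dll", "Signed": "true", "Signature": "Vendor Inc"},
    {"Image": r"C:\Users\bob\Downloads\setup.exe", "ImageSigner": "Vendor Inc",
     "ImageLoaded": r"C:\Users\bob\Downloads\netcomm.dll", "Signed": "true", "Signature": "Unknown Publisher LLC"},
]

if __name__ == "__main__":
    for dll, reasons in flagged(SAMPLE_EVENTS):
        print(dll, "->", "; ".join(reasons))
```

The first and third events (a system DLL from System32, and a vendor plugin signed by the same publisher as its host) produce no findings; the second trips both rules and the fourth trips the signer mismatch. Rule 2 is the one that survives renaming, since it does not depend on the DLL's name at all, only on where it sits and who signed it.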
BTMOB: A New Android Threat
Concurrently, ESET researchers have identified BTMOB, an Android RAT that emerged in February 2025. BTMOB possesses capabilities to unlock devices, capture screenshots, log keystrokes, and automate credential theft through HTML injections when specific apps are opened. A subsequent version introduced the ability to capture Alipay PINs, indicating a focus on financial data theft.
BTMOB is distributed with an APK builder interface that lets operators rapidly generate new payloads and tailor phishing lures to specific regions without any coding skills. This accessibility lowers the barrier to full device compromise. The primary distribution method relies on social engineering, directing users to fraudulent websites masquerading as streaming services or cryptocurrency mining platforms. From these sites, victims are led to fake Google Play Store listings that trick them into installing malicious APK files. Once installed, the malware requests permission to use Android’s accessibility services and then uses that access to grant itself additional system permissions without further user interaction.
BTMOB is considered the successor to malware families like CraxsRAT, CypherRAT, and SpySolr. As of May 2026, its latest version, 4.5.5, boasts enhanced APK protection and compatibility with recent Google Play updates. The malware is marketed by a threat actor known as EVLF (@craxso) for $700 per month, with a lifetime license priced at $1,200. The complete server source code is available for $7,000, enabling customers to host command-and-control (C2) panels on their infrastructure.
The malware-as-a-service (MaaS) model employed by BTMOB increases the risk of widespread abuse, as it allows less sophisticated threat actors to deploy advanced malware. Reports indicate that leaked versions are circulating on underground forums and Telegram channels, further amplifying the potential for misuse. Italian cybersecurity firm D3Lab analyzed the leaked BTMOB RAT development toolkit in December 2025, revealing it includes the Android payload source code, its dropper, a builder environment, the operator panel for Windows, the C2 backend, and all necessary software dependencies. This comprehensive toolkit underscores the threat actor’s role as a service provider, enforcing licensing, authentication, and version control over their customers.
Implications and Recommendations
The resurgence and evolution of Grandoreiro and the emergence of BTMOB highlight the dynamic nature of cyber threats targeting financial institutions and users. These campaigns demonstrate the adaptability of threat actors, who continually refine their methods to evade detection and exploit new vulnerabilities.
To mitigate these threats, individuals and organizations should adopt comprehensive cybersecurity measures:
– Vigilance Against Phishing: Exercise caution with unsolicited emails, especially those urging immediate action or containing unexpected attachments or links.
– Software Updates: Regularly update operating systems and applications to patch known vulnerabilities.
– Security Software: Utilize reputable antivirus and anti-malware solutions to detect and prevent infections.
– Access Controls: Limit the use of administrative privileges and implement the principle of least privilege to reduce the impact of potential breaches.
– User Education: Conduct regular training sessions to educate users about recognizing and responding to social engineering attacks.
By staying informed and implementing robust security practices, users and organizations can better defend against the evolving landscape of cyber threats posed by malware like Grandoreiro and BTMOB.