
Latin America and Europe have been targeted by two banking Trojan campaigns aimed at infecting Windows and Android devices with Grandoreiro and BTMOB malware, respectively.
This is according to new research published by WatchGuard and ESET, which observed the two malware families being used to target companies in Spain, Portugal, and Mexico, as well as mobile users in Brazil.
WatchGuard researcher Euler Neto said the Grandoreiro campaign “targets Portuguese banks using a DLL sideloading technique that exploits four different pieces of software.”
Grandoreiro is an actively evolving banking malware that has been active since 2016 and is capable of stealing credentials associated with thousands of financial institutions across 45 countries and territories. It is usually distributed through phishing emails that instruct recipients to click a link.
Despite several arrests and attempts by Brazilian authorities to dismantle the infrastructure in early 2024, the malware continues to expand its targeting while incorporating CAPTCHA checks to thwart analysis.
The latest campaign reported by WatchGuard was found to utilize DLL sideloading to launch DLLs developed in Delphi 11, a programming language commonly used for malware targeting this region. Two of the DLLs (mingwm10.dll and libwebp.dll) were found to include sgcWebSockets, a WebSocket and real-time communications library for peer-to-peer (P2P) and WebRTC communications.
“The DLLs involved in this case use the Session Traversal Utilities for NAT (STUN) protocol, which allows devices behind a NAT to discover public IP addresses and port numbers and enable peer-to-peer communication,” WatchGuard explained.
“The advantage of attackers using web conferencing traffic in their campaigns is that this traffic is noisy and difficult to monitor, and WebRTC is commonly used by all major web conferencing platforms.”
Two other DLLs associated with this campaign are libffi-6.dll and libpng15.dll. They use the Interactive Connectivity Establishment (ICE) protocol instead of STUN to accomplish the same purpose. These files specifically reference banks and financial institutions operating in Portugal, such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, and Santander. Revolut and Wise are also targeted.
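The STUN messages described above have a fixed, easily recognised header (RFC 5389: type with the top two bits clear, a 0x2112A442 magic cookie, and a 12-byte transaction ID), so a defender can pick them out of UDP payloads and attribute them to the process that sent them rather than assuming every STUN flow belongs to a conferencing client. The parser below is an added example, not code from WatchGuard or ESET; the Binding Response it decodes is a constructed sample.

```python
import struct
from dataclasses import dataclass, field
STUN_MAGIC_COOKIE = 0x2112A442  # fixed value in every RFC 5389 STUN header
BINDING_RESPONSE = 0x0101       # Binding Request is 0x0001
XOR_MAPPED_ADDRESS = 0x0020

@dataclass
class StunMessage:
    msg_type: int
    transaction_id: bytes
    attributes: dict = field(default_factory=dict)

def parse_stun(packet: bytes):
    """Return a StunMessage if packet is a well-formed STUN message, else None."""
    if len(packet) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", packet[:8])
    # STUN: top two type bits are zero, magic cookie matches, length covers the body
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE or len(packet) != 20 + length:
        return None
    msg, pos = StunMessage(msg_type, packet[8:20]), 20
    while pos + 4 <= len(packet):
        atype, alen = struct.unpack("!HH", packet[pos:pos + 4])
        value = packet[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            return None  # truncated attribute
        msg.attributes[atype] = value
        pos += 4 + alen + (-alen % 4)  # attribute values are padded to 4 bytes
    return msg

def decode_xor_mapped_address(value: bytes):
    """Undo the XOR in an IPv4 XOR-MAPPED-ADDRESS value; returns (ip, port)."""
    if value[1] != 0x01:
        raise ValueError("only IPv4 is handled in this example")
    port = struct.unpack("!H", value[2:4])[0] ^ (STUN_MAGIC_COOKIE >> 16)
    raw = struct.unpack("!I", value[4:8])[0] ^ STUN_MAGIC_COOKIE
    return ".".join(str((raw >> s) & 0xFF) for s in (24, 16, 8, 0)), port

def public_endpoint(packet: bytes):
    """The reflexive (public) ip/port a STUN Binding Response reveals, or None."""
    msg = parse_stun(packet)
    if msg is None or XOR_MAPPED_ADDRESS not in msg.attributes:
        return None
    return decode_xor_mapped_address(msg.attributes[XOR_MAPPED_ADDRESS])

# Constructed sample: Binding Response advertising 203.0.113.5:54321 (values pre-XORed)
SAMPLE_RESPONSE = (struct.pack("!HHI", BINDING_RESPONSE, 12, STUN_MAGIC_COOKIE)
                   + bytes(range(12)) + struct.pack("!HH", XOR_MAPPED_ADDRESS, 8)
                   + bytes([0x00, 0x01, 0xF5, 0x23, 0xEA, 0x12, 0xD5, 0x47]))
```

Feeding captured UDP payloads through `parse_stun` and joining the hits with the owning process (for example via endpoint telemetry) makes a STUN exchange from a sideloaded DLL stand out from the same traffic produced by a real conferencing application.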

WatchGuard also said it has identified another campaign in which phishing emails are used to deliver ZIP archives hosted on Mediafire. The archive contains an obfuscated Visual Basic script that launches an executable, which then prompts the user to update Adobe Reader by clicking a button embedded in the alert.
This triggers a series of checks aimed at evading detection and complicating malware analysis before launching the final payload to steal banking information and sensitive data. Some of the tactics overlap with the previous Grandoreiro campaign detailed by Kaspersky in October 2024.
“The bigger story here is not just that Grandoreiro is still active,” WatchGuard said. “That means financially motivated threat groups continue to adapt quickly, reuse legitimate services, and hide within traffic patterns that many organizations may already trust.”
“These campaigns demonstrate how the combination of phishing, DLL sideloading, WebRTC-related components, cloud service exploitation, and anti-analysis checks makes it difficult to detect banking malware using surface-level defenses alone.”
BTMOB offers ready-made campaign tools
The disclosure coincides with ESET’s report on BTMOB, an Android remote access Trojan (RAT) that first appeared in February 2025. BTMOB has features such as unlocking the device, capturing screenshots, logging keystrokes, automating credential theft through HTML injection when certain apps are opened, and enabling remote control. Later iterations introduced the ability to obtain an Alipay PIN.
“The RAT also comes with an APK builder interface, allowing anyone to generate new payloads and quickly adapt phishing lures to specific regions without writing any code,” said ESET researcher Daniel Cunha Barbosa.
These ready-made tools further reduce the time and effort required to compromise an entire device. The main way the malware spreads is through social engineering, where users are sent links to fake websites that pretend to be streaming services or cryptocurrency mining platforms.
These sites redirect victims to a list of fake Google Play Store apps and persuade them to install Android package (APK) files containing malware. Once installed, the malware asks for permission to use Android accessibility services and uses them to grant itself additional system access without user interaction.
BTMOB is considered a successor to the CraxsRAT, CypherRAT, and SpySolr families. As of May 2026, the latest version of this malware is 4.5.5, which claims to offer enhanced APK protection and compatibility with the latest Google Play updates.
The X profile allegedly linked to the malware posted on May 1, 2026 states, “This update is all about speed and stability. We’ve expanded our infrastructure and improved our builder to help you stay ahead of the latest mobile security patches.”
This Trojan is being advertised by a threat actor named EVLF (@craxso) for a monthly fee of $700. According to a YouTube video shared by the malware author on May 1, 2026, a perpetual license is worth $1,200. Complete server source code is available for $7,000 and allows customers to host a command and control (C2) panel on their own infrastructure.
Just this week, the X profile also shared a link to a Medium article about “How BTMOB RAT turns Android phones into remote-controlled weapons,” which has been “rapidly evolving” since early 2025.
“They hack into phishing sites, use accessibility services, and turn your phone into a puppet,” the article says. “Hackers monitor your screen live. They steal your banking details. They can even mine cryptocurrencies in the background while you scroll through Instagram.”
Interestingly, this article was published by an account named “CraxsRAT Main Developer”. The account’s bio describes them as “skilled and resourceful cybercriminals who have built a profitable cybercrime enterprise by selling advanced RAT malware to other threat actors.”
The fact that BTMOB is sold under a malware-as-a-service (MaaS) model risks lowering the barrier to entry for less sophisticated attackers. This is further exacerbated by reports that leaked versions are already circulating on underground forums and Telegram, increasing the risk of misuse by copycats and other would-be criminals.
“Access is unlikely to be permanently locked down, and the tool may find its way onto the secondary market through resale, bartering, or sharing within closed groups,” ESET said. “Competing malware families can also copy several elements that make payload customization and campaign management easier for less skilled criminals.”
In an analysis of the leaked BTMOB RAT development toolkit published in December 2025, Italian cybersecurity firm D3Lab said it included the source code of the Android payload, its dropper, builder environment, operator panel for Windows, C2 backend, and all software dependencies needed to deploy the platform.
“The BTMOB leak provides a rare perspective into the inner workings of the modern Android RAT-as-a-Service ecosystem,” D3Lab noted at the time. “This shows that threat actors are operating not just as developers selling toolkits, but as service providers enforcing licensing, certification, and version control on their customers.”
