Two separate banking-malware campaigns are once again putting Windows and Android users at risk across Europe and Latin America. According to fresh reporting from The Hacker News, drawing on findings from security firms WatchGuard and ESET, the Windows banking trojan Grandoreiro and the Android remote access trojan BTMOB RAT are both being used to target companies in Spain, Portugal, and Mexico, along with mobile users in Brazil.
If you bank online or install apps outside the official Play Store, this one is worth understanding. Below I break down what each piece of malware actually does, how the new campaigns work, and the practical steps you can take to stay protected.
What Grandoreiro Is and Why It Keeps Coming Back
Grandoreiro is a banking trojan that has been active since 2016. It is built to steal credentials for online banking, and the latest variants can target customers of thousands of financial institutions across more than 45 countries. It usually arrives through phishing emails that push the recipient to click a malicious link.
What makes it notable is its persistence. Despite arrests and an attempt by Brazilian authorities to dismantle its infrastructure in early 2024, the operation kept running and kept widening its list of targets. Newer versions also added CAPTCHA checks specifically to make it harder for security researchers to analyze the malware in automated environments.

How the New Grandoreiro Campaign Works
The campaign WatchGuard flagged uses a technique called DLL side-loading: a legitimate, usually signed, executable is shipped alongside a malicious DLL that carries the name of a library the program expects to load, so the program picks up the attacker's code from its own directory and runs it under a trusted process name. WatchGuard researcher Euler Neto noted that this particular campaign abuses four different legitimate applications and is aimed at banks in Portugal.
The malicious DLLs are written in Delphi 11, a language that has long been popular with malware authors targeting the region. The more interesting twist is in how the malware communicates. Two of the DLLs bundle a WebSocket and real-time communication library to enable peer-to-peer and WebRTC connections, using the STUN protocol, the same NAT-traversal plumbing that powers ordinary video-conferencing apps. Two other DLLs use ICE, the connectivity-negotiation framework built on top of STUN and TURN, to achieve a similar result.
The reason attackers like this approach is simple: web-conferencing traffic is everywhere, it is noisy, and it is hard for defenders to monitor. By hiding inside traffic patterns that most organizations already trust, the malware blends in. The practical consequence for defenders is that the protocol itself is a weak signal; what matters is which process is emitting STUN or WebRTC traffic and whether that process has any business doing so. Some of the malicious DLLs directly reference banks operating in Portugal such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, and Santander, as well as the fintech services Revolut and Wise.
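To make the "hides inside WebRTC traffic" point concrete, here is an added example of what that traffic looks like on the wire and where the detection signal actually is. It is not WatchGuard's code or anything from the campaign: it parses the STUN header defined in RFC 5389 (fixed magic cookie, 20-byte header, 4-byte-aligned attributes), decodes the XOR-MAPPED-ADDRESS attribute a STUN server returns, and flags STUN messages tied to processes that are not on a conferencing allowlist. The process names, addresses and datagrams are constructed for the example, and the allowlist is an assumption to be tuned per environment.

```python
import socket
import struct
from dataclasses import dataclass

# RFC 5389 constants. The magic cookie is fixed in every STUN message, which makes
# STUN easy to recognise even though the traffic is "normal" for conferencing apps.
STUN_MAGIC_COOKIE = 0x2112A442
STUN_BINDING_REQUEST = 0x0001
STUN_BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
STUN_TYPE_NAMES = {0x0001: "Binding Request", 0x0101: "Binding Success", 0x0111: "Binding Error"}

# Assumption: processes expected to speak STUN/WebRTC in this estate. Tune per environment.
ALLOWED_WEBRTC_PROCESSES = {"teams.exe", "zoom.exe", "chrome.exe", "msedge.exe", "firefox.exe", "slack.exe"}


@dataclass
class StunHeader:
    msg_type: int
    length: int            # length of the attribute section, excludes the 20-byte header
    transaction_id: bytes


def parse_stun_header(payload: bytes):
    """Return a StunHeader if payload is a well-formed STUN message, else None."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    if msg_type & 0xC000:            # top two bits of a STUN message type are always zero
        return None
    if cookie != STUN_MAGIC_COOKIE:  # fixed value in every RFC 5389+ STUN message
        return None
    if length % 4 or len(payload) < 20 + length:
        return None
    return StunHeader(msg_type, length, payload[8:20])


def decode_xor_mapped_address(payload: bytes):
    """Walk the attributes and decode an IPv4 XOR-MAPPED-ADDRESS (the reflexive address
    a STUN server reports back). Returns (ip, port) or None."""
    hdr = parse_stun_header(payload)
    if hdr is None:
        return None
    off, end = 20, 20 + hdr.length
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + alen]
        if atype == ATTR_XOR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:
            _, _, xport, xaddr = struct.unpack("!BBHI", value)
            port = xport ^ (STUN_MAGIC_COOKIE >> 16)       # port is XORed with the top 16 cookie bits
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ STUN_MAGIC_COOKIE))  # address with the whole cookie
            return ip, port
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to a 4-byte boundary
    return None


def build_stun(msg_type: int, attrs: bytes = b"") -> bytes:
    """Build a STUN message with a fixed transaction ID (test data only)."""
    return struct.pack("!HHI", msg_type, len(attrs), STUN_MAGIC_COOKIE) + b"\x11" * 12 + attrs


def build_xor_mapped_address(ip: str, port: int) -> bytes:
    xport = port ^ (STUN_MAGIC_COOKIE >> 16)
    xaddr = int.from_bytes(socket.inet_aton(ip), "big") ^ STUN_MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def flag_suspicious_stun(flows):
    """Flag STUN messages tied to processes that have no business doing WebRTC.
    Each flow is {"process": image name, "remote": "ip:port", "payload": one UDP datagram}."""
    hits = []
    for flow in flows:
        hdr = parse_stun_header(flow["payload"])
        if hdr is None or flow["process"].lower() in ALLOWED_WEBRTC_PROCESSES:
            continue
        hits.append((flow["process"], flow["remote"], STUN_TYPE_NAMES.get(hdr.msg_type, hex(hdr.msg_type))))
    return hits


# Constructed sample flows: process name, peer addresses and datagrams are invented for this example.
SAMPLE_FLOWS = [
    {"process": "teams.exe", "remote": "52.112.0.1:3478", "payload": build_stun(STUN_BINDING_REQUEST)},
    {"process": "legit_host.exe", "remote": "203.0.113.10:3478", "payload": build_stun(STUN_BINDING_REQUEST)},
    {"process": "legit_host.exe", "remote": "203.0.113.10:3478",
     "payload": build_stun(STUN_BINDING_SUCCESS, build_xor_mapped_address("198.51.100.7", 54321))},
    # same process doing plain DNS: right length, wrong cookie, must not be flagged
    {"process": "legit_host.exe", "remote": "203.0.113.53:53",
     "payload": b"\x00\x01\x00\x00\xde\xad\xbe\xef" + b"\x00" * 12},
]

if __name__ == "__main__":
    for hit in flag_suspicious_stun(SAMPLE_FLOWS):
        print("STUN from unexpected process:", hit)
    print("reflexive address:", decode_xor_mapped_address(SAMPLE_FLOWS[2]["payload"]))
```

The point the output makes is that the STUN messages from `teams.exe` and from the side-loaded host process are byte-for-byte the same protocol; only the process-to-flow attribution separates them, which is why this needs endpoint telemetry (Sysmon Event ID 3 or EDR network events) rather than a network-only rule.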
WatchGuard also identified a second delivery method: phishing emails carrying a ZIP archive hosted on Mediafire. Inside is an obfuscated Visual Basic script that launches an executable, which then displays a fake prompt telling the user to “update Adobe Reader.” Clicking the button kicks off a series of anti-analysis checks before the trojan deploys and starts harvesting banking data. Some of these tactics overlap with an earlier Grandoreiro campaign documented by Kaspersky in October 2024.
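The ZIP-to-script-to-executable chain in that second delivery method is the same shape most commodity phishing droppers take, and it is visible in process-creation telemetry regardless of the lure. The following is an added detection example, not code from WatchGuard or Kaspersky: it walks a list of process-creation events (the fields map to Sysmon Event ID 1 or Windows Security 4688) and reports any executable launched from a user-writable directory by a Windows Script Host that itself ran a script from a user-writable directory. The event records, user name and file names are constructed for the example, and the "user-writable" path pattern is an assumption to extend with your own staging locations.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
# Where phishing payloads typically land: Explorer's ZIP-preview folder under %TEMP%
# and the user's Downloads folder. Assumption: extend with your own staging paths.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect_script_dropper_chain(events):
    """Return (script_host_pid, script_cmdline, child_image) for every process whose parent is
    a Windows Script Host running a script from a user-writable location and whose own image
    also lives in a user-writable location: the ZIP -> VBS -> EXE pattern."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or image_name(parent["image"]) not in SCRIPT_HOSTS:
            continue
        script_from_temp = bool(USER_WRITABLE.search(parent["cmdline"])) and bool(SCRIPT_EXT.search(parent["cmdline"]))
        child_from_temp = bool(USER_WRITABLE.search(e["image"])) and e["image"].lower().endswith(".exe")
        if script_from_temp and child_from_temp:
            hits.append((parent["pid"], parent["cmdline"], e["image"]))
    return hits


# Constructed sample events (invented user, file and process names).
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # user double-clicked a .vbs inside a ZIP that Explorer previewed into a Temp1_<zip> folder
    {"pid": 4412, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\Temp1_fatura.zip\fatura.vbs"'},
    # the script dropped and launched an executable in the same area (hypothetical file name)
    {"pid": 4420, "ppid": 4412, "image": r"C:\Users\ana\AppData\Local\Temp\AdobeReaderUpdate.exe",
     "cmdline": r'"C:\Users\ana\AppData\Local\Temp\AdobeReaderUpdate.exe"'},
    # benign: a logon script under Program Files launching a vendor tool, must not be flagged
    {"pid": 5100, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\logon.vbs"'},
    {"pid": 5104, "ppid": 5100, "image": r"C:\Program Files\Vendor\tool.exe",
     "cmdline": r'"C:\Program Files\Vendor\tool.exe"'},
]

if __name__ == "__main__":
    for host_pid, cmdline, child in detect_script_dropper_chain(SAMPLE_EVENTS):
        print(f"script host pid {host_pid} ran {cmdline!r} and spawned {child}")
```

The rule is deliberately generic: it does not key on the "update Adobe Reader" text or any file name from the campaign, so it will also catch other VBS droppers, and it will miss a chain that stages its executable outside the paths in `USER_WRITABLE`, which is the knob to tune.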
The broader takeaway, in WatchGuard's words, is that financially motivated groups keep adapting fast, reusing legitimate services, and hiding inside trusted traffic, which makes this kind of banking malware difficult to catch with surface-level defenses alone.
BTMOB RAT: A Rent-a-Trojan for Android
While Grandoreiro goes after Windows machines, BTMOB is an Android remote access trojan that first appeared in February 2025. Its capabilities are extensive: it can unlock devices, capture screenshots, log keystrokes, automate credential theft through HTML overlay injections when banking apps are opened, and give an attacker full remote control of the phone. A later version added the ability to capture Alipay PINs.
According to ESET researcher Daniel Cunha Barbosa, BTMOB is sold with an APK builder interface. That means a buyer can generate fresh malicious payloads and tailor phishing lures for specific regions quickly, without writing a single line of code. That low barrier to entry is what makes the malware-as-a-service model so dangerous: it puts a capable tool in the hands of less skilled criminals.
How BTMOB Infects a Phone
The malware spreads mainly through social engineering. Victims are sent links to fake websites posing as streaming services or cryptocurrency mining platforms. From there they are pushed to counterfeit Google Play Store pages that trick them into installing an APK file. Once installed, the app requests Android's accessibility permissions, which let an app read what is on screen and tap on the user's behalf, then abuses them to click through further permission prompts and grant itself additional system access with no additional input from the user.
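For an analyst triaging a phone, the two facts that matter from that paragraph are where each app came from and which apps hold an accessibility service. Both are available over adb, and the added example below (not ESET's tooling, and not tied to BTMOB specifically) parses the output of `adb shell pm list packages -i`, `adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services` and rates each third-party package: sideloaded and holding accessibility is the combination this malware needs. The sample output and package names are constructed for the example; on a real device you would pipe the actual command output into the parsers.

```python
import re
from collections import defaultdict

PLAY_STORE = "com.android.vending"


def parse_pm_installers(text: str) -> dict:
    """Parse `pm list packages -i` output into {package: installer or None}.
    Lines look like: package:com.bank.app  installer=com.android.vending"""
    installers = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def parse_pm_list(text: str) -> set:
    """Parse `pm list packages -3` (third-party packages only) into a set of package names."""
    return {line.strip()[len("package:"):] for line in text.splitlines()
            if line.strip().startswith("package:")}


def parse_enabled_accessibility(text: str) -> dict:
    """Parse `settings get secure enabled_accessibility_services`, a colon-separated list of
    package/service entries (or 'null' when none), into {package: [service, ...]}."""
    enabled = defaultdict(list)
    text = text.strip()
    if text in ("", "null"):
        return enabled
    for entry in text.split(":"):
        pkg, _, service = entry.partition("/")
        enabled[pkg].append(service)
    return enabled


def audit_sideloaded_accessibility(installers, third_party, enabled):
    """Rate each third-party package; returns (package, severity, reason) sorted by package."""
    findings = []
    for pkg in sorted(third_party):
        installer = installers.get(pkg)
        sideloaded = installer != PLAY_STORE
        has_a11y = pkg in enabled
        if sideloaded and has_a11y:
            findings.append((pkg, "HIGH", f"not from Play (installer={installer}) and has an accessibility "
                                           f"service enabled: {', '.join(enabled[pkg])}"))
        elif sideloaded:
            findings.append((pkg, "MEDIUM", f"not from Play (installer={installer})"))
        elif has_a11y:
            findings.append((pkg, "INFO", f"Play-installed app with accessibility service enabled: "
                                           f"{', '.join(enabled[pkg])}"))
    return findings


# Constructed sample output (invented package names); real input comes from the adb commands above.
PM_I_OUTPUT = """\
package:com.android.vending  installer=null
package:com.bank.app  installer=com.android.vending
package:com.example.screenreader  installer=com.android.vending
package:com.stream.tv  installer=null
"""
PM_3_OUTPUT = """\
package:com.bank.app
package:com.example.screenreader
package:com.stream.tv
"""
A11Y_OUTPUT = "com.example.screenreader/.ReaderService:com.stream.tv/com.stream.tv.svc.AccessService"


def run_audit():
    return audit_sideloaded_accessibility(parse_pm_installers(PM_I_OUTPUT),
                                          parse_pm_list(PM_3_OUTPUT),
                                          parse_enabled_accessibility(A11Y_OUTPUT))


if __name__ == "__main__":
    for pkg, severity, why in run_audit():
        print(f"{severity:6} {pkg}: {why}")
```

Two caveats: the installer field is whatever was recorded at install time, so it is a triage hint rather than proof (an attacker with adb access can set it, and older Android versions report `null` for many sideloads), and none of this requires root. A user without adb can see the same accessibility list under Settings > Accessibility.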
BTMOB is believed to be the successor to the CraxsRAT, CypherRAT, and SpySolr malware families. As of May 2026, the latest version is 4.5.5, which its developers claim offers improved APK protection and compatibility with recent Google Play updates.
The Business Behind the Malware
BTMOB is advertised by a threat actor going by the handle EVLF (@craxso). The pricing, as reported, is openly commercial: around $700 per month, $1,200 for a lifetime license according to a video the author posted on May 1, 2026, and $7,000 for the full server source code so a buyer can run their own command-and-control infrastructure.
There is an added risk here. Italian security firm D3Lab analyzed a leaked BTMOB development toolkit in December 2025 and found it contained the full Android payload source code, the dropper, a builder environment, the Windows operator panel, the C2 backend, and all the dependencies needed to deploy the platform. Leaked toolkits like this tend to circulate on underground forums and Telegram, which means copycats and lower-tier criminals can pick up the tool and run their own campaigns.

How to Protect Yourself
The good news is that both campaigns rely heavily on tricking the user, which means careful habits go a long way.
For Windows users worried about Grandoreiro, be skeptical of unexpected emails with links or attachments, especially anything impersonating a bank, tax agency, or a software update prompt. Legitimate software like Adobe Reader does not ask you to update through a button inside a random downloaded file. Keep Windows and your security software current, and avoid running scripts or executables from ZIP files you did not expect to receive.
For Android users worried about BTMOB, the single most important rule is to install apps only from the official Google Play Store, and to be deeply suspicious of any site pushing you to "sideload" an APK to watch a stream or mine crypto. Pay close attention to accessibility-permission requests: very few legitimate apps need them, and granting accessibility access to the wrong app effectively hands over control of your phone. You can review which apps currently hold that access under Settings > Accessibility. Google Play Protect should be left enabled.
Frequently Asked Questions
What is Grandoreiro malware?
Grandoreiro is a Windows banking trojan active since 2016 that steals online-banking credentials. The latest variants can target customers of thousands of banks across more than 45 countries and spread mainly through phishing emails.
What does BTMOB RAT do?
BTMOB is an Android remote access trojan that can capture screenshots, log keystrokes, steal banking credentials through fake overlays, capture certain payment PINs, and give attackers remote control of an infected device.
How does BTMOB get onto a phone?
It spreads through fake websites posing as streaming or crypto-mining services, which direct victims to counterfeit Play Store pages and trick them into installing a malicious APK. It then abuses Android accessibility permissions to expand its access.
Which regions are being targeted?
The current campaigns focus on companies in Spain, Portugal, and Mexico, along with mobile users in Brazil, part of a broader pattern across Europe and Latin America.
How do I stay safe from these threats?
Avoid clicking links or attachments in unexpected emails, install Android apps only from the official Play Store, be cautious with accessibility-permission requests, and keep your operating system and security software up to date.

Final Thoughts
What stands out about both of these campaigns is not that the malware is new (Grandoreiro has been around for nearly a decade) but how professionalized this corner of cybercrime has become. Grandoreiro is hiding inside the same WebRTC traffic your video calls use, and BTMOB is sold like a subscription product complete with a builder, licensing, and version updates. For everyday users, the defense has not really changed: slow down before you click, install apps only from trusted sources, and treat any unexpected "update" prompt with suspicion. I will keep an eye on how these campaigns evolve and update this post if the situation changes.

