Grandoreiro (Windows Banking Trojan)




Takeaway: A mature, Delphi‑based banking trojan active since 2016, now using DLL side‑loading, P2P communications, and anti‑analysis techniques to steal banking credentials across 45+ countries.

What it is

  • A Windows banking trojan targeting thousands of financial institutions globally.

  • Active since 2016, continuously updated, and operated as Malware‑as‑a‑Service (MaaS).

Recent Campaigns (2024–2026)

  • Targeting Spain, Portugal, Mexico, and expanding globally after law‑enforcement pressure.

  • Distributed via phishing emails with malicious links or ZIP/VBS loaders.

  • Uses DLL side‑loading through legitimate software to evade detection.

  • Incorporates CAPTCHA checks to resist sandboxing and automated analysis.

Technical Capabilities

  • Credential theft for banks and fintechs (Santander, Revolut, Wise, etc.).

  • DLL side‑loading using Delphi‑built DLLs (e.g., mingwm10.dll, libwebp.dll).

  • P2P/WebRTC communications using STUN/ICE to blend into noisy conferencing traffic.

  • Anti‑analysis: obfuscation, CAPTCHA, environment checks.

  • Outlook abuse: can harvest email addresses and send phishing emails from infected hosts.
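The two DLL names listed above are the kind of indicator a SOC can hunt for directly. The following is an added example (not code from the original brief, nor from any Grandoreiro analysis) of detection logic run over image-load events: it flags a watch-listed DLL that is loaded from a user-writable directory, which is the shape a DLL side-load through a legitimate executable takes, and notes when the loaded DLL carries no valid signature. The log lines are constructed for the example, and their `key=value` layout is a simplified text form assumed here; the field names (`Image`, `ImageLoaded`, `SignatureStatus`) are modeled on Sysmon Event ID 7, but the parser does not read real Sysmon XML.

```python
# Added example: hunt for DLL side-loading indicators in image-load events.
# Not code from the original brief; log format below is a constructed,
# simplified key=value form with Sysmon Event ID 7 field names.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# DLL names the brief attributes to Grandoreiro's side-loading.
WATCHLIST_DLLS = {"mingwm10.dll", "libwebp.dll"}

# Directories a standard user can write to. A legitimate copy of one of these
# DLLs normally lives under the host application's install directory, not here.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    process: str   # executable that loaded the DLL
    dll: str       # loaded DLL file name
    reason: str    # why the load was flagged


def parse_event(line: str) -> Dict[str, str]:
    """Parse a simplified 'key=value key="quoted value"' event line (assumed format)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def check_image_load(event: Dict[str, str]) -> Optional[Finding]:
    """Flag a watch-listed DLL loaded from a user-writable path."""
    image = event.get("ImageLoaded", "")
    dll = image.rsplit("\\", 1)[-1].lower()
    if dll not in WATCHLIST_DLLS or not USER_WRITABLE.search(image):
        return None
    reasons = ["watch-listed DLL loaded from user-writable directory"]
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("loaded DLL has no valid Authenticode signature")
    return Finding(event.get("Image", "?"), dll, "; ".join(reasons))


def scan(lines: List[str]) -> List[Finding]:
    """Run the side-loading check over every image-load (Event ID 7) line."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":   # only image-load events carry ImageLoaded
            continue
        f = check_image_load(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    # Benign: the DLL sits in the application's own install directory and is signed.
    r'EventID=7 Image="C:\Program Files\VideoApp\video.exe" ImageLoaded="C:\Program Files\VideoApp\libwebp.dll" SignatureStatus=Valid',
    # Suspicious: watch-listed DLL loaded from a Temp directory, unsigned.
    r'EventID=7 Image="C:\Users\alice\AppData\Local\Temp\Setup\viewer.exe" ImageLoaded="C:\Users\alice\AppData\Local\Temp\Setup\mingwm10.dll" SignatureStatus=Unavailable',
    # Process-creation event: not an image load, ignored by scan().
    r'EventID=1 Image="C:\Users\alice\AppData\Local\Temp\Setup\viewer.exe" CommandLine="viewer.exe"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[ALERT] {finding.process} loaded {finding.dll}: {finding.reason}")
```

In production the watch-list would be one input among several: side-loaded DLL names change between campaigns, so the more durable signal is the combination of a signed host executable, an unsigned DLL next to it, and a path under a user profile or Temp.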

Why it matters

Grandoreiro is no longer a regional threat—it now targets 1,500+ banks in 60+ countries, with daily‑rotating C2 domains and increasingly sophisticated evasion.

BTMOB (Android RAT)

Takeaway: A powerful Android RAT with full‑device takeover capabilities, sold via MaaS with an APK builder, enabling low‑skill actors to run advanced mobile campaigns.

What it is

  • A Remote Access Trojan for Android, first described in 2025.

  • Evolved from the SpySolr malware family.

  • Designed for complete device compromise, not just banking fraud.

Distribution

  • Delivered via phishing websites, fake streaming/mining platforms, and fake app stores.

  • Operators tailor lures to specific countries (e.g., impersonating Argentina’s tax authority).

  • Sold openly via Telegram, X, and Instagram as a MaaS product.

Technical Capabilities

  • Accessibility Service abuse for privilege escalation.

  • Screen recording, screenshot capture, keystroke harvesting.

  • Remote control of the device.

  • Data exfiltration across multiple categories.

  • APK builder allows anyone to generate new malicious apps without coding.
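Because every accessibility service must declare the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission on its `<service>` element, the capability set above leaves a static footprint in the manifest that a reviewer can triage before running the sample. The following is an added example (not code from the original brief or from any BTMOB analysis) that scores a decoded `AndroidManifest.xml` on that footprint. It assumes the manifest has already been converted from binary XML to text (for example with apktool); the sample manifests are constructed, and the set of co-occurring permissions is this example's own choice of what, together with an accessibility service, fits screen capture, overlay and remote-control behaviour.

```python
# Added example: static triage of a decoded Android manifest for the
# accessibility-service footprint BTMOB-style RATs rely on. Not code from the
# original brief; the manifests below are constructed.
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# A service can only be bound by the system as an accessibility service if it
# requires this permission, so its presence on a <service> is a reliable marker.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions that, combined with an accessibility service, match the capability
# list above. This selection and the descriptions are the example's own.
CO_OCCURRING = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (fake login screens, hiding activity)",
    "android.permission.RECORD_AUDIO": "audio capture alongside screen recording",
    "android.permission.READ_SMS": "reading SMS, e.g. one-time codes",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropping further packages",
}


def _attr(el: ET.Element, name: str) -> str:
    """Read an android:-namespaced attribute, or '' if absent."""
    return el.get(f"{{{ANDROID_NS}}}{name}", "")


def triage_manifest(xml_text: str) -> Dict[str, object]:
    """Score a decoded manifest: 2 points for any accessibility service, 1 per co-occurring permission."""
    root = ET.fromstring(xml_text)
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    a11y_services: List[str] = [
        _attr(s, "name") for s in root.iter("service")
        if _attr(s, "permission") == BIND_ACCESSIBILITY
    ]
    hits = {p: why for p, why in CO_OCCURRING.items() if p in requested}
    score = (2 if a11y_services else 0) + len(hits)
    return {
        "accessibility_services": a11y_services,
        "co_occurring": hits,
        "score": score,
        "verdict": "manual review" if score >= 3 else "low",
    }


# Constructed manifest resembling a RAT: accessibility service plus overlay and audio.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Video Player">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app: network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(manifest))
```

A declared accessibility service is not malicious on its own (screen readers and automation tools need one), which is why the score only escalates to review when the service co-occurs with permissions that serve the capabilities listed above.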

Why it matters

BTMOB dramatically lowers the barrier to entry for Android‑focused cybercrime. Its builder and social‑media‑based sales pipeline make it easy for unskilled actors to launch region‑specific campaigns.

If you want, I can also produce:

  • A SOC‑ready detection matrix for both malware families

  • A North Carolina–specific advisory for staff and family

  • A technical deep‑dive into DLL side‑loading or Android Accessibility exploitation
