Executive Summary
The cybersecurity landscape is witnessing a surge in sophisticated malware campaigns targeting both Windows and Android platforms, with the emergence of the Grandoreiro banking trojan and the BTMOB RAT remote access trojan. These threats are orchestrated by financially motivated actors leveraging advanced evasion techniques, social engineering, and malware-as-a-service (MaaS) models. The primary targets are financial institutions and their customers, particularly in Latin America and Europe, but the global risk is escalating due to the rapid proliferation and adaptability of these malware families. This advisory provides a comprehensive technical analysis, exploitation patterns, victimology, and actionable mitigation strategies to help organizations defend against these evolving threats.
Threat Actor Profile
The operators behind Grandoreiro and BTMOB RAT are primarily financially motivated cybercriminals, not directly attributed to any nation-state advanced persistent threat (APT) groups. Grandoreiro is believed to be developed and maintained by Brazilian cybercrime syndicates, with infrastructure and campaigns traced back to Brazil, Spain, Portugal, and Mexico. Despite law enforcement actions in Brazil in early 2024, the threat actors have demonstrated resilience, rapidly reconstituting their infrastructure and expanding their targeting scope.
BTMOB RAT is distributed as a MaaS offering by the actor known as "EVLF" (alias @craxso), who markets the toolkit on underground forums and Telegram channels. The MaaS model has significantly lowered the barrier to entry, enabling less technically skilled actors to launch sophisticated Android attacks. The BTMOB ecosystem includes an APK builder, command-and-control (C2) backend, operator panel, and dropper, with leaked versions further amplifying its reach.
Technical Analysis of Malware/TTPs
Grandoreiro (Windows Banking Trojan)
Grandoreiro is a Delphi-based banking trojan active since 2016, with a primary focus on financial institutions in Spain, Portugal, and Latin America. The malware is delivered via phishing emails containing malicious links or ZIP archives, often hosted on Mediafire. The ZIP archive typically contains an obfuscated Visual Basic Script (VBS) that, when executed, launches a disguised executable—commonly masquerading as an Adobe Reader update prompt.
A hallmark of Grandoreiro is its use of DLL side-loading to evade detection. The malware abuses legitimate DLLs such as mingwm10.dll, libwebp.dll, libffi-6.dll, and libpng15.dll, loading them alongside benign applications to execute malicious payloads. The trojan employs advanced anti-analysis techniques, including CAPTCHA challenges, anti-virtual machine (VM), and anti-sandbox checks to thwart automated analysis and reverse engineering.
For command-and-control, Grandoreiro leverages the sgcWebSockets library to establish peer-to-peer (P2P) and WebRTC-based communications. It utilizes STUN (Session Traversal Utilities for NAT) and ICE (Interactive Connectivity Establishment) protocols for NAT traversal, blending malicious C2 traffic with legitimate web conferencing protocols, thereby complicating network-based detection.
The malware's configuration is highly modular, enabling dynamic targeting of specific banks such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, Santander, Revolut, and Wise. It is capable of real-time web injection, credential harvesting, and session hijacking, allowing attackers to bypass multi-factor authentication and initiate fraudulent transactions.
BTMOB RAT (Android Remote Access Trojan)
BTMOB RAT is a highly modular Android remote access trojan first observed in February 2026. It is distributed via phishing sites impersonating streaming or cryptocurrency platforms, fake Google Play Store listings, and direct APK downloads. The malware is engineered to compromise a wide range of Android versions, from 7.0 (Nougat) to the latest releases as of 2026.
Upon installation, BTMOB RAT aggressively requests Android Accessibility Services to escalate privileges, enabling it to self-grant additional permissions and achieve persistent device control. Its capabilities include device unlocking, screenshot capture, keystroke logging, HTML injection for credential theft (particularly targeting banking apps), remote control, Alipay PIN theft, live screen viewing, and background cryptocurrency mining.
The MaaS model, orchestrated by "EVLF" (@craxso), offers a comprehensive toolkit with an APK builder, C2 backend, operator panel, and dropper. The toolkit is sold for $700/month, $1,200 lifetime, or $7,000 for full source code, with leaked versions circulating on underground forums and Telegram. The builder allows rapid customization of payloads, facilitating targeted campaigns and evasion of static detection.
BTMOB RAT communicates with its C2 infrastructure using encrypted channels, with infrastructure customizable per campaign. The malware's modularity and accessibility have led to widespread adoption, with both skilled and novice actors deploying it for credential theft, financial fraud, and device exploitation.
Exploitation in the Wild
Both Grandoreiro and BTMOB RAT are actively exploited in the wild, with campaigns observed across Latin America, Europe, and, increasingly, other regions. Grandoreiro campaigns typically begin with phishing emails targeting bank customers, leveraging cloud storage services like Mediafire for payload delivery. The use of WebRTC and P2P protocols for C2 communication enables the malware to evade traditional network monitoring solutions.
BTMOB RAT campaigns exploit social engineering, luring victims to install malicious APKs from phishing sites mimicking legitimate platforms. The malware's abuse of accessibility services grants it deep system access, allowing for real-time credential theft and device manipulation. The MaaS distribution model has resulted in a proliferation of campaigns, with threat actors rapidly customizing payloads to bypass security controls and target specific financial institutions.
Law enforcement actions have had limited impact, as both malware families demonstrate rapid infrastructure regeneration and adaptation. The availability of builder kits and leaked versions further exacerbates the threat, enabling a broad spectrum of actors to participate in these campaigns.
Victimology and Targeting
Grandoreiro primarily targets customers of financial institutions in Spain, Portugal, Mexico, and other Latin American countries, with recent campaigns expanding into Europe. The malware's configuration files explicitly reference banks such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, Santander, Revolut, and Wise. Victims are typically lured via phishing emails crafted in the local language, increasing the likelihood of successful compromise.
BTMOB RAT targets Android users globally, with a concentration in Brazil due to the actor's origin and initial campaigns. However, the MaaS model and leaked versions have facilitated global dissemination, with campaigns observed in Europe, Asia, and North America. The primary victims are individuals using Android devices, particularly those engaging with financial, streaming, or cryptocurrency platforms. The malware's ability to inject HTML overlays and capture credentials from banking apps makes it especially dangerous for users of mobile financial services.
Mitigation and Countermeasures
To defend against Grandoreiro, organizations should implement robust email filtering to block phishing attempts, monitor for DLL side-loading activity involving mingwm10.dll, libwebp.dll, libffi-6.dll, and libpng15.dll, and inspect network traffic for anomalous WebRTC, STUN, and ICE protocol usage, particularly from endpoints not expected to use conferencing tools. Blocking access to known phishing and file-sharing domains such as Mediafire at the network gateway is recommended. Endpoint detection and response (EDR) solutions should be configured to detect suspicious VBS execution and unauthorized DLL loading.
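As an added example (not code from the advisory or from any vendor), the following Python applies the DLL side-loading check above to Sysmon Event ID 7 image-load records; the events are constructed, and the heuristic that only loads touching user-writable locations are flagged is an assumption, since the named DLLs are legitimate inside installed application directories.

```python
import ntpath
import re

# DLL names the advisory lists as Grandoreiro side-loading targets.
WATCHED_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Assumption (not from the advisory): these DLLs are benign when loaded from an
# installed application directory, so only loads that involve a user-writable
# location are flagged. Extend the pattern for your environment.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|users\\public|windows\\temp|programdata)\\",
    re.IGNORECASE,
)

def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))

def classify(event: dict):
    """Return an alert reason for a Sysmon Event ID 7 (Image loaded) record,
    or None when the load does not match the side-loading pattern."""
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in WATCHED_DLLS:
        return None
    reasons = []
    if is_user_writable(loaded):
        reasons.append("watched DLL loaded from user-writable path")
    if is_user_writable(event.get("Image", "")):
        reasons.append("loading process runs from user-writable path")
    return "; ".join(reasons) or None

def scan(events):
    """Apply classify() to a batch of events; returns (process, dll, reason)."""
    return [(e["Image"], e["ImageLoaded"], r)
            for e in events if (r := classify(e))]

# Constructed sample events mimicking Sysmon EID 7 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\GIMP 2\bin\gimp-2.10.exe",
     "ImageLoaded": r"C:\Program Files\GIMP 2\bin\libpng15.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\AdobeUpdate\reader.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\AdobeUpdate\libwebp.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\mingwm10.dll"},
    {"Image": r"C:\Users\bob\Downloads\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]
```

Feeding real Sysmon EID 7 exports through scan() yields the two side-loading cases in the sample and leaves the GIMP load and the unrelated kernel32.dll load alone.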
For BTMOB RAT, organizations managing Android devices should enforce policies that block installation of APKs from unknown sources, monitor for applications requesting accessibility services without legitimate justification, and educate users about the risks of phishing sites mimicking the Google Play Store and popular streaming or crypto platforms. Mobile device management (MDM) solutions should be leveraged to restrict app installations and monitor for indicators of compromise, such as unauthorized accessibility service activation and suspicious outbound connections.
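An added example, not part of the advisory or of any MDM product: Python that parses the output of the adb commands `pm list packages -i` and `settings get secure enabled_accessibility_services` to flag sideloaded apps that hold an enabled accessibility service, the BTMOB RAT indicator described above. The device output is constructed, and the trusted-installer set and allowlist are assumptions.

```python
import re

# Constructed output of `adb shell pm list packages -i` (not from a real device).
PM_LIST_OUTPUT = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.bank.mobile  installer=com.android.vending
package:com.stream.premium  installer=null
package:com.crypto.wallet  installer=com.android.vending
"""

# Constructed output of `adb shell settings get secure enabled_accessibility_services`.
A11Y_OUTPUT = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.stream.premium/com.stream.premium.svc.AccessHelper")

# Assumptions (not from the advisory): Google Play is the only trusted installer
# and TalkBack is the only package expected to hold an accessibility service.
TRUSTED_INSTALLERS = {"com.android.vending"}
A11Y_ALLOWLIST = {"com.google.android.marvin.talkback"}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")

def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package ('null' means sideloaded)."""
    result = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result

def parse_a11y_services(settings_value: str) -> dict:
    """Map package name -> enabled accessibility service classes.
    The setting reads 'null' when nothing is enabled; that yields {}."""
    services = {}
    for entry in settings_value.strip().split(":"):
        if "/" in entry:
            pkg, cls = entry.split("/", 1)
            services.setdefault(pkg, []).append(cls)
    return services

def find_suspicious(pm_output: str, settings_value: str) -> list:
    """Packages with an enabled accessibility service that are neither
    allowlisted nor installed by a trusted store: [(pkg, installer, cls)]."""
    installers = parse_installers(pm_output)
    hits = []
    for pkg, classes in parse_a11y_services(settings_value).items():
        installer = installers.get(pkg, "unknown")
        if pkg in A11Y_ALLOWLIST or installer in TRUSTED_INSTALLERS:
            continue
        hits.extend((pkg, installer, cls) for cls in classes)
    return sorted(hits)
```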
User awareness training is critical for both threats, emphasizing the dangers of unsolicited emails, suspicious links, and unauthorized app installations. Regular updates to threat intelligence feeds and proactive monitoring for emerging indicators of compromise will enhance organizational resilience against these evolving malware campaigns.
About Rescana
Rescana empowers organizations to proactively manage third-party risk with our advanced TPRM platform, delivering actionable intelligence and continuous monitoring to safeguard your digital ecosystem. Our solutions enable you to identify, assess, and mitigate cyber threats across your supply chain, ensuring robust security posture and regulatory compliance.
For further information or to discuss tailored threat intelligence solutions, we are happy to answer your questions at ops@rescana.com.