
Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users

Published:

27 May 2026, 16:10:21

Alert date:

27 May 2026, 17:00:49

Source:

thehackernews.com


Ransomware & Malware, Mobile & IoT, Data Breach & Exfiltration

Two banking trojan campaigns are actively targeting Latin America and Europe, specifically companies in Spain, Portugal, and Mexico, along with mobile users in Brazil. The campaigns deploy Grandoreiro malware on Windows systems and BTMOB RAT on Android devices. Security researchers from WatchGuard and ESET have identified these coordinated attacks that appear designed to steal banking credentials and financial information from both desktop and mobile users across multiple countries.

Technical details

The Grandoreiro campaign uses a DLL side-loading technique, abusing four different legitimate software packages, to target banks in Portugal. The malware is written in Delphi 11 and incorporates the sgcWebSockets library for P2P and WebRTC communications. Two of the DLLs (mingwm10.dll and libwebp.dll) use the STUN protocol for NAT traversal, while the others (libffi-6.dll and libpng15.dll) use the ICE protocol. BTMOB is an Android RAT with capabilities for device unlock, screenshot capture, keystroke logging, HTML injection for credential theft, and remote control. It includes an APK builder interface for payload generation and abuses Android accessibility services to gain control of the device.

Mitigation steps:

Organizations should monitor for DLL side-loading techniques, WebRTC traffic patterns, and suspicious STUN/ICE protocol communications. For Android devices, users should avoid installing APK files from untrusted sources, be cautious of phishing sites masquerading as streaming services or cryptocurrency platforms, and regularly review which apps hold accessibility service permissions. Defenses must go beyond basic detection, as banking malware is becoming harder to spot with traditional methods.
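The two Windows-side behaviours named in this advisory, the side-loaded DLL names from the technical details and the STUN/ICE traffic the mitigation section says to monitor, can be turned into simple hunting heuristics. The script below is an added example written for this page, not code from the original article, WatchGuard or ESET. It embeds constructed image-load records and constructed UDP payloads; the DLL file names come from the advisory's IOC list, while the user-writable directory hints and the WebRTC process allowlist are assumptions to be tuned per environment. STUN parsing follows the RFC 5389 header layout (message type, length, magic cookie 0x2112A442, transaction ID).

```python
"""Hunting heuristics for the behaviours listed in the advisory:
(1) one of the named DLLs loaded from a user-writable directory, consistent
    with a ZIP dropped from a file-hosting site and side-loaded, and
(2) STUN/ICE messages sent by a process that is not expected to use WebRTC.
All sample data below is constructed for illustration."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
import struct

# DLL file names taken from the advisory's IOC list.
SIDELOADED_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Assumption: directory fragments where a user-extracted archive usually lands.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\users\\public\\", "\\desktop\\")

# Assumption: processes in this environment that legitimately speak STUN.
WEBRTC_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe"}

STUN_MAGIC_COOKIE = 0x2112A442
STUN_HEADER_LEN = 20
# RFC 5389 message types used by ICE connectivity checks.
STUN_TYPES = {
    0x0001: "Binding Request",
    0x0011: "Binding Indication",
    0x0101: "Binding Success",
    0x0111: "Binding Error",
}


@dataclass(frozen=True)
class ImageLoad:
    """One module-load record, e.g. from Sysmon Event ID 7."""
    image: str   # host executable that loaded the module
    loaded: str  # full path of the DLL that was loaded


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def sideload_suspects(events):
    """Return (host exe, dll) pairs where a listed DLL name was loaded from a
    user-writable location; the same DLL under Program Files is left alone."""
    hits = []
    for ev in events:
        dll = PureWindowsPath(ev.loaded).name.lower()
        if dll in SIDELOADED_DLLS and is_user_writable(ev.loaded):
            hits.append((PureWindowsPath(ev.image).name, dll))
    return hits


def parse_stun(payload: bytes):
    """Return (type name, attribute length) for a syntactically valid STUN
    message, else None. Checks: top two type bits zero, magic cookie present,
    length a multiple of 4 and consistent with the payload size."""
    if len(payload) < STUN_HEADER_LEN:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE or length % 4:
        return None
    if len(payload) != STUN_HEADER_LEN + length:
        return None
    return STUN_TYPES.get(msg_type, f"type 0x{msg_type:04x}"), length


def stun_from_unexpected_process(flows):
    """Flag (process, STUN type) for STUN traffic from non-allowlisted processes."""
    findings = []
    for process, payload in flows:
        parsed = parse_stun(payload)
        if parsed and process.lower() not in WEBRTC_ALLOWLIST:
            findings.append((process, parsed[0]))
    return findings


# Constructed image-load records: one benign vendor install, two suspect loads.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\SomeVendor\app.exe", r"C:\Program Files\SomeVendor\libwebp.dll"),
    ImageLoad(r"C:\Users\ana\Downloads\factura\Reader.exe", r"C:\Users\ana\Downloads\factura\mingwm10.dll"),
    ImageLoad(r"C:\Users\ana\AppData\Local\Temp\doc\viewer.exe", r"C:\Users\ana\AppData\Local\Temp\doc\libffi-6.dll"),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\kernel32.dll"),
]

# Constructed UDP payloads: a Binding Request, a Binding Success carrying one
# 12-byte XOR-MAPPED-ADDRESS attribute, plain HTTP, and a truncated fake.
TXID = bytes(range(12))
BINDING_REQUEST = struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + TXID
BINDING_SUCCESS = (struct.pack("!HHI", 0x0101, 12, STUN_MAGIC_COOKIE) + TXID
                   + struct.pack("!HHBBHI", 0x0020, 8, 0, 1, 0x1234, 0xDEADBEEF))
SAMPLE_FLOWS = [
    ("chrome.exe", BINDING_REQUEST),      # allowlisted, not reported
    ("Reader.exe", BINDING_REQUEST),
    ("Reader.exe", BINDING_SUCCESS),
    ("Reader.exe", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("svchost.exe", struct.pack("!HHI", 0x0000, 256, STUN_MAGIC_COOKIE) + TXID),  # length mismatch
]

if __name__ == "__main__":
    for host, dll in sideload_suspects(SAMPLE_LOADS):
        print(f"[sideload] {host} loaded {dll} from a user-writable path")
    for proc, kind in stun_from_unexpected_process(SAMPLE_FLOWS):
        print(f"[stun] {proc} sent {kind} but is not a known WebRTC client")
```

Both checks are hunting aids rather than verdicts: libwebp.dll and libpng15.dll are shipped by plenty of legitimate software, so the location of the load and the identity of the host executable carry the signal, and STUN from an unknown process is a lead to investigate, not proof of Grandoreiro.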

Affected products:

Windows systems
Android devices
Banking applications from Abanca
Banco de Portugal
BBVA PT
Caixa Geral de Depósitos
Santander
Revolut
Wise
Adobe Reader
Alipay
Google Play Store

Related links:

Related CVEs:

Related threat actors:

IOCs:

mingwm10.dll, libwebp.dll, libffi-6.dll, libpng15.dll, Mediafire hosting ZIP archives, sgcWebSockets library usage, STUN protocol communications, ICE protocol communications, Fake Google Play Store listings, BTMOB version 4.5.5

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
