Grandoreiro and BTMOB Phishing Hit Europe and Latin America

Grandoreiro targets banks in Portugal, Spain and Mexico via DLL side‑loading and WebRTC; BTMOB spreads an Android RAT through fake app listings in Brazil.

Security researchers at WatchGuard and ESET have identified two phishing campaigns delivering banking malware to Windows systems and a remote-access trojan to Android phones across Europe and Latin America. Grandoreiro infections are aimed at banks in Portugal, Spain and Mexico, while BTMOB targets Android users in Brazil.

WatchGuard researchers reported that Grandoreiro has been active since 2016 and continues to evolve. Recent samples use DLL side-loading: a legitimate application is abused to load attacker-supplied Delphi 11 libraries dropped under the names of modules it expects, such as mingwm10.dll and libwebp.dll. Those modules embed the sgcWebSockets library and use the STUN protocol to set up peer-to-peer, WebRTC-style communications. Two other DLLs, libffi-6.dll and libpng15.dll, use the ICE protocol for similar connectivity. The malware references banks and digital-finance services used in Portugal, including Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, Santander, Revolut and Wise.
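The STUN traffic described above has a fixed, easily recognised wire format, which is what makes it detectable on the network. The following added example (not code from WatchGuard or from the Grandoreiro samples) parses the RFC 5389 STUN header and the XOR-MAPPED-ADDRESS attribute, then flags STUN binding requests coming from processes that have no business speaking WebRTC. The datagrams, the process names and the allowlist of expected processes are all constructed for the example.

```python
"""Classify UDP payloads as STUN messages (RFC 5389) and flag binding requests
from processes that are not expected to use WebRTC.

Added example; not WatchGuard's code or a Grandoreiro artifact. All datagrams,
process names and destinations below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

STUN_MAGIC_COOKIE = 0x2112A442
STUN_HEADER_LEN = 20
XOR_MAPPED_ADDRESS = 0x0020

CLASS_NAMES = {0: "request", 1: "indication", 2: "success-response", 3: "error-response"}
METHOD_NAMES = {0x001: "Binding"}


@dataclass
class StunMessage:
    msg_class: str
    method: str
    length: int
    transaction_id: bytes
    mapped_address: Optional[tuple] = None  # (ip, port) from XOR-MAPPED-ADDRESS, if present


def parse_stun(payload: bytes) -> Optional[StunMessage]:
    """Return a StunMessage if payload is a well-formed STUN message, else None."""
    if len(payload) < STUN_HEADER_LEN:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # The two most significant bits of a STUN message are always zero; that is
    # what lets STUN be demultiplexed from RTP (first byte 0x80/0x81) on one port.
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return None
    # The length field covers attributes only and is always a multiple of 4.
    if length % 4 or len(payload) < STUN_HEADER_LEN + length:
        return None
    # Class bits C1/C0 sit at bit 8 and bit 4 of the 14-bit type; the method
    # occupies the remaining 12 bits (RFC 5389 section 6).
    msg_class = (((msg_type >> 8) & 1) << 1) | ((msg_type >> 4) & 1)
    method = ((msg_type >> 2) & 0xF80) | ((msg_type >> 1) & 0x70) | (msg_type & 0xF)
    msg = StunMessage(CLASS_NAMES[msg_class], METHOD_NAMES.get(method, f"0x{method:03x}"),
                      length, payload[8:20])
    # Walk the TLV attributes and decode XOR-MAPPED-ADDRESS for IPv4.
    off, end = STUN_HEADER_LEN, STUN_HEADER_LEN + length
    while off + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and attr_len == 8 and value[1] == 0x01:
            # Port is XORed with the top 16 bits of the cookie, address with the whole cookie.
            xport = struct.unpack("!H", value[2:4])[0] ^ (STUN_MAGIC_COOKIE >> 16)
            xaddr = struct.unpack("!I", value[4:8])[0] ^ STUN_MAGIC_COOKIE
            msg.mapped_address = (".".join(str((xaddr >> s) & 0xFF) for s in (24, 16, 8, 0)), xport)
        off += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4-byte boundaries
    return msg


# Processes for which STUN/ICE traffic is normal on a workstation (assumed allowlist).
EXPECTED_STUN_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe"}


def flag_unexpected_stun(records):
    """records: iterable of (process_name, destination, udp_payload). Returns findings."""
    findings = []
    for proc, dst, payload in records:
        msg = parse_stun(payload)
        if msg is None:
            continue
        if msg.msg_class == "request" and proc.lower() not in EXPECTED_STUN_PROCESSES:
            findings.append(f"{proc} sent STUN {msg.method} request to {dst} "
                            f"(tid {msg.transaction_id.hex()})")
    return findings


# Constructed sample traffic: a binding request, a binding success response that
# maps to 203.0.113.7:49152, and an RTP packet that must not be mistaken for STUN.
TID = bytes.fromhex("a1b2c3d4e5f60708090a0b0c")
BINDING_REQUEST = struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + TID
_xport = 49152 ^ (STUN_MAGIC_COOKIE >> 16)
_xaddr = struct.unpack("!I", bytes([203, 0, 113, 7]))[0] ^ STUN_MAGIC_COOKIE
BINDING_RESPONSE = (struct.pack("!HHI", 0x0101, 12, STUN_MAGIC_COOKIE) + TID
                    + struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 1, _xport, _xaddr))
RTP_PACKET = bytes([0x80, 0x60]) + bytes(18)

SAMPLE_RECORDS = [
    ("updater.exe", "198.51.100.20:3478", BINDING_REQUEST),   # hypothetical side-loaded host
    ("chrome.exe", "198.51.100.20:3478", BINDING_REQUEST),    # expected WebRTC user
    ("updater.exe", "198.51.100.20:3478", BINDING_RESPONSE),  # response, not a request
    ("updater.exe", "198.51.100.21:5004", RTP_PACKET),        # not STUN at all
]

if __name__ == "__main__":
    for finding in flag_unexpected_stun(SAMPLE_RECORDS):
        print(finding)
```

In practice the records would come from a host sensor that ties UDP flows to the sending process; the parser itself is what a network IDS rule for "STUN from an unexpected source" boils down to, and the cookie check keeps random UDP from matching.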

Delivery methods observed include phishing emails carrying links or ZIP attachments hosted on cloud services. In one campaign, a ZIP hosted on MediaFire held an obfuscated Visual Basic Script that launches an executable showing a fake Adobe Reader update prompt. Accepting the prompt triggers checks that fingerprint the environment and attempt to defeat analysis before the final payload is deployed; WatchGuard noted CAPTCHA checks among the anti-analysis steps in recent samples. Arrests and infrastructure disruptions in Brazil in early 2024 did not halt the group's activity, and its targeting expanded afterward.

ESET reported that BTMOB first appeared in February 2025 as an Android RAT capable of unlocking devices, taking screenshots, recording keystrokes, stealing credentials by injecting HTML into targeted apps, and giving the operator full remote control. Later builds added the ability to capture Alipay PINs. The malware spreads from social-engineering pages that impersonate streaming services or cryptocurrency-mining sites and redirect victims to counterfeit Google Play listings that prompt them to sideload an APK.

After installation, BTMOB asks the victim to enable its accessibility service and then uses Android's accessibility APIs to act on the device without further user interaction. The malware is sold with an APK builder that lets customers generate payloads and customize phishing lures without writing code. ESET researcher Daniel Cunha Barbosa noted that the builder lowers the barrier to entry for attackers. The author, who uses the handle EVLF, listed monthly subscriptions at around $700, lifetime licenses at about $1,200, and the full server source code at $7,000. An X profile linked to the actor posted about version 4.5.5 on May 1, 2026, promoting speed and stability.
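An app cannot use the accessibility APIs without declaring an accessibility service in its manifest, so that declaration, together with the permissions the APK asks for, is the first thing to check when triaging a sideloaded package. The following added example (not ESET's tooling and not derived from BTMOB) inspects a decoded AndroidManifest.xml, such as the one apktool produces, and reports accessibility services and high-risk permissions. The manifest, the package name and the list of permissions treated as high-risk are constructed for the example.

```python
"""Triage a decoded AndroidManifest.xml for accessibility-service abuse potential.

Added example, not ESET's code. The manifest below is constructed; the package
name com.example.streamplus and its service class are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark-notation prefix for android: attributes

# An accessibility service must be protected by this permission and expose this action.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Permissions that, combined with an accessibility service, let an app overlay,
# read or install on its own. Assumed triage list, not an official Android set.
HIGH_RISK_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (fake login screens)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt installation of further APKs",
    "android.permission.READ_SMS": "can read SMS, including one-time codes",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
}


def triage_manifest(xml_text: str) -> dict:
    """Return package name, declared accessibility services and risky permissions."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.findall("uses-permission")}
    services = []
    app = root.find("application")
    for svc in (app.findall("service") if app is not None else []):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if svc.get(A + "permission") == ACCESSIBILITY_PERMISSION or ACCESSIBILITY_ACTION in actions:
            services.append(svc.get(A + "name"))
    risky = {p: HIGH_RISK_PERMISSIONS[p] for p in sorted(requested) if p in HIGH_RISK_PERMISSIONS}
    return {
        "package": root.get("package"),
        "accessibility_services": services,
        "risky_permissions": risky,
        # Accessibility plus overlay or install rights is the combination to escalate on.
        "escalate": bool(services) and bool(risky),
    }


# Constructed manifest resembling a sideloaded "streaming" app that hides a RAT.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streamplus">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="StreamPlus">
        <activity android:name=".MainActivity"/>
        <service android:name="com.example.streamplus.AccessService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
                 android:exported="true">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A declared accessibility service is not proof of malice (screen readers and password managers declare one too), but a package that arrived by sideloading, declares one, and also asks for overlay or install permissions matches the pattern the article describes and is worth blocking before the user is talked into enabling the service.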

Italian firm D3Lab analyzed a December 2025 leak of the BTMOB toolkit and found that the package included the Android payload source code, a dropper, the builder environment, a Windows operator panel, the command-and-control backend and its dependencies. ESET reported that leaked or resold copies of the toolkit are circulating in closed groups and underground forums.

Both teams recommended practical controls to reduce exposure: scrutinize email attachments and links, monitor for unusual DLL loads and for WebRTC (STUN/ICE) traffic from processes that have no reason to use it, restrict the ability to sideload Android apps, and limit the granting of accessibility permissions on mobile devices.
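"Monitor for unusual DLL loads" is concrete enough to turn into a rule. The following added example (not WatchGuard's detection logic) scores Sysmon Event ID 7 (ImageLoad) records: it flags the module names WatchGuard listed when they load from outside trusted directories, and it flags the general side-loading shape, an unsigned DLL loaded from the same user-writable directory as the executable that loads it. Sysmon's real field names are used; the records, paths and process names are constructed.

```python
"""Flag likely DLL side-loading in Sysmon Event ID 7 (ImageLoad) records.

Added example, not WatchGuard's detection content. Field names (Image,
ImageLoaded, Signed, SignatureStatus) are Sysmon's; every record below is
constructed and the paths are invented.
"""
import json
import ntpath

# Module names WatchGuard reported being side-loaded by recent Grandoreiro samples.
WATCHLIST_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Locations a standard user cannot write to; loads from here are lower risk.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments that indicate a user-writable drop location.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _dir(path: str) -> str:
    return ntpath.dirname(path.lower())


def classify_image_load(event: dict) -> list:
    """Return the reasons an ImageLoad event looks like side-loading (empty if benign)."""
    if int(event.get("EventID", 0)) != 7:
        return []
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    name = ntpath.basename(loaded)
    # In Event 7 the signature fields describe the loaded module, not the process.
    unsigned = (event.get("Signed", "false").lower() != "true"
                or event.get("SignatureStatus") != "Valid")
    trusted_path = loaded.startswith(TRUSTED_PREFIXES)
    user_writable = any(h in loaded for h in USER_WRITABLE_HINTS)
    reasons = []
    if name in WATCHLIST_DLLS and not trusted_path:
        reasons.append(f"watchlisted module {name} loaded from {ntpath.dirname(event['ImageLoaded'])}")
    # Classic side-load shape: EXE and unsigned DLL dropped together into a
    # user-writable directory, so the loader resolves the DLL next to the EXE.
    if unsigned and user_writable and _dir(image) == _dir(loaded):
        reasons.append(f"unsigned {name} loaded from the executable's own user-writable directory")
    return reasons


def scan_sysmon_jsonl(lines) -> list:
    """Return (process image, loaded module, reasons) for each suspicious JSONL record."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify_image_load(event)
        if reasons:
            findings.append((event["Image"], event["ImageLoaded"], reasons))
    return findings


# Constructed records: one matching both rules, two benign, one matching only the shape rule.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Local\Temp\Reader\ReaderUpdate.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\Reader\libwebp.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Users\ana\Downloads\invoice\viewer.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\invoice\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]
SAMPLE_JSONL = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for image, module, reasons in scan_sysmon_jsonl(SAMPLE_JSONL):
        print(image, "->", module)
        for r in reasons:
            print("   ", r)
```

The unsigned-in-Program-Files record is deliberately left unflagged: unsigned plugins under Program Files are common and the directory is not writable by a standard user, so the shape rule keys on the writable location rather than on the missing signature alone. In production the name watchlist should be refreshed from current reporting, and both rules are better raised than suppressed when the loading process is a well-known signed application.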
