
Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users

Latin America and Europe are the targets of two banking trojan campaigns designed to infect Windows and Android devices with the Grandoreiro and BTMOB malware, respectively.

That’s according to new findings from WatchGuard and ESET, which saw two families of malware being used to target companies in Spain, Portugal, and Mexico, as well as mobile users in Brazil.

The Grandoreiro campaign “uses a DLL side-loading technique exploiting four different software products, targeting banks in Portugal,” said WatchGuard researcher Euler Neto.

Active since 2016, Grandoreiro is a banking trojan capable of stealing credentials and other information associated with thousands of financial institutions across 45 countries and territories. It is most often distributed via phishing emails that instruct recipients to click on graphical links.

Despite arrests and an attempt by Brazilian authorities to dismantle its infrastructure in early 2024, the malware has continued to expand its target area, and it has incorporated CAPTCHA checks to hinder automated analysis.

A recent campaign flagged by WatchGuard was found to leverage DLL sideloading to load DLLs built with Delphi 11, a programming language commonly used for region-targeted banking malware. Two of the DLLs, mingwm10.dll and libwebp.dll, were found to embed sgcWebSockets, a WebSocket and real-time communications library that supports peer-to-peer (P2P) and WebRTC connections.
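Sideloading of this kind leaves a recognisable trace in image-load telemetry: an unsigned DLL, often with the name of a well-known open-source library, loaded from a user-writable directory by the executable sitting next to it. The script below is an added example written for this article, not WatchGuard's code or a detection they published. It parses constructed Sysmon Event ID 7 (ImageLoaded) records in a key=value export and flags loads that match either the DLL names named in the report or the generic sideloading pattern; the paths, process names, log format and the list of user-writable prefixes are assumptions for illustration.

```python
"""Flag DLL sideloading candidates in Sysmon Event ID 7 (ImageLoaded) records.

Added example, not WatchGuard's or the article's code. The log lines below are
constructed in a key=value export format; the field names follow Sysmon's
ImageLoaded schema (Image, ImageLoaded, Signed, SignatureStatus) but every
path and value is made up for illustration.
"""
import re
from pathlib import PureWindowsPath

# DLL names the WatchGuard report ties to the Grandoreiro sideloading campaign.
GRANDOREIRO_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Assumption: user-writable locations where a lure executable and its planted
# DLL typically land; tune to the environment.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn one key=value line into a dict (quoted values may contain spaces)."""
    return {key: quoted or unquoted for key, quoted, unquoted in FIELD_RE.findall(line)}


def same_directory(a, b):
    """PureWindowsPath compares case-insensitively, as NTFS does."""
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def classify(rec):
    """Return the reasons a DLL load looks like sideloading (empty list = nothing notable)."""
    image, loaded = rec.get("Image", ""), rec.get("ImageLoaded", "")
    reasons = []
    if PureWindowsPath(loaded).name.lower() in GRANDOREIRO_DLLS:
        reasons.append("DLL name seen in Grandoreiro sideloading")
    unsigned = rec.get("Signed", "").lower() != "true"
    if unsigned and loaded.lower().startswith(USER_WRITABLE_PREFIXES) and same_directory(image, loaded):
        reasons.append("unsigned DLL loaded from a user-writable directory beside its host executable")
    return reasons


def scan(lines):
    """Return a list of (Image, ImageLoaded, reasons) for every Event ID 7 record that trips a rule."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "7":
            continue  # only ImageLoaded events carry DLL paths
        reasons = classify(rec)
        if reasons:
            hits.append((rec["Image"], rec["ImageLoaded"], reasons))
    return hits


# Constructed sample: one planted campaign DLL, one clean system DLL load,
# one generic unsigned DLL beside a downloaded executable, one unrelated event.
SAMPLE_LOG = [
    r'EventID=7 Image="C:\Users\ana\AppData\Local\Temp\Upd\host.exe" '
    r'ImageLoaded="C:\Users\ana\AppData\Local\Temp\Upd\libwebp.dll" Signed=false SignatureStatus=Unavailable',
    r'EventID=7 Image="C:\Program Files\Mozilla Firefox\firefox.exe" '
    r'ImageLoaded="C:\Windows\System32\kernel32.dll" Signed=true SignatureStatus=Valid',
    r'EventID=7 Image="C:\Users\ana\Downloads\viewer.exe" '
    r'ImageLoaded="C:\Users\ana\Downloads\helper.dll" Signed=false SignatureStatus=Unavailable',
    r'EventID=1 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c whoami"',
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_LOG):
        print(f"{image} -> {dll}: {'; '.join(reasons)}")
```

The name match is cheap but brittle, since the attacker can rename the DLL; the second rule (unsigned, user-writable, co-located with the loader) is what catches the technique rather than this sample, at the cost of needing an allowlist for legitimately portable software that ships its own DLLs.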

“The DLLs associated with this case use the Session Traversal Utilities for NAT (STUN) protocol, which is a protocol that helps devices behind NAT to find their public IP address and port number, facilitating peer-to-peer communication,” explained WatchGuard.

“The advantage for threat actors to use web conferencing traffic in their campaigns is because this traffic is noisy, difficult to monitor, and because WebRTC is widely used in all major web conferencing platforms.”

Two other DLLs associated with the campaign, libffi-6.dll and libpng15.dll, rely on the Interactive Connectivity Establishment (ICE) protocol rather than STUN to achieve the same goal. These files reference banks and financial institutions operating in Portugal, among them Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos and Santander, as well as the fintechs Revolut and Wise.
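The reason STUN blends in so well is that it is a small, fixed-format UDP protocol that browsers and conferencing clients emit constantly; the only reliable way to separate the malware's use of it from legitimate use is to parse it and ask which process sent it. The block below is an added example, not WatchGuard's code: it implements an RFC 5389 STUN message parser (header validation via the magic cookie, attribute walking with 32-bit padding, and XOR-MAPPED-ADDRESS decoding), constructs both sides of a Binding exchange, and flags Binding traffic from processes outside an allowlist. The process names, the allowlist, the packet bytes and the idea of pairing a payload with its sending process (as an EDR's network telemetry would) are all assumptions for illustration.

```python
"""Parse STUN (RFC 5389) messages and flag Binding traffic from unexpected processes.

Added example, not WatchGuard's code. The process names, allowlist and packet
bytes below are constructed for illustration.
"""
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442
BINDING = 0x001
CLASS_NAMES = {0: "request", 1: "indication", 2: "success", 3: "error"}
ATTR_NAMES = {0x0001: "MAPPED-ADDRESS", 0x0006: "USERNAME", 0x0008: "MESSAGE-INTEGRITY",
              0x0020: "XOR-MAPPED-ADDRESS", 0x8022: "SOFTWARE", 0x8028: "FINGERPRINT"}


def msg_class(msg_type):
    """Class bits C1 (bit 8) and C0 (bit 4) of the 14-bit message type."""
    return ((msg_type >> 7) & 0b10) | ((msg_type >> 4) & 0b1)


def msg_method(msg_type):
    """Method bits with the two class bits squeezed out."""
    return (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)


def xor_mapped_address(addr, port):
    """Encode an IPv4 XOR-MAPPED-ADDRESS attribute as a STUN server would."""
    ip = int(ipaddress.IPv4Address(addr))
    body = struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), ip ^ MAGIC_COOKIE)
    return struct.pack("!HH", 0x0020, len(body)) + body


def decode_xor_mapped(value, txid):
    """Undo the XOR obfuscation: port with the top 16 cookie bits, address with cookie (+txid for IPv6)."""
    family = value[1]
    port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
    if family == 0x01:
        ip = ipaddress.IPv4Address(struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE)
    elif family == 0x02:
        key = struct.pack("!I", MAGIC_COOKIE) + txid
        ip = ipaddress.IPv6Address(bytes(a ^ b for a, b in zip(value[4:20], key)))
    else:
        raise ValueError("unknown address family")
    return str(ip), port


def parse_stun(payload):
    """Return a dict describing the message, or None if payload is not well-formed STUN."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    txid = payload[8:20]
    # RFC 5389: top two bits zero, magic cookie present, body a multiple of 4 and fully present.
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE or length % 4 or len(payload) < 20 + length:
        return None
    attrs, pos, end = {}, 20, 20 + length
    while pos + 4 <= end:
        a_type, a_len = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + a_len]
        if len(value) != a_len:
            return None  # truncated attribute
        name = ATTR_NAMES.get(a_type, f"0x{a_type:04x}")
        attrs[name] = decode_xor_mapped(value, txid) if a_type == 0x0020 else value
        pos += 4 + ((a_len + 3) & ~3)  # attribute values are padded to 32-bit boundaries
    return {"class": CLASS_NAMES[msg_class(msg_type)], "method": msg_method(msg_type),
            "txid": txid, "attrs": attrs}


# Constructed exchange: a client Binding Request and the server's Binding Success Response,
# plus a DNS query that passes the type check but lacks the magic cookie.
TXID = bytes(range(12))
BINDING_REQUEST = struct.pack("!HHI", 0x0001, 0, MAGIC_COOKIE) + TXID
_body = xor_mapped_address("203.0.113.7", 50000)
BINDING_SUCCESS = struct.pack("!HHI", 0x0101, len(_body), MAGIC_COOKIE) + TXID + _body
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")

# Assumption: processes expected to speak STUN/WebRTC in this environment.
ALLOWED_STUN_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "zoom.exe"}

# Constructed observations of (sending process image name, UDP payload).
FLOWS = [
    ("teams.exe", BINDING_REQUEST),
    ("viewer.exe", BINDING_REQUEST),   # a non-conferencing host process emitting STUN
    ("viewer.exe", BINDING_SUCCESS),   # response direction, included to exercise attribute parsing
    ("svchost.exe", DNS_QUERY),
]


def flag_unexpected_stun(flows, allowed=ALLOWED_STUN_PROCESSES):
    """Return (process, class, attrs) for STUN Binding traffic from processes not on the allowlist."""
    hits = []
    for proc, payload in flows:
        msg = parse_stun(payload)
        if msg and msg["method"] == BINDING and proc.lower() not in allowed:
            hits.append((proc, msg["class"], msg["attrs"]))
    return hits


if __name__ == "__main__":
    for hit in flag_unexpected_stun(FLOWS):
        print(hit)
```

The magic cookie check is what makes this usable on raw UDP: many protocols have a zero top bit pair in their first two bytes, but only STUN carries 0x2112A442 at offset 4. The decoded XOR-MAPPED-ADDRESS is the victim's public endpoint as the STUN server saw it, which is exactly what the malware needs for its peer-to-peer channel.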

WatchGuard also said it identified another campaign in which phishing emails were used to deliver a ZIP archive hosted on MediaFire. The archive contains an obfuscated Visual Basic Script that launches an executable, which displays a message asking the user to update Adobe Reader by clicking a button embedded in the notification.

Doing so triggers a series of checks designed to evade detection and complicate analysis before the final payload, which steals banking credentials and other sensitive data, is delivered. Some of the tactics overlap with an earlier Grandoreiro campaign documented by Kaspersky in October 2024.

“The big story here isn’t just that Grandoreiro still works,” WatchGuard said. “It’s that financially motivated groups continue to adapt quickly, re-use legitimate services, and hide in traffic patterns that many organizations may not scrutinize.”

“Combining phishing, DLL sideloading, WebRTC-related components, cloud service abuse, and anti-analysis checks, these campaigns demonstrate how banking malware becomes difficult to detect with surface-level protection alone.”

BTMOB Offers Customizable Campaign Tools

The disclosure coincides with a report from ESET about BTMOB, an Android remote access trojan (RAT) that first appeared in February 2025. It has the ability to unlock devices, capture screenshots and keystrokes, automatically steal information through HTML injections when certain apps are opened, and give the operator remote control of the device. Subsequent iterations introduced the ability to capture Alipay PINs.

“The RAT is also sold with an APK builder interface, which allows anyone to generate new payloads and tailor phishing themes to specific regions at a quick clip – and without writing any code,” said ESET researcher Daniel Cunha Barbosa.

These ready-made tools further reduce the time and effort required to achieve full device compromise. The malware spreads mainly through social engineering: users are sent links to fake websites masquerading as streaming services or cryptocurrency mining platforms.

From those sites, victims are directed to fake Google Play Store listings that trick them into installing an Android package (APK) file containing the malware. Once installed, the malware requests access to Android's accessibility services and uses them to grant itself additional permissions without any further user interaction.

BTMOB is believed to be a successor to the CraxsRAT, CypherRAT, and SpySolr families. As of May 2026, the latest version of the malware is 4.5.5, which its seller says offers improved APK protection and compatibility with the latest Google Play updates.

“This update is all about speed and stability,” the X profile allegedly linked to the malware posted on May 1, 2026. “We’ve expanded our infrastructure and refined the builder to keep you ahead of the latest mobile security.”

The trojan is advertised by a threat actor known as EVLF (@craxso) with a price tag of $700 per month. According to a YouTube video shared by the malware author on May 1, 2026, a lifetime license costs $1,200. The complete server source code is available for $7,000, allowing customers to host the command-and-control (C2) panel on their own infrastructure.

Earlier this week, the X profile also shared a link to a Medium article about “how the BTMOB RAT is turning Android phones into remote-controlled weapons,” which it describes as “coming soon” from early 2025.

“It sneaks into phishing sites, hijacks accessibility services, and turns your phone into a puppet,” the article reads. “Hackers are watching your screen live. They’re stealing bank details. They’re even holding my crypto in the background while you’re scrolling through Instagram.”

Interestingly, the article was published by an account called “CraxsRAT Main Developer.” The account's profile describes him as “a skilled and intelligent hacker who has built a lucrative cybercrime business by selling highly sophisticated RAT malware to other threat actors.”

The fact that BTMOB is sold under a malware-as-a-service (MaaS) model risks lowering the barrier to entry for less skilled threat actors. This is compounded by reports that leaked versions are already circulating on underground forums and Telegram, increasing the risk of abuse by copycats and other emerging criminals.

“Access is rarely contained forever, and the tool can enter secondary markets through resale, exchange, or sharing within closed groups,” ESET said. “Competing malware families can also copy features that make custom payload and campaign management easier for less skilled criminals.”

The Italian cybersecurity company D3Lab, in an analysis of the leaked BTMOB RAT development kit published in December 2025, said that it includes the Android payload source code, its dropper, the builder environment, the Windows operator panel, the C2 backend, and all the software dependencies needed to run the platform.

“The BTMOB leak provides a rare glimpse into the inner workings of the modern Android RAT-as-a-Service ecosystem,” D3Lab noted at the time. “It shows that the threat actor is not just working as a developer selling a toolkit, but as a service provider enforcing licensing, authentication, and version control over their customers.”
