Two newly documented campaigns target the platforms where banking now happens: the Grandoreiro banking trojan on Windows and the BTMOB remote access trojan (RAT) on Android, with financial institutions and mobile users across Europe and Latin America in the crosshairs. Neither campaign, as reported, depends on exploiting a software vulnerability; both get in through social engineering and then abuse legitimate software functionality, which is precisely what makes them hard for traditional security controls to catch.
The Grandoreiro Resurgence: A Persistent Threat to Financial Institutions
Findings from security vendors WatchGuard and ESET detail the Grandoreiro campaign's focus on companies in Spain, Portugal, and Mexico. Grandoreiro, a banking trojan active since at least 2016, has a well-documented history of stealing credentials for accounts at thousands of financial institutions across 45 countries and territories, and its longevity and adaptability make it a persistent threat to the financial sector.
Despite efforts by Brazilian authorities, who dismantled infrastructure and arrested key operators in early 2024, Grandoreiro has proved resilient. The malware quickly resurfaced with a wider geographical reach and new evasion techniques, such as CAPTCHA checks that stall automated analysis and detection. This adaptability is a hallmark of mature cybercrime operations, which keep refining their tools and tactics to stay ahead of law enforcement and security controls.
The latest Grandoreiro campaign, flagged by WatchGuard researcher Euler Neto, is notable for its use of DLL side-loading. In this technique the attacker ships a legitimate, often signed, executable together with a malicious dynamic-link library (DLL) that carries the name of one of that executable's genuine dependencies; because Windows searches the application's own directory before the system directories, the host loads the attacker's library and the malware runs inside a trusted-looking process. The campaign targets banks in Portugal, and its DLLs are built in Delphi 11 (Object Pascal), the toolchain that Latin American banking trojan families, Grandoreiro included, have relied on for years.
Two of the identified malicious DLLs, mingwm10.dll and libwebp.dll (both names borrowed from common open-source runtime libraries that legitimate applications expect to find beside their executable), embed sgcWebSockets, a legitimate Delphi WebSocket and real-time communication library. With it the malware can set up peer-to-peer (P2P) and WebRTC (Web Real-Time Communication) channels, giving its command-and-control (C2) path more cover and resilience than a fixed server would. WatchGuard explains that these DLLs use the Session Traversal Utilities for NAT (STUN) protocol, through which a host behind a Network Address Translator (NAT) learns the public IP address and port its traffic appears to come from, the prerequisite for any direct P2P connection. The attraction for the operators is that WebRTC and STUN are the everyday plumbing of the major web-conferencing platforms, so this traffic is abundant and "noisy" on most networks and a malicious session is hard to pick out from legitimate ones.

Two further DLLs in the campaign, libffi-6.dll and libpng15.dll, use the Interactive Connectivity Establishment (ICE) framework rather than bare STUN to reach the same goal; ICE itself relies on STUN (and, where no direct path works, TURN relays) to gather candidate addresses and test which pair actually connects. These files contain explicit references to a wide array of banks and financial institutions operating in Portugal, including Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, and Santander. Challenger banks and fintech platforms such as Revolut and Wise are also on the target list, indicating credential theft aimed across the full range of financial services.
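To make concrete what the STUN step in the DLLs' WebRTC setup actually does, and how a defender can recognise it on the wire, here is an added example (not code from WatchGuard, from the sgcWebSockets library, or from the malware itself): a minimal RFC 5389 Binding Request/Response builder and parser, plus a check that flags STUN-shaped UDP payloads coming from processes that are not known conferencing clients. The process names, the 203.0.113.7 address and the flow list are constructed for the example; the wire format and the magic cookie are those of the RFC.

```python
import os
import socket
import struct

# RFC 5389 constants
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def build_binding_request(txn_id=None):
    """What a NAT'd peer sends to a STUN server: a 20-byte header and no attributes."""
    txn_id = os.urandom(12) if txn_id is None else txn_id
    if len(txn_id) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def build_binding_response(txn_id, public_ip, public_port):
    """Server side: echo the transaction ID and report the reflexive (public) address,
    XORed with the magic cookie as RFC 5389 requires so that address-rewriting NATs
    do not mangle it in transit."""
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)  # reserved, family=IPv4, X-Port, X-Address
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS_RESPONSE, len(attr), MAGIC_COOKIE) + txn_id + attr


def looks_like_stun(payload):
    """Wire-level check usable on any UDP payload: top two bits of the type are zero,
    the magic cookie is at offset 4, and the length field matches the datagram."""
    if len(payload) < HEADER_LEN:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    return ((msg_type & 0xC000) == 0 and cookie == MAGIC_COOKIE
            and length == len(payload) - HEADER_LEN and length % 4 == 0)


def parse_reflexive_address(payload, expected_txn_id=None):
    """Client side: walk the TLV attributes of a Binding Success Response and
    return the (ip, port) the server saw, i.e. this host's address outside the NAT."""
    if not looks_like_stun(payload):
        raise ValueError("not a STUN message")
    msg_type = struct.unpack("!H", payload[:2])[0]
    if msg_type != BINDING_SUCCESS_RESPONSE:
        raise ValueError("not a Binding Success Response: 0x%04x" % msg_type)
    if expected_txn_id is not None and payload[8:HEADER_LEN] != expected_txn_id:
        raise ValueError("transaction ID mismatch")
    off = HEADER_LEN
    while off + 4 <= len(payload):
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        val = payload[off + 4:off + 4 + alen]
        if len(val) != alen:
            raise ValueError("truncated attribute")
        if alen >= 8 and val[1] == 0x01:  # IPv4 only in this example
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                xport, xaddr = struct.unpack("!HI", val[2:8])
                return (socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE)),
                        xport ^ (MAGIC_COOKIE >> 16))
            if atype == ATTR_MAPPED_ADDRESS:
                port, addr = struct.unpack("!HI", val[2:8])
                return socket.inet_ntoa(struct.pack("!I", addr)), port
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no (XOR-)MAPPED-ADDRESS attribute")


def flag_unexpected_stun(flows, allowed_images):
    """Detection angle: STUN from anything that is not a known RTC client deserves a look.
    flows are (process image name, UDP payload) pairs, e.g. EDR network events joined
    to a packet capture; allowed_images is the site's baseline of legitimate STUN speakers."""
    allowed = {a.lower() for a in allowed_images}
    return sorted({img for img, payload in flows
                   if looks_like_stun(payload) and img.lower() not in allowed})


if __name__ == "__main__":
    txn = os.urandom(12)
    req = build_binding_request(txn)
    # Constructed exchange: a STUN server answers with the address the request came from.
    resp = build_binding_response(txn, "203.0.113.7", 51820)
    print("reflexive address:", parse_reflexive_address(resp, txn))
    # "viewer.exe" is an invented host name standing in for a side-loading host process.
    print("unexpected STUN senders:", flag_unexpected_stun(
        [("teams.exe", req), ("viewer.exe", req), ("svchost.exe", b"\x00" * 28)], {"teams.exe"}))
```

The magic cookie 0x2112A442 sits at offset 4 of every RFC 5389 message, which is why looks_like_stun works as a cheap first-pass filter in a packet pipeline. The more useful signal, though, is the pairing with the sending process: STUN from a browser or a conferencing client is normal, STUN from an unsigned Delphi DLL inside an unrelated host is not. ICE, used by the other two DLLs, is built from exactly these Binding exchanges run against several candidate addresses.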
Beyond DLL side-loading, WatchGuard also documented a Grandoreiro campaign built on classic phishing. Recipients are lured by deceptive emails linking to ZIP archives hosted on legitimate file-sharing services such as Mediafire. Inside is an obfuscated Visual Basic Script which, when the victim runs it, launches an executable that shows a fake Adobe Reader update prompt. Once that prompt is accepted, the executable runs a series of anti-detection and anti-analysis checks before dropping the final payload, built to exfiltrate banking information and other sensitive data. The chain resembles a Grandoreiro campaign described by Kaspersky in October 2024, a sign of how steadily the group reuses and refines its delivery tooling.
WatchGuard’s analysis emphasizes that the mere persistence of Grandoreiro is not the full story. The deeper narrative reveals how financially motivated threat groups are rapidly adapting, reusing legitimate services to mask their activities, and embedding themselves within trusted traffic patterns that many organizations might overlook. The sophisticated blend of phishing, DLL side-loading, WebRTC-related components, cloud service abuse, and anti-analysis checks illustrates a significant shift. Banking malware is becoming increasingly difficult to detect with only surface-level defenses, necessitating multi-layered security strategies and advanced threat intelligence.
BTMOB: The Android RAT-as-a-Service Threat Takes Hold
Alongside the Grandoreiro findings, ESET has published an analysis of BTMOB, an Android remote access trojan (RAT) first seen in February 2025. BTMOB ships with a broad set of capabilities for taking over a device: remotely unlocking it, capturing screenshots, logging keystrokes, stealing credentials by overlaying HTML injections when targeted applications are opened, and full remote control of the handset. A later release added the ability to capture Alipay PINs, showing how the developers add modules aimed at specific popular payment platforms.
One of the most concerning aspects of BTMOB is its malware-as-a-service (MaaS) model. As ESET researcher Daniel Cunha Barbosa noted, the RAT is sold with an APK builder interface, a point-and-click tool that lets even a technically unskilled buyer generate new malicious payloads and tailor phishing lures to a region in minutes without writing any code. Such a ready-made kit lowers the barrier to entry for aspiring cybercriminals and cuts the time and effort needed to reach full device compromise.
BTMOB's infection vector is social engineering from start to finish. Victims are directed to bogus websites posing as streaming services or cryptocurrency mining platforms, and from there to fake Google Play Store listings that deliver a malicious Android package (APK). Once installed, the app immediately asks for extensive permissions, above all enrolment as an Android accessibility service. Accessibility services can read what is on screen and inject taps on the user's behalf, so once that single grant is obtained the malware can click through further permission prompts and settings screens itself, taking control of the device without any more interaction from the victim.

BTMOB is believed to be the successor in a lineage of Android malware families, including CraxsRAT, CypherRAT, and SpySolr, indicating a continuous evolution of tools and techniques from a consistent threat actor group. As of May 2026, the malware has reached version 4.5.5, with its developers claiming enhanced APK protection and compatibility with the latest Google Play updates. An X (formerly Twitter) profile, allegedly linked to the malware’s developers, posted on May 1, 2026, stating, "This update is all about speed and stability. We’ve expanded our infrastructure and refined the builder to keep you ahead of the latest mobile security patches." This public announcement underscores the developers’ active maintenance and continuous efforts to improve their product’s efficacy and evasion capabilities.
The trojan is openly advertised and sold by a threat actor known as EVLF (@craxso), identified in prior reports as a Syrian cybercriminal. BTMOB is priced at $700 per month, with a lifetime license available for $1,200, as shown in a YouTube video the malware author shared on May 1, 2026. For buyers who want full autonomy, the complete server source code is offered for $7,000, which lets them host their own command-and-control (C2) panels on private infrastructure.
Adding another layer of self-promotion and instruction, the X profile recently shared a link to a Medium article titled "The Silent Hijack: How BTMOB RAT is Turning Android Phones into Remote-Controlled Weapons." The article, which explicitly mentions BTMOB’s rapid evolution since early 2025, vividly describes its modus operandi: "It slips in through phishing sites, grabs accessibility services, and turns your phone into a puppet. Hackers watch your screen live. They steal banking details. They even mine crypto in the background while you scroll Instagram." Intriguingly, this article was published by an account named "CraxsRAT Main developer," whose bio boasts of being a "skilled and resourceful cybercriminal who built a profitable cybercrime enterprise by selling highly advanced RAT malware to other threat actors." This brazen self-promotion in public forums highlights the increasing commercialization and visibility of cybercrime tools.
The MaaS model of BTMOB significantly lowers the barrier to entry for less sophisticated threat actors, democratizing access to powerful cybercrime capabilities. This risk is further compounded by reports of leaked versions of BTMOB circulating on underground forums and Telegram channels. Such leaks inevitably increase the potential for widespread abuse, enabling copycats and other aspiring criminals to deploy the malware without having to purchase it directly from the original developer. ESET cautions that "Access rarely stays contained forever, and the tool can move into secondary markets through resale, barter, or sharing inside closed groups." Furthermore, competing malware families can swiftly adopt and integrate elements that simplify payload customization and campaign management for less skilled criminals, fostering an ecosystem of rapid iteration and imitation.
Italian cybersecurity firm D3Lab provided an insightful analysis of a leaked BTMOB RAT development toolkit in December 2025. Their findings revealed a comprehensive package that included the Android payload source code, its dropper, a builder environment, the operator panel for Windows, the C2 backend, and all necessary software dependencies to deploy the entire platform. D3Lab’s report underscored that "The BTMOB leak provides a rare perspective on the inner workings of a modern Android RAT-as-a-Service ecosystem. It demonstrates that the threat actor operates not merely as a developer selling a toolkit, but as a service provider enforcing licensing, authentication, and version control over their customers." This indicates a highly professionalized and organized approach to cybercrime, mirroring legitimate software businesses.
Broader Implications and Expert Warnings
The parallel targeting of Windows and Android with Grandoreiro and BTMOB, respectively, underscores a clear trend in the cybercrime landscape: financially motivated groups are growing more sophisticated and more comfortable working across platforms. The convergence of DLL side-loading, the abuse of legitimate communication protocols (STUN/ICE), the abuse of legitimate cloud file hosting, polished social engineering, and the spread of malware-as-a-service models creates a formidable challenge for security teams and end-users alike.

The fact that these campaigns target critical financial infrastructure and individual mobile users highlights the dual threat posed by these malware families. For organizations, Grandoreiro represents a direct assault on banking systems and corporate credentials, potentially leading to massive financial losses and reputational damage. The use of P2P and WebRTC communications makes detection particularly difficult, as the malicious traffic can blend seamlessly with legitimate network activity, evading traditional perimeter defenses.
For individuals, BTMOB poses an insidious threat to personal privacy and financial security. By gaining control over Android devices through accessibility services, threat actors can bypass multi-factor authentication, intercept sensitive communications, and directly manipulate banking applications. The MaaS model further democratizes these powerful tools, making it easier for a wider range of criminals to launch attacks, potentially leading to a surge in mobile banking fraud and identity theft.
Cybersecurity experts consistently emphasize a multi-layered defense. For organizations that means endpoint detection and response (EDR), current threat intelligence, regular phishing-focused awareness training, and continuous monitoring of network traffic for anomalies. Against DLL side-loading specifically, application control (for example Windows Defender Application Control or AppLocker rules that cover DLLs, not just executables) stops unapproved libraries from loading at all, and image-load telemetry can be hunted for the tell-tale pattern of a host process loading an unsigned DLL from a user-writable directory. On the network side, baselining which processes legitimately speak STUN and WebRTC makes the same protocols coming from an unexpected binary stand out instead of blending in.
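As an added example of the image-load hunt just described (written for this page, not WatchGuard's or any vendor's detection content), the following Python scores Sysmon-style ImageLoad (Event ID 7) records. It combines three signals: the loaded DLL is unsigned or its signature is invalid, the DLL sits in the same user-writable directory as the host process (the classic side-loading layout), and the DLL name is one of the four reported in the campaign. The four DLL file names come from the article; the sample events, paths and host executable names are constructed, and the field names follow Sysmon's (Image, ImageLoaded, Signed, SignatureStatus), which describe the loaded DLL, not the host.

```python
import ntpath
import re

# DLL names WatchGuard reported in the Grandoreiro side-loading campaign (from the article).
# All four are also names of genuine open-source runtime libraries, which is why they work as decoys.
SUSPECT_DLL_NAMES = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Locations an unprivileged user can write to. Assumption for this example: a properly installed
# copy of a signed host binary lives under Program Files or Windows, never here.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|programdata|windows\\temp)(?:\\|$)",
    re.IGNORECASE,
)


def is_user_writable(path):
    return USER_WRITABLE.match(path) is not None


def score_image_load(ev):
    """Score one Sysmon-style ImageLoad record (a dict) and explain the score.
    Sysmon's Signed/SignatureStatus fields refer to ImageLoaded (the DLL); the event
    carries no signature information about the host process itself."""
    host, dll = ev["Image"], ev["ImageLoaded"]
    score, reasons = 0, []
    dll_signed = ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid"
    if not dll_signed:
        score += 2
        reasons.append("loaded DLL is unsigned or its signature is invalid")
    same_dir = ntpath.dirname(host).lower() == ntpath.dirname(dll).lower()
    if same_dir and is_user_writable(dll):
        score += 2
        reasons.append("DLL sits beside the host process in a user-writable directory")
    if ntpath.basename(dll).lower() in SUSPECT_DLL_NAMES:
        score += 1
        reasons.append("DLL name matches one reported in the campaign")
    return score, reasons


def triage(events, threshold=4):
    """Return (host, dll, score, reasons) for every event scoring at or above threshold.
    With the default threshold an unsigned DLL beside its host in a user-writable path
    alerts on its own; the campaign name list only adds weight, so renamed decoys still fire."""
    alerts = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            alerts.append((ev["Image"], ev["ImageLoaded"], score, reasons))
    return alerts


# Constructed sample telemetry (not real events). Directory and executable names are invented;
# only the DLL names in SUSPECT_DLL_NAMES come from the reporting.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\ana\AppData\Local\Temp\AdobeUpdate\viewer.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\AdobeUpdate\libwebp.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\ImageTool\imagetool.exe",
     "ImageLoaded": r"C:\Program Files\ImageTool\libwebp.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\ana\Downloads\portable\tool.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\portable\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for host, dll, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {host} loaded {dll}")
        for r in reasons:
            print("      -", r)
```

The second sample event shows why the name list alone is a poor rule: a properly installed, signed libwebp.dll under Program Files scores only 1. The fourth shows the opposite trade-off: the same layout with a DLL name nobody has reported still alerts, which is the behaviour you want against the next campaign, at the cost of some noise from legitimately portable applications that a site-specific allowlist of hosts can absorb.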
For individuals, vigilance is paramount. Install apps only from official stores such as Google Play, scrutinize the permissions an app requests, and treat any request to enable an accessibility service with suspicion unless the app is an assistive tool you deliberately chose; it is also worth periodically reviewing the device's Accessibility settings for services you do not recognise. Avoid links in unsolicited emails or messages, and keep the operating system and apps updated, since updates close the known vulnerabilities that other malware exploits.
The battle against these evolving threats requires not only technological solutions but also enhanced international collaboration among law enforcement agencies, cybersecurity firms, and financial institutions. Sharing threat intelligence, coordinating enforcement actions, and educating the public are critical components in disrupting these persistent and adaptive cybercriminal operations. The continued evolution of malware like Grandoreiro and BTMOB serves as a stark reminder that the cybersecurity landscape is in a constant state of flux, demanding perpetual vigilance and adaptation from all stakeholders.
