    Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users

By InfoForTech, May 27, 2026
Latin America and Europe have become the targets of two banking trojan campaigns designed to infect Windows and Android devices with the Grandoreiro and BTMOB malware, respectively.

    That’s according to new findings from WatchGuard and ESET, which have observed the two malware families being used to single out companies in Spain, Portugal, and Mexico, as well as mobile users in Brazil.

    The Grandoreiro campaign “uses the DLL Side-Loading technique abusing four different software, targeting banks in Portugal,” WatchGuard researcher Euler Neto said.

    Active since 2016, Grandoreiro is an actively evolving banking malware that’s capable of stealing credentials associated with thousands of financial institutions across 45 countries and territories. It’s typically distributed via phishing emails, instructing recipients to click on sketchy links.

    Despite some arrests and attempts by Brazilian authorities to dismantle its infrastructure in early 2024, the malware has continued to expand its targeting footprint, while incorporating CAPTCHA checks to resist analysis.

    The latest campaign flagged by WatchGuard has been found to leverage DLL side-loading to launch DLLs that are developed in Delphi 11, a programming language commonly used for malware targeting the region. Two of the DLLs – mingwm10.dll and libwebp.dll – have been found to incorporate sgcWebSockets, a WebSocket and real-time communication library, for peer-to-peer (P2P) and WebRTC communications.

    “The DLLs associated with this case use the Session Traversal Utilities for NAT (STUN) protocol, which is a protocol that helps devices behind a NAT discover their public IP address and port number, enabling peer-to-peer communication,” WatchGuard explained.

    “The advantage for threat actors to use web conferencing traffic in their campaigns is due to this traffic being noisy, being difficult to monitor, and due to WebRTC being commonly used across all major web-conferencing platforms.”

    Two other DLLs associated with the campaign are libffi-6.dll and libpng15.dll, which make use of the Interactive Connectivity Establishment (ICE) protocol instead of STUN to achieve the same goal. These files specifically reference banks and financial institutions that operate in Portugal, such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, and Santander, among others. Also targeted are Revolut and Wise.
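The side-loading pattern described above (a DLL named like a common open-source library, dropped next to a legitimate executable in a user-writable directory) is something defenders can triage from endpoint image-load telemetry. The following is an added example, not code from the WatchGuard report: it filters constructed Sysmon-style Event ID 7 (ImageLoad) records for the four DLL names the article lists. The field names follow Sysmon's ImageLoad schema; the trusted-directory list and the sample events are assumptions made for the demo.

```python
# Added example (not from the WatchGuard/ESET reports): triage filter for the
# DLL side-loading pattern described in the article, applied to Sysmon-style
# ImageLoad (Event ID 7) records. Sample events below are constructed.
import ntpath  # handles Windows paths correctly even when run on Linux/macOS

# DLL file names the article reports being side-loaded by the Grandoreiro campaign
SIDELOADED_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Directories where a properly installed copy of these libraries would normally
# live; a load from anywhere else is worth a look (assumed list, tune per fleet)
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def is_suspicious_load(event):
    """Return a short alert string if the ImageLoad event matches the
    side-loading pattern (watched DLL name, loaded from an untrusted directory),
    otherwise None. An unsigned image strengthens the verdict."""
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    if dll not in SIDELOADED_DLLS:
        return None
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower() + "\\"
    if dll_dir.startswith(TRUSTED_ROOTS):  # str.startswith accepts a tuple
        return None
    reasons = ["loaded from untrusted path"]
    if event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned")
    host = ntpath.basename(event["Image"]).lower()
    return f"{host} loaded {dll} from {dll_dir} ({'; '.join(reasons)})"


def triage(events):
    """Run the filter over a batch of events and return only the alerts."""
    return [a for a in (is_suspicious_load(e) for e in events) if a]


# Constructed sample telemetry; process and directory names are placeholders
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\SomeApp\\app.exe",
     "ImageLoaded": "C:\\Program Files\\SomeApp\\libpng15.dll", "Signed": "true"},
    {"Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\Viewer\\viewer.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\Viewer\\libwebp.dll",
     "Signed": "false"},
    {"Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\Other\\tool.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\Other\\helper.dll",
     "Signed": "false"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the second sample event is flagged: the DLL name matches, it comes from a Temp directory, and it is unsigned. The first is a normal load from Program Files and the third is an unrelated DLL.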

    WatchGuard also said it identified another campaign in which phishing emails are used to deliver a ZIP archive hosted on Mediafire. The file contains an obfuscated Visual Basic Script that’s responsible for launching an executable, which displays a message asking users to update Adobe Reader by clicking on a button embedded in the alert.

    Doing so triggers a series of checks aimed at avoiding detection and complicating malware analysis, before launching the final payload to steal banking information and sensitive data. Some of the tactics overlap with a prior Grandoreiro campaign detailed by Kaspersky in October 2024.

    “The bigger story here is not just that Grandoreiro is still active,” WatchGuard said. “It is that financially motivated threat groups continue to adapt quickly, reuse legitimate services, and hide inside traffic patterns that many organizations may already trust.”

    “By combining phishing, DLL side-loading, WebRTC-related components, cloud service abuse, and anti-analysis checks, these campaigns show how banking malware is becoming harder to spot with surface-level defenses alone.”

    BTMOB Offers Ready-Made Campaign Tools

    The disclosure coincides with a report from ESET about BTMOB, an Android remote access trojan (RAT) that first emerged in February 2025 with capabilities to unlock devices, capture screenshots, log keystrokes, automate credential theft through HTML injections when certain apps are opened, and enable remote control. A subsequent iteration introduced the ability to capture Alipay PINs.

    “The RAT is also sold with an APK builder interface, allowing anyone to generate new payloads and adapt phishing lures for specific regions at a rapid clip – and without writing any code,” ESET researcher Daniel Cunha Barbosa said.

    These ready-made tools further bring down the time and effort required to conduct a full device compromise. The primary method through which the malware spreads is via social engineering, where users are sent links to bogus websites masquerading as streaming services or cryptocurrency mining platforms.

From those sites, victims are directed to fake Google Play Store app listings that trick them into installing an Android package (APK) file containing the malware. Once installed, the malware requests permission to use Android’s accessibility services and then leverages them to grant itself additional system access without any further user interaction.

    BTMOB is believed to be the successor to CraxsRAT, CypherRAT, and SpySolr families. As of May 2026, the latest version of the malware is 4.5.5, claiming to offer enhanced APK protection and compatibility with the latest Google Play updates.

    “This update is all about speed and stability,” an X profile allegedly linked to the malware posted on May 1, 2026. “We’ve expanded our infrastructure and refined the builder to keep you ahead of the latest mobile security patches.”

    The Trojan is advertised by a threat actor named EVLF (@craxso) for a price tag of $700 per month. According to a YouTube video shared by the malware author on May 1, 2026, a lifetime license is worth $1,200. The complete server source code is available for $7,000, allowing customers to host the command-and-control (C2) panels on their own infrastructure.

As recently as this week, the X profile also shared a link to a Medium article about “how BTMOB RAT is turning Android phones into remote-controlled weapons,” which says the malware has been “evolving fast” since early 2025.

    “It slips in through phishing sites, grabs accessibility services, and turns your phone into a puppet,” the article reads. “Hackers watch your screen live. They steal banking details. They even mine crypto in the background while you scroll Instagram.”

    Interestingly, the article was published by an account named “CraxsRAT Main developer.” The account’s bio claims they are a “skilled and resourceful cybercriminal who built a profitable cybercrime enterprise by selling highly advanced RAT malware to other threat actors.”

    The fact that BTMOB is sold under a malware-as-a-service (MaaS) model risks lowering the barrier to entry for less sophisticated threat actors. This is compounded by reports that leaked versions are already circulating on underground forums and Telegram, increasing the risk of abuse through copycats and other aspiring criminals.

    “Access rarely stays contained forever, and the tool can move into secondary markets through resale, barter, or sharing inside closed groups,” ESET said. “Competing malware families can also copy some elements that make payload customization and campaign management easier for less skilled criminals.”

    Italian cybersecurity company D3Lab, in an analysis of the leaked BTMOB RAT development toolkit published in December 2025, said it included the Android payload source code, its dropper, a builder environment, the operator panel for Windows, the C2 backend, and all the software dependencies required to deploy the platform.

    “The BTMOB leak provides a rare perspective on the inner workings of a modern Android RAT-as-a-Service ecosystem,” D3Lab noted at the time. “It demonstrates that the threat actor operates not merely as a developer selling a toolkit, but as a service provider enforcing licensing, authentication, and version control over their customers.”
