
Grandoreiro, BTMOB Malware Attacks: Latest Tactics

The cybersecurity landscape just got a little more complicated. Two prominent malware families, Grandoreiro and BTMOB, are making a comeback with sophisticated new tactics, forcing a reevaluation of existing defenses.


Key Takeaways

  • Grandoreiro is leveraging WebRTC and P2P communication protocols (STUN/ICE) to hide its command and control traffic within legitimate, noisy network patterns.
  • BTMOB offers a ready-made APK builder, significantly lowering the technical barrier for creating and deploying Android RAT payloads.
  • Both malware families demonstrate a trend of financially motivated threat actors rapidly adapting, reusing legitimate services, and employing sophisticated anti-analysis techniques to evade detection.

Remember when we all expected the next big cyber threat to be a tidal wave of AI-generated phishing or some never-before-seen zero-day exploit? Well, the reality, as it often is, is far more grounded and, frankly, more insidious.

We’re not talking about futuristic cyber warfare just yet. Instead, the focus is squarely on two old hands: Grandoreiro, a banking trojan that’s been around since 2016, and BTMOB, an Android remote access trojan (RAT) that’s only a few months old but packing serious punch. Both are now actively targeting users in Latin America and Europe, according to fresh reports from WatchGuard and ESET. This isn’t just a minor resurfacing; it signals a strategic evolution that’s making these threats far harder to catch.

Grandoreiro’s Sophisticated Resurgence

For Grandoreiro, this isn’t a ‘back from the dead’ story as much as it is a ‘continually evolving threat’ narrative. It’s been actively targeting banks across 45 countries, and despite efforts by Brazilian authorities to shut down its infrastructure earlier this year, it’s not only persisted but has doubled down. What’s new? The latest campaigns observed by WatchGuard are leaning heavily into DLL side-loading, a classic technique that’s been given a modern twist. They’re abusing legitimate software to load malicious DLLs developed in Delphi 11 – a language favored for malware targeting this particular region.

The real ingenuity here lies in how they’re masking their command and control (C2) traffic. Two of the DLLs, mingwm10.dll and libwebp.dll, are incorporating libraries like sgcWebSockets to use WebRTC and STUN protocols. Why is this a big deal? Because WebRTC traffic—the kind used for video conferencing and real-time communication—is notoriously noisy and difficult for security tools to scrutinize. It’s like hiding a whisper in a rock concert. The malware operators are essentially piggybacking on legitimate, often trusted, communication patterns.

“The bigger story here is not just that Grandoreiro is still active. It is that financially motivated threat groups continue to adapt quickly, reuse legitimate services, and hide inside traffic patterns that many organizations may already trust.”

Other DLLs, like libffi-6.dll and libpng15.dll, are using the ICE protocol instead of STUN, but the goal is the same: P2P and WebRTC communication. Crucially, these files are hardcoded with references to specific Portuguese banks and financial institutions like Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, and Santander, and even fintechs like Revolut and Wise. This precision targeting, combined with the sophisticated evasion techniques, makes Grandoreiro a serious threat to financial institutions in the region.
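A defender-side illustration of the C2 pattern described above, added here and not part of the original report: the STUN header check is standard RFC 5389 (magic cookie 0x2112A442), while the event shapes, the WebRTC process allowlist and the sample events are constructed assumptions, so the field names would need mapping to whatever telemetry (e.g. image-load and network events) a given EDR emits.

```python
import struct
from dataclasses import dataclass

STUN_MAGIC_COOKIE = 0x2112A442   # RFC 5389 fixed value in every STUN header
STUN_BINDING_REQUEST = 0x0001
# Assumed allowlist of processes expected to speak WebRTC/STUN in an estate.
WEBRTC_ALLOWLIST = {"teams.exe", "zoom.exe", "chrome.exe", "msedge.exe"}
# DLL names the WatchGuard report ties to the WebRTC/STUN/ICE C2 code.
SUSPECT_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass
class ImageLoad:          # hypothetical image-load telemetry record
    process: str
    dll_path: str

@dataclass
class UdpSend:            # hypothetical UDP send record with captured payload
    process: str
    payload: bytes

def is_stun_request(payload: bytes) -> bool:
    """True if the UDP payload starts with a STUN Binding Request header."""
    if len(payload) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # Type must be Binding Request, cookie must match, body length must add up.
    return (msg_type == STUN_BINDING_REQUEST and cookie == STUN_MAGIC_COOKIE
            and length == len(payload) - 20)

def sideloaded_suspect_dll(ev: ImageLoad) -> bool:
    """A suspect DLL name loaded from outside the Windows system directories."""
    path = ev.dll_path.lower()
    name = path.rsplit("\\", 1)[-1]
    return name in SUSPECT_DLLS and not path.startswith(SYSTEM_DIRS)

def find_webrtc_c2_candidates(loads, sends):
    """Non-allowlisted processes that side-loaded a suspect DLL and then sent STUN."""
    loaders = {ev.process.lower() for ev in loads if sideloaded_suspect_dll(ev)}
    hits = {ev.process.lower() for ev in sends
            if ev.process.lower() not in WEBRTC_ALLOWLIST
            and ev.process.lower() in loaders and is_stun_request(ev.payload)}
    return sorted(hits)

# Constructed sample events (not taken from the report).
STUN_REQ = struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + b"\x11" * 12
SAMPLE_LOADS = [
    ImageLoad("updater.exe", r"C:\Users\ana\AppData\Roaming\Upd\libwebp.dll"),
    ImageLoad("viewer.exe", r"C:\Program Files\Viewer\libpng15.dll"),
]
SAMPLE_SENDS = [UdpSend("updater.exe", STUN_REQ), UdpSend("zoom.exe", STUN_REQ),
                UdpSend("viewer.exe", b"\x00" * 20)]
```

The rule fires only on the combination (suspect DLL from a user-writable path plus STUN from a process that has no business doing WebRTC), which is what keeps it from drowning in the legitimate conferencing traffic the malware hides behind.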

And it’s not just DLL side-loading. Another observed campaign uses phishing emails to deliver a ZIP archive from Mediafire. This archive contains an obfuscated Visual Basic Script that launches an executable. The user is then tricked into clicking a button to ‘update Adobe Reader’ – a classic social engineering ploy. Post-click, the malware employs a series of anti-analysis tricks before deploying its payload to steal banking credentials and sensitive data. Some of these tactics mirror previously identified Grandoreiro campaigns, showing a continuous, iterative improvement cycle.

BTMOB: The All-in-One Android Toolkit

While Grandoreiro is refining its approach on Windows, ESET is shining a light on BTMOB, an Android RAT that’s making waves for its accessibility to aspiring cybercriminals. Emerging in February 2025, BTMOB isn’t just about stealing data; it offers a complete package for carrying out attacks. Its capabilities include unlocking devices, taking screenshots, logging keystrokes, and, critically, automating credential theft via HTML injection when specific apps are opened. Later versions even snagged Alipay PINs. That’s a nasty combo for anyone managing finances on their phone.

But the truly alarming aspect of BTMOB is how it’s being distributed. It’s sold with an APK builder interface. Think of it as a ‘malware-as-a-service’ for Android. This means that even individuals with minimal technical skills can generate new malicious app payloads, tailor them for specific regions, and craft convincing phishing lures – all without writing a single line of code. This dramatically lowers the barrier to entry for mobile malware operations.

The distribution vector relies on social engineering, luring victims to fake websites disguised as streaming services or crypto mining platforms. From there, users are directed to fake Google Play Store listings, duping them into installing an APK containing the BTMOB malware. Once on the device, BTMOB seeks permissions for Android’s accessibility services. This is a critical step because it allows the malware to grant itself further system access without requiring further user interaction. It’s a chillingly efficient way to gain deep control over a device.

ESET posits that BTMOB is likely the successor to other notable Android RATs like CraxsRAT, CypherRAT, and SpySolr. The latest version, 4.5.5, even claims enhanced APK protection. This suggests a rapid development cycle focused on improving stealth and resilience.

The Takeaway: It’s the Adaptation, Stupid

Look, these aren’t necessarily ‘new’ types of malware in the strictest sense. Grandoreiro has been around for years, and RATs on Android are hardly novel. What’s changing, and what’s truly concerning, is the sophistication of their adaptation and distribution. Threat actors are getting better at blending in, reusing legitimate services, and exploiting trusted communication channels. They’re making it incredibly difficult for even advanced security solutions to distinguish malicious activity from normal traffic.

For Grandoreiro, the embrace of WebRTC and P2P communication is a masterful piece of evasion. For BTMOB, the ‘malware-as-a-service’ builder democratizes advanced mobile attacks. The combined effect is that surface-level defenses are simply no longer sufficient. Organizations and individuals need to move beyond simple signature-based detection and embrace deeper, more behavioral, and context-aware security strategies. It’s no longer about finding the monster under the bed; it’s about recognizing when the entire house is designed to hide it.



Frequently Asked Questions

What is Grandoreiro malware?

Grandoreiro is a banking trojan that has been active since 2016. It’s designed to steal financial credentials from users across numerous countries and is known for its evolving tactics, including DLL side-loading and the use of WebRTC for obfuscated command and control communications.

How does BTMOB RAT spread?

BTMOB RAT primarily spreads through social engineering. Victims are lured to fake websites and then tricked into downloading malicious APK files from fake app stores. It also uses Android’s accessibility services to gain deeper system access once installed.

Are these attacks new?

While the malware families themselves are not entirely new (Grandoreiro has been around since 2016, BTMOB since early 2025), the tactics being employed in their latest campaigns are highly sophisticated and represent significant evolution in evasion and distribution methods.

Written by Wei Chen

Technical security analyst. Specialises in malware reverse engineering, APT campaigns, and incident response.



Originally reported by The Hacker News
