Grandoreiro and BTMOB Malware Campaigns Target Financial Users

Recent findings reveal two distinct malware campaigns, Grandoreiro and BTMOB, targeting Windows and Android users in various regions, including Latin America and Europe.

Recent investigations have uncovered two malware campaigns, Grandoreiro and BTMOB, that are actively targeting Windows and Android users, particularly in Spain, Portugal, Mexico, and Brazil. These campaigns are designed to compromise financial information and exploit vulnerabilities in user devices.

Overview of Grandoreiro Malware

The Grandoreiro malware campaign has been operational since 2016 and continues to evolve. It primarily targets banking institutions in Portugal and is known for its ability to steal credentials from thousands of financial organizations across 45 countries. According to WatchGuard researcher Euler Neto, the campaign employs a technique known as DLL Side-Loading, which abuses four different software components to execute malicious code.

Despite earlier efforts by Brazilian authorities to disrupt its infrastructure, Grandoreiro has expanded its reach and incorporated advanced features such as CAPTCHA checks to evade detection. The latest findings indicate that the malware uses DLLs developed in Delphi 11, specifically mingwm10.dll and libwebp.dll, to facilitate peer-to-peer communications through protocols like STUN and ICE.

Targeted Financial Institutions

The malware specifically references several banks operating in Portugal, including Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, and Santander. It also targets international services like Revolut and Wise. The campaign has been linked to phishing emails that deliver malicious ZIP files containing obfuscated Visual Basic scripts, which prompt users to update Adobe Reader, ultimately leading to the theft of sensitive banking information.

BTMOB RAT Capabilities

In parallel, the BTMOB campaign has emerged as a significant threat to Android users. First identified in February 2025, BTMOB is a remote access trojan (RAT) that allows attackers to unlock devices, capture screenshots, log keystrokes, and automate credential theft through HTML injections. The malware is marketed with an APK builder interface, enabling even less experienced criminals to create customized payloads without coding skills.

BTMOB spreads primarily through social engineering tactics, directing users to counterfeit websites that mimic legitimate streaming services or cryptocurrency platforms. Victims are then misled into downloading malicious APK files. Once installed, BTMOB exploits Android’s accessibility services to gain additional permissions without user consent.

Market Dynamics and Risks

The BTMOB malware is sold under a malware-as-a-service (MaaS) model, which lowers the barrier to entry for less skilled threat actors. Reports indicate that leaked versions of BTMOB are circulating on underground forums, raising concerns about potential misuse by aspiring cybercriminals. The malware's developer, known as EVLF, promotes the service as a comprehensive tool for remote control of Android devices, further complicating the landscape of mobile security.

As of May 2026, the latest version of BTMOB is 4.5.5, which claims to enhance APK protection and compatibility with recent Google Play updates. The ongoing evolution of both Grandoreiro and BTMOB highlights the adaptive nature of financially motivated cyber threats, necessitating vigilant security measures from users and organizations alike.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
