Published on May 28, 2026

Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users


Severity
Medium

Detail

Cybersecurity researchers have uncovered two major malware campaigns targeting both Windows and Android users across Latin America and Europe. The campaigns involve the banking trojan Grandoreiro and the Android RAT malware BTMOB, both designed to steal financial data and credentials and to gain remote control over infected devices.

The Grandoreiro campaign primarily targeted banks and financial institutions in Portugal, Spain, and Mexico. Attackers used phishing emails containing malicious links or ZIP archives to trick victims into downloading malware. The campaign abused DLL side-loading techniques by using legitimate software to load malicious DLL files without raising suspicion. Some malware components also used WebRTC and STUN/ICE protocols to blend malicious communications with legitimate web conferencing traffic, making detection more difficult.

Researchers identified references to several Portuguese financial institutions, including Banco de Portugal, Santander, Caixa Geral de Depósitos, BBVA PT, Revolut, and Wise. The malware was also equipped with anti-analysis techniques and CAPTCHA checks to evade security tools and researchers.

At the same time, ESET researchers revealed details about BTMOB, an Android Remote Access Trojan (RAT) first identified in early 2025. The malware targeted Android users in Brazil and was distributed through fake websites pretending to offer streaming services or cryptocurrency mining applications. Victims were redirected to fake Google Play pages and tricked into installing malicious APK files.

Once installed, BTMOB abuses Android accessibility services to silently grant itself elevated permissions. The malware can unlock devices, capture screenshots, log keystrokes, steal banking credentials using fake overlays, monitor user activity, remotely control the device, and even capture Alipay PINs. Researchers also discovered that BTMOB is sold under a Malware-as-a-Service (MaaS) model, allowing cybercriminals to purchase access to the toolkit, APK builders, and command-and-control infrastructure.

How?

Grandoreiro Infection Chain

  1. Victims receive phishing emails containing malicious links or attachments.
  2. Downloaded ZIP files contain obfuscated scripts or executables disguised as legitimate files.
  3. Malware uses DLL side-loading to execute malicious DLLs through trusted applications.
  4. The malware establishes communication channels using WebRTC, STUN, or ICE protocols to avoid detection.
  5. Grandoreiro performs anti-analysis checks before activating.
  6. Once active, it steals banking credentials and sensitive financial information from targeted users.
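Step 4 of the chain above is the one network defenders can hunt for: STUN traffic is normal for conferencing clients but unusual for an arbitrary process. The following is an added example (not code from the original advisory or from the researchers' report) that parses the fixed 20-byte STUN header described in RFC 5389 and flags STUN messages sent by processes outside an allowlist. The flow records, the process names and the allowlist are constructed assumptions; in practice the process attribution would come from an EDR network-connection event correlated with a packet capture.

```python
"""Flag STUN (WebRTC/ICE) traffic from processes not expected to use it.

Added detection example; the flow records below are constructed, not real captures.
"""
import struct
from dataclasses import dataclass

STUN_MAGIC_COOKIE = 0x2112A442      # fixed value in every RFC 5389 STUN header
STUN_BINDING_REQUEST = 0x0001

# Assumption: processes that legitimately speak STUN/ICE in this environment.
EXPECTED_STUN_PROCESSES = {"teams.exe", "zoom.exe", "chrome.exe", "msedge.exe"}


@dataclass
class FlowRecord:
    process: str      # originating process (from EDR telemetry)
    dst_ip: str
    dst_port: int
    payload: bytes    # first bytes of the UDP payload


def parse_stun_header(payload: bytes):
    """Return (msg_type, msg_length, transaction_id) for a valid STUN header, else None.

    Header layout (network byte order): 2-byte type with the top two bits zero,
    2-byte attribute length (multiple of 4), 4-byte magic cookie, 12-byte transaction ID.
    """
    if len(payload) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    if msg_type & 0xC000:            # top two bits must be zero
        return None
    if cookie != STUN_MAGIC_COOKIE:
        return None
    if msg_len % 4 != 0 or len(payload) < 20 + msg_len:
        return None
    return msg_type, msg_len, payload[8:20]


def find_suspicious_stun(flows):
    """Return alert dicts for STUN messages sent by processes outside the allowlist."""
    alerts = []
    for flow in flows:
        header = parse_stun_header(flow.payload)
        if header is None:
            continue                  # not STUN, nothing to do
        if flow.process.lower() in EXPECTED_STUN_PROCESSES:
            continue                  # expected conferencing client
        msg_type, _, txid = header
        alerts.append({
            "process": flow.process,
            "dst": f"{flow.dst_ip}:{flow.dst_port}",
            "stun_type": hex(msg_type),
            "txid": txid.hex(),
            "reason": "STUN message from process not in WebRTC allowlist",
        })
    return alerts


def _binding_request(txid: bytes) -> bytes:
    """Build a minimal STUN Binding Request (no attributes) for the sample data."""
    return struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid


# Constructed sample flows: one legitimate client, one unexpected process, one non-STUN packet.
SAMPLE_FLOWS = [
    FlowRecord("Teams.exe", "203.0.113.10", 3478, _binding_request(b"\x01" * 12)),
    FlowRecord("updater.exe", "198.51.100.7", 3478, _binding_request(b"\x02" * 12)),
    FlowRecord("svchost.exe", "192.0.2.53", 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 14),
]

if __name__ == "__main__":
    for alert in find_suspicious_stun(SAMPLE_FLOWS):
        print(alert)
```

The allowlist is the tuning point: on a host where no conferencing software is installed it can be empty, at which point any STUN binding request from a user-land process is worth a look. The check on the magic cookie keeps ordinary DNS or other UDP payloads from producing false positives.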

BTMOB Infection Chain

  1. Users visit fake websites impersonating streaming or crypto services.
  2. Victims are redirected to fake Google Play pages.
  3. A malicious APK containing BTMOB is downloaded and installed.
  4. The malware requests Android accessibility permissions.
  5. Accessibility abuse grants the malware extensive system control.
  6. Attackers remotely monitor the device, steal credentials, intercept banking sessions, capture screenshots, and perform fraudulent activities.
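Steps 4 and 5 above depend on the APK declaring an accessibility service, and the overlay-based credential theft described earlier depends on the overlay permission. The following is an added triage example (not code from the original advisory or from ESET's research) that inspects a decoded AndroidManifest.xml for that combination. The manifest text, the package name and the risk weighting are constructed assumptions; a real APK carries the manifest as binary XML, so it would first have to be decoded with a tool such as apktool or androguard.

```python
"""Triage a decoded AndroidManifest.xml for the accessibility-plus-overlay pattern.

Added example; the manifests below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions that, alongside an accessibility service, match the RAT/overlay behaviour described.
HIGH_RISK_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of banking apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (OTP interception)",
    "android.permission.READ_SMS": "can read stored SMS",
}


def _attr(element, name):
    """Read an android:-namespaced attribute."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text: str) -> dict:
    """Return requested permissions, accessibility services and a coarse verdict."""
    root = ET.fromstring(xml_text)
    permissions = {_attr(p, "name") for p in root.iter("uses-permission")}

    accessibility_services = []
    for service in root.iter("service"):
        actions = {_attr(a, "name") for a in service.iter("action")}
        if _attr(service, "permission") == BIND_ACCESSIBILITY or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(_attr(service, "name"))

    risky = {p: HIGH_RISK_PERMISSIONS[p] for p in permissions if p in HIGH_RISK_PERMISSIONS}

    if accessibility_services and risky:
        verdict = "high"       # accessibility control plus overlay/install/SMS capability
    elif accessibility_services or risky:
        verdict = "medium"
    else:
        verdict = "low"

    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "risky_permissions": risky,
        "verdict": verdict,
    }


# Constructed manifest resembling a fake streaming app that bundles an accessibility service.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.streamplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Stream Player">
    <activity android:name=".MainActivity"/>
    <service android:name=".AccessHelper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SUSPICIOUS_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

A declared accessibility service is not malicious by itself (screen readers and automation apps need one), which is why the verdict only reaches "high" when it is paired with overlay, install or SMS permissions that a streaming or mining app has no reason to request.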

Conclusion

The Grandoreiro and BTMOB campaigns demonstrate how financially motivated threat actors continue evolving their tactics to bypass traditional security defenses. By abusing trusted services, legitimate traffic protocols, accessibility features, and Malware-as-a-Service distribution models, these malware families significantly lower the barrier for cybercriminal activity.

The campaigns also highlight the growing convergence of phishing, stealth techniques, and remote access capabilities across both desktop and mobile platforms. Organizations and users should strengthen phishing awareness, monitor unusual network activity, restrict unnecessary permissions, and implement advanced behavioral security controls to reduce the risk of compromise.

Source

https://thehackernews.com/2026/05/grandoreiro-malware-and-btmob-rat.html