Latin America and Europe have become the targets of two banking Trojan campaigns designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively.
This is according to new findings from WatchGuard and ESET, which saw two malware families being used to impersonate companies in Spain, Portugal and Mexico, as well as mobile users in Brazil.
The Grandoreiro campaign “uses a DLL side-loading technique, abusing four different software, targeting banks in Portugal,” said WatchGuard researcher Euler Neto.
Active since 2016, Grandoreiro is an actively evolving banking malware capable of stealing credentials associated with thousands of financial institutions in 45 countries and territories. It is typically distributed via phishing email, instructing recipients to click on sketchy links.
Despite some arrests and efforts by Brazilian authorities to dismantle its infrastructure in early 2024, the malware has continued to expand its target footprint, incorporating CAPTCHA checks to resist analysis.
The latest campaign identified by WatchGuard takes advantage of DLL side-loading to launch a DLL developed in Delphi 11, a programming language commonly used for malware targeting the sector. Two DLLs – mingwm10.dll and libwebp.dll – were found to contain sgcWebSockets, a WebSocket and real-time communications library for peer-to-peer (P2P) and WebRTC communications.
“The DLLs associated with this issue use the Session Traversal Utilities for NAT (STUN) protocol, which is a protocol that helps devices behind NAT discover their public IP address and port number, enabling peer-to-peer communication,” WatchGuard reported.
“The advantages for threat actors in using web conferencing traffic in their campaigns are due to this traffic being noisy, difficult to monitor, and WebRTC being commonly used on all major web-conferencing platforms.”
Two other DLLs associated with the campaign are libffi-6.dll and libpng15.dll, which use the Interactive Connectivity Establishment (ICE) protocol instead of STUN to achieve the same goal. These files refer specifically to banks and financial institutions that operate in Portugal, such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos and Santander, among others. Revolut and Wise are also targeted.
WatchGuard also said it has identified another campaign that uses phishing emails to distribute ZIP archives hosted on MediaFire. The file contains an obscure Visual Basic script that is responsible for launching an executable, which displays a message asking users to update Adobe Reader by clicking the button embedded in the alert.
Doing so triggers a series of checks aimed at detecting and complicating malware analysis, before launching the final payload to steal banking information and sensitive data. Some of the strategies match the Grandoreiro campaign detailed by Kaspersky in October 2024.
“The big story here is not just that Grandoreiro is still active,” WatchGuard said. “This is how financially motivated threat groups continue to rapidly adapt, reuse legitimate services, and hide inside traffic patterns that many organizations can already rely on.”
“Combining phishing, DLL side-loading, WebRTC-related components, cloud service abuse, and anti-analysis checks, these campaigns show how banking malware is becoming increasingly difficult to detect with surface-level protection alone.”
BTMob provides ready-made campaign tools
The disclosure matches a report from ESET about BTMOB, an Android remote access trojan (RAT) that first surfaced in February 2025 with capabilities to unlock devices, capture screenshots, log keystrokes, automate credential theft through HTML injection when certain apps are opened, and enable remote control. A later iteration introduced the ability to capture Alipay PINs.
“RAT is also sold with an APK builder interface, which allows anyone to generate new payloads and customize phishing lures for specific regions quickly and without writing any code,” said ESET researcher Daniel Cunha Barbosa.
These off-the-shelf tools reduce the time and effort required to perform a full device compromise. The primary way the malware spreads is social engineering, where users are sent links to fake websites masquerading as streaming services or cryptocurrency mining platforms.
From those sites, victims are directed to fake Google Play Store app listings that prompt them to install an Android package (APK) file containing the malware. Once installed, the malware asks for permission to use Android’s accessibility services and then leverages this to grant itself additional system access without any user interaction.
BTMOB is considered the successor to the CraxsRAT, CypherRAT and SpySolr families. As of May 2026, the latest version of the malware is 4.5.5, which claims to offer enhanced APK protection and compatibility with the latest Google Play updates.
“This update is all about speed and stability. We’ve expanded our infrastructure and refined the builder to keep you ahead of the latest mobile security patches.”
The Trojan is advertised by a threat actor named EVLF (@craxso) at a price of $700 per month. According to a YouTube video shared by the malware author on May 1, 2026, the lifetime license costs $1,200. The complete server source code is available for $7,000, allowing customers to host the command-and-control (C2) panel on their own infrastructure.
As recently as this week,
“It enters via phishing sites, hijacks access services and turns your phone into a puppet,” the article reads. “Hackers watch your screen live. They steal banking details. They even mine crypto in the background while you scroll through Instagram.”
Interestingly, this article was published by an account named “CraxsRAT Main Developer”. The account biography claims they are “skilled and resourceful cybercriminals who have built a profitable cybercriminal enterprise by selling highly advanced RAT malware to other threat actors.”
The fact that BTMob is sold under a Malware-as-a-Service (MaaS) model lowers the barrier to entry for less sophisticated threat actors. This is further complicated by reports that leaked versions are already circulating on underground forums and Telegram, increasing the risk of misuse through copycats and other ambitious criminals.
“Access rarely remains limited forever, and equipment may move to secondary markets through resale, barter, or sharing within closed groups,” ESET said. “Competing malware families may also copy certain elements that make payload optimization and campaign management easier for less skilled criminals.”
Italian cybersecurity company D3Lab, in an analysis of the leaked BTMob RAT development toolkit published in December 2025, said it includes the Android payload source code, its dropper, a builder environment, operator panel for Windows, the C2 backend, and all the software dependencies needed to deploy the platform.
“The BTMOB leak provides a rare perspective on the inner workings of a modern Android RAT-as-a-Service ecosystem,” D3Lab noted at the time. “This shows that the threat actor acts not only as a developer selling a toolkit, but also as a service provider enforcing licensing, authentication, and version control on its customers.”