Grandoreiro and BTMOB Malware Campaigns Expand Across Europe and Latin America + Video

Cybercriminal groups targeting the financial sector are rapidly evolving their attack strategies, and the latest campaigns involving the Grandoreiro banking trojan and the BTMOB Android RAT prove that banking malware is becoming smarter, stealthier, and far more commercialized. Security researchers from WatchGuard and ESET recently uncovered two major operations impacting users and organizations across Europe and Latin America, especially in Portugal, Spain, Mexico, and Brazil.

The attacks reveal how threat actors are now combining phishing, cloud hosting abuse, DLL side-loading, WebRTC communications, fake mobile applications, and malware-as-a-service ecosystems into one highly efficient cybercrime pipeline. The result is a dangerous wave of attacks capable of stealing banking credentials, remotely controlling smartphones, bypassing detection systems, and turning infected devices into long-term espionage tools.


Grandoreiro Banking Trojan Returns With Advanced Evasion Tactics

The Grandoreiro banking trojan has been active since 2016 and remains one of the most aggressive banking malware families targeting financial institutions worldwide. Researchers observed new campaigns specifically targeting Portuguese banks through sophisticated phishing operations and DLL side-loading techniques.

The malware is typically delivered through phishing emails containing malicious links or compressed files. Once a victim opens the content, a legitimate application is tricked into loading the attacker's DLL placed alongside it (DLL side-loading), so the malicious code runs inside a trusted process and is less likely to be flagged by traditional antivirus monitoring.

According to researchers, the latest Grandoreiro variants abuse four legitimate software applications to execute malicious DLLs developed using Delphi 11. Some of these DLL files, including mingwm10.dll and libwebp.dll, integrate sgcWebSockets technology to establish peer-to-peer communications using WebRTC and STUN protocols.

This is significant because WebRTC traffic blends naturally into common web conferencing activity, making malicious communications harder to detect. Threat actors benefit from hiding inside legitimate-looking traffic that organizations already trust.

Additional DLL files such as libffi-6.dll and libpng15.dll use the ICE protocol to achieve the same communication goals. Embedded references within the malware directly mention several Portuguese financial institutions, including Abanca, Banco de Portugal, Caixa Geral Depositos, BBVA Portugal, Santander, Revolut, and Wise.
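An added example, not code from the report or the researchers cited above, of the side-loading check a defender would run over Sysmon ImageLoad telemetry: the four DLL names are the ones quoted above, while the sample events, the user-writable path list and the same-directory/unsigned heuristic are assumptions.

```python
"""Heuristic detector for DLL side-loading in Sysmon Event ID 7 (ImageLoad) records.

Only the DLL names come from the report. The heuristic itself is an assumption:
a listed DLL mapped from the same directory as its host executable, where that
directory is user-writable and the DLL is unsigned, is a side-loading candidate.
"""
import json
from pathlib import PureWindowsPath

CAMPAIGN_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}
# Path fragments treated as user-writable (assumed list; extend it for your estate).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def is_sideload_candidate(event: dict) -> bool:
    """True when one ImageLoad record matches the side-loading heuristic."""
    if event.get("EventID") != 7:
        return False
    image = PureWindowsPath(event["Image"])         # process that performed the load
    loaded = PureWindowsPath(event["ImageLoaded"])  # DLL that was mapped
    if loaded.name.lower() not in CAMPAIGN_DLLS:
        return False
    same_dir = image.parent == loaded.parent        # DLL sits beside the EXE
    folder = str(loaded.parent).lower() + "\\"
    writable = any(tag in folder for tag in USER_WRITABLE)
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    return same_dir and writable and unsigned


def scan(lines):
    """Parse JSON-per-line Sysmon events; return matching (Image, ImageLoaded) pairs."""
    hits = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            if is_sideload_candidate(ev):
                hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


# Constructed sample telemetry (not real events); raw string keeps JSON's backslash escapes.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\ana\\Downloads\\Fatura\\viewer.exe", "ImageLoaded": "C:\\Users\\ana\\Downloads\\Fatura\\libwebp.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\viewer.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\libwebp.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\viewer.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Users\\ana\\Downloads\\Fatura\\viewer.exe", "CommandLine": "viewer.exe"}
"""

if __name__ == "__main__":
    for image, dll in scan(SAMPLE_EVENTS.splitlines()):
        print(f"side-loading candidate: {image} loaded {dll}")
```

Sysmon's Event ID 7 JSON field names (Image, ImageLoaded, Signed) are the real ones; only the first record should be reported, since the vendor copy is signed and lives under Program Files.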

Researchers also identified another related campaign distributing malware through MediaFire-hosted ZIP archives. Victims receive phishing emails leading to obfuscated Visual Basic scripts that launch fake Adobe Reader update alerts. Once users click the update button, the malware initiates anti-analysis checks before deploying credential-stealing payloads.

Security experts warn that the bigger issue is not only Grandoreiro’s survival after law enforcement disruptions in 2024, but also the speed at which financially motivated groups adapt their infrastructure and delivery methods.

BTMOB Android RAT Emerges as a New Mobile Threat

While Grandoreiro continues targeting Windows systems, Android users are now facing a growing threat from BTMOB, a powerful remote access trojan first identified in February 2025.

The malware targets Brazilian users through fake streaming services, cryptocurrency mining websites, and counterfeit Google Play Store pages. Victims are tricked into downloading APK files that secretly contain the malware.

Once installed, BTMOB abuses Android accessibility services to silently grant itself elevated permissions. The malware can then unlock devices, capture screenshots, record keystrokes, inject phishing pages into banking applications, and remotely control infected smartphones.

One of the most alarming additions is support for stealing Alipay PIN codes, showing the malware’s expansion into international financial ecosystems.

Researchers believe BTMOB is the evolutionary successor to CraxsRAT, CypherRAT, and SpySolr malware families. The latest version, 4.5.5, reportedly includes stronger APK protection and compatibility with newer Android security updates.

The malware operates under a malware-as-a-service model. Threat actors can purchase monthly subscriptions for approximately $700 USD, while lifetime licenses cost around $1,200 USD. Full source code packages are reportedly being sold for nearly $7,000 USD, allowing criminals to host their own infrastructure independently.

Security analysts also discovered leaked versions of the toolkit circulating across underground forums and Telegram channels. This dramatically lowers the barrier for entry-level cybercriminals who previously lacked malware development skills.

Italian cybersecurity researchers from D3Lab analyzed a leaked development package and found it included Android payload source code, Windows operator panels, builder environments, command-and-control backends, and deployment dependencies.

This demonstrates that BTMOB is no longer just malware. It has evolved into a fully managed criminal platform with licensing systems, version control, authentication mechanisms, and customer support infrastructure for cybercriminals.

What Undercode Says:


Banking Malware Is Quietly Becoming an Enterprise Industry

The most dangerous aspect of these campaigns is not the malware itself. It is the industrialization of cybercrime behind the scenes.

Grandoreiro and BTMOB represent two sides of the same evolution. One focuses on desktop banking systems using stealth communication channels, while the other weaponizes Android accessibility services to hijack smartphones remotely. Together, they show how modern cybercrime groups are building scalable businesses instead of isolated attacks.

The use of WebRTC and STUN protocols inside Grandoreiro campaigns is particularly alarming. Traditionally, security teams focus heavily on suspicious outbound traffic, Tor communications, or known malicious IP addresses. But when malware starts using protocols normally associated with Zoom, Microsoft Teams, or browser-based conferencing applications, distinguishing malicious traffic from legitimate activity becomes extremely difficult.
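One concrete way to separate the two, as an added example that is not part of the original article: recognise STUN by its header (RFC 5389) rather than by port, then ask which process sent it. The flow records, the allowlist of conferencing processes and the process names are constructed assumptions.

```python
"""Identify STUN (the signalling WebRTC/ICE uses) per process and flag unexpected senders.

Header layout is from RFC 5389: 2-byte type with the top two bits zero, 2-byte
attribute length (multiple of 4), magic cookie 0x2112A442, 12-byte transaction ID.
The flow records and the process allowlist are constructed assumptions.
"""
import struct

MAGIC_COOKIE = 0x2112A442
# Processes assumed to legitimately use WebRTC in this environment (tune per estate).
EXPECTED_STUN_PROCESSES = {"zoom.exe", "teams.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def parse_stun(payload: bytes):
    """Return (message_type, attr_length) for a well-formed STUN header, else None."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE:
        return None
    if length % 4 or len(payload) < 20 + length:
        return None
    return msg_type, length


def flag_unexpected_stun(flows):
    """flows: (process, dst_ip, dst_port, first_payload). Return STUN flows from non-allowlisted processes."""
    findings = []
    for process, dst_ip, dst_port, payload in flows:
        header = parse_stun(payload)
        if header is not None and process.lower() not in EXPECTED_STUN_PROCESSES:
            findings.append({"process": process, "dst": f"{dst_ip}:{dst_port}",
                             "stun_type": f"0x{header[0]:04x}"})
    return findings


# Constructed datagrams. Binding Request = type 0x0001 with no attributes.
BINDING_REQUEST = bytes.fromhex("00010000" "2112a442") + b"\x00" * 12
# A plain DNS query: top bits of the first word are zero, but there is no magic cookie.
NOT_STUN = bytes.fromhex("1a2b01000001000000000000") + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_FLOWS = [
    ("chrome.exe", "198.51.100.10", 3478, BINDING_REQUEST),   # browser: expected
    ("viewer.exe", "198.51.100.10", 3478, BINDING_REQUEST),   # unexpected process on the STUN port
    ("viewer.exe", "203.0.113.5", 19302, BINDING_REQUEST),    # same process, non-standard port
    ("svchost.exe", "192.0.2.53", 53, NOT_STUN),              # not STUN at all
]

if __name__ == "__main__":
    for finding in flag_unexpected_stun(SAMPLE_FLOWS):
        print(finding)
```

Because the match is on the header, STUN on an ephemeral port (the third flow) is still caught, which a port-3478 filter alone would miss.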

This means organizations relying solely on perimeter defenses or traditional antivirus systems are already behind.

The phishing infrastructure itself is also evolving. Hosting malicious archives on trusted cloud platforms like MediaFire significantly improves delivery success rates because many companies whitelist such services automatically. Attackers understand enterprise trust relationships better than ever before.

Another major concern is the accessibility abuse inside Android malware campaigns. Accessibility permissions were originally designed to help users with disabilities navigate devices more efficiently. Threat actors are now weaponizing these features to automate fraud, intercept authentication codes, and bypass manual user interaction entirely.

This trend will likely intensify because accessibility abuse remains highly effective against mobile banking applications.

BTMOB’s malware-as-a-service structure also reflects a growing underground economy where malware developers no longer need to conduct attacks themselves. Instead, they lease infrastructure, builders, and support services to affiliates. This mirrors legitimate SaaS business models used in the corporate world.

The inclusion of APK builders is another critical shift. Low-skilled criminals can now generate region-specific malware payloads without understanding Android development or reverse engineering. That dramatically increases attack volume and geographic reach.

Leaked toolkits further amplify the problem. Once malware source code enters underground ecosystems, copycat groups rapidly modify and redistribute it. This creates dozens of derivative strains that overwhelm security vendors and complicate attribution efforts.

The psychological manipulation techniques used in both campaigns are equally important. Fake Adobe Reader updates, streaming services, crypto mining platforms, and counterfeit Play Store pages exploit urgency, convenience, and curiosity rather than technical vulnerabilities alone.

Cybercriminals understand human behavior better than many organizations understand their own users.

Another overlooked issue is the targeting expansion beyond traditional banking applications. Malware operators are increasingly targeting fintech services such as Wise, Revolut, cryptocurrency wallets, and digital payment systems. As users shift away from legacy banking infrastructure toward mobile-first financial ecosystems, attackers naturally follow the money.

There is also a geopolitical angle worth noting. Latin America continues to serve as a testing ground for banking malware innovation. Malware families developed in Brazil frequently evolve into global threats targeting Europe and North America later. The region has become a major incubator for financial cybercrime techniques.

Defenders should pay close attention to that pattern.

Organizations must begin monitoring abnormal WebRTC traffic, cloud-hosted phishing infrastructure, suspicious DLL side-loading behavior, and accessibility service abuse on Android devices. Endpoint detection alone is no longer sufficient.

Behavioral analytics and identity-based monitoring are becoming mandatory layers of defense.

The rise of mobile RAT ecosystems like BTMOB also suggests future ransomware groups may increasingly target smartphones directly rather than focusing exclusively on PCs and servers. Mobile devices now contain banking credentials, MFA tokens, authentication apps, cryptocurrency wallets, and corporate access portals all in one place.

That makes smartphones extremely valuable attack surfaces.

The commercialization of cybercrime is reaching a level where underground operators now advertise products, provide customer support, release version updates, and maintain subscription models similarly to legitimate software vendors.

That changes the threat landscape completely.

Deep analysis:

Detect suspicious DLL side-loading activity on Windows (the Security log does not record DLL loads; Sysmon Event ID 7 does, so this needs Sysmon with ImageLoad enabled)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=7} | Where-Object { $_.Message -match 'mingwm10\.dll|libwebp\.dll|libffi-6\.dll|libpng15\.dll' } | Select-Object TimeCreated, Message
List UDP sockets with their owning executable and look for WebRTC/STUN activity from processes that are not conferencing apps or browsers (run as Administrator)
netstat -anob -p UDP
Identify Android accessibility abuse (a service the user did not knowingly enable is the red flag)
adb shell settings get secure enabled_accessibility_services
Check suspicious APK permissions
aapt dump permissions suspicious.apk
Detect malicious PowerShell execution (script block logging, Event ID 4104)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}
Monitor outbound STUN/TURN traffic (3478 and 5349 are the registered ports; ICE can negotiate other ports, so correlate with per-process socket data)
tcpdump -nn -i eth0 'udp and (port 3478 or port 5349)'
Search proxy and mail gateway logs for MediaFire-hosted downloads
grep -Ri "mediafire" /var/log/
Find running processes that have loaded one of the side-loaded DLLs named above (repeat for each DLL name)
tasklist /m mingwm10.dll
YARA example for hunting the WebRTC-capable Grandoreiro DLLs (a hunting rule, not a blocking signature: sgcWebSockets is a legitimate commercial component and the protocol names alone also occur in benign software)
rule Grandoreiro_WebRTC_DLL
{
    strings:
        $sgc    = "sgcWebSockets" ascii wide nocase
        $webrtc = "WebRTC" ascii wide
        $stun   = "STUN" ascii wide fullword
        $ice    = "ICE" ascii wide fullword
    condition:
        uint16(0) == 0x5A4D and $sgc and 2 of ($webrtc, $stun, $ice)
}
Watch Android accessibility events while a suspect app runs
adb logcat | grep -i AccessibilityService
🔍 Fact Checker Results

✅ Researchers from WatchGuard and ESET publicly documented both malware campaigns and linked them to banking credential theft operations.

✅ Grandoreiro continues operating despite prior law enforcement disruptions in Brazil during 2024, confirming the resilience of banking malware ecosystems.

❌ There is currently no public evidence showing BTMOB has reached mass global infection levels outside targeted regional campaigns, although its infrastructure is rapidly expanding.

📊 Prediction


🔮 Banking trojans will increasingly abuse legitimate communication protocols like WebRTC and encrypted conferencing traffic to evade enterprise monitoring systems.

🔮 Android malware-as-a-service platforms such as BTMOB are likely to expand into Europe and North America as leaked builders make customization easier for low-skilled cybercriminals.

🔮 Financial attacks targeting fintech platforms, digital wallets, and mobile payment ecosystems will grow faster than attacks against traditional banking portals over the next two years.


References:

Reported By: thehackernews.com