Two parallel banking Trojan campaigns — Grandoreiro for Windows and BTMOB RAT for Android — are actively targeting financial organizations and users in Portugal, Spain, Mexico and Brazil. According to researchers at WatchGuard and ESET, both malware families are showing significant evolution: Grandoreiro disguises its traffic as legitimate video conferences over WebRTC, while BTMOB has turned into a full-fledged “malware-as-a-service” platform with a no-code payload builder.
Grandoreiro: DLL side-loading and masquerading as video conferences
Grandoreiro is a banking Trojan active since 2016 and, according to researchers, capable of stealing credentials for thousands of financial institutions in 45 countries. Despite arrests and attempts by Brazilian authorities to dismantle its infrastructure in early 2024, the malware continues to expand its geographical footprint and improve its anti-analysis mechanisms, including CAPTCHA checks.
The key technical feature of the new campaign is the use of DLL side-loading to launch malicious libraries developed in Delphi 11. WatchGuard identified four DLL files with different functionality:
- mingwm10.dll and libwebp.dll — include the sgcWebSockets library and use the STUN (Session Traversal Utilities for NAT) protocol to detect the public IP address and port of a device behind NAT, enabling peer-to-peer communication via WebRTC;
- libffi-6.dll and libpng15.dll — use the ICE (Interactive Connectivity Establishment) protocol for similar purposes and contain direct references to Portuguese financial institutions.
The campaign’s targets include Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos and Santander, as well as the fintech services Revolut and Wise.
Why WebRTC is an effective channel for attackers
The choice of WebRTC as a communication channel is not accidental but a deliberate tactical decision. Video conferencing traffic is inherently “noisy,” difficult to monitor, and WebRTC is widely used by major video communication platforms. This means many organizations’ network defenses already trust such traffic and do not subject it to deep inspection. In effect, the attackers hide the Trojan’s command-and-control communications inside a data stream that most corporate firewalls allow through without additional checks.
Second wave: phishing via Mediafire
WatchGuard also recorded a parallel campaign in which phishing emails deliver a ZIP archive hosted on the Mediafire platform. The archive contains an obfuscated Visual Basic script that launches an executable with a fake Adobe Reader update notification. When the user clicks the “update” button, a series of checks is performed to evade analysis, after which the final payload for stealing banking data is downloaded. Some of the tactics reportedly overlap with the Grandoreiro campaign described by Kaspersky in October 2024.
BTMOB RAT: Android Trojan with a business model
BTMOB is a remote access Trojan (RAT) for Android first detected, according to ESET, in February 2025. Its capabilities include unlocking devices, capturing screenshots, intercepting keystrokes, automated credential theft via HTML injections when certain applications are opened, and full remote control. A subsequent iteration, according to Zimperium, added the ability to intercept Alipay PIN codes.
It is distributed via social engineering: victims are sent links to fake websites imitating streaming services or cryptocurrency mining platforms. From there, users are redirected to counterfeit Google Play Store pages where they install a malicious APK file. After installation, the Trojan requests access to Android Accessibility Services and uses them to obtain additional system privileges without further user interaction.
“Malware-as-a-service” model
What fundamentally sets BTMOB apart from many counterparts is its mature commercial model. The Trojan is sold with an APK builder interface that allows buyers to generate new payloads and adapt phishing lures for specific regions without writing code. According to its promotional materials (which should be treated with caution, since they come from the operators themselves), a subscription costs $700 per month, a lifetime license is $1,200, and the full source code of the server-side component is $7,000, allowing buyers to deploy their own command infrastructure.
The situation is exacerbated by a leak of the BTMOB development toolkit. According to the Italian company D3Lab, which analyzed the leak in December 2025, the package included the Android payload source code, a dropper, the builder environment, an operator panel for Windows, the server-side command component, and all required dependencies. D3Lab noted that the BTMOB operator acts not just as a developer, but as a service provider with licensing, authentication and version control. Leaked versions, ESET reports, are already circulating on underground forums and in Telegram, significantly widening the pool of potential attackers.
Impact assessment
Both campaigns pose a high risk to the financial sector of the Iberian Peninsula and Latin America. Grandoreiro threatens corporate Windows users working with online banking services of Portuguese and Spanish institutions, as well as international fintech platforms. BTMOB primarily targets individual Android users in Brazil, but the MaaS model and toolkit leak make geographical expansion virtually inevitable.
Particularly dangerous is the combination of techniques in the Grandoreiro campaign: phishing, DLL side-loading, abuse of legitimate protocols (WebRTC, STUN, ICE), use of cloud services for hosting, and multi-layered anti-analysis checks. This combination makes detection extremely difficult when relying only on superficial protection measures.
Protection recommendations
Against Grandoreiro:
- Configure deep inspection of WebRTC traffic at the network perimeter, especially for connections initiated not from browsers or known video conferencing applications;
- Implement monitoring for DLL side-loading: track DLL loading from non-standard directories by legitimate applications;
- Block or restrict access to file-sharing platforms (Mediafire and similar) at the corporate level;
- Train employees to recognize phishing emails themed around Adobe Reader updates and similar software;
- Add the following filenames to monitoring: mingwm10.dll, libwebp.dll, libffi-6.dll, libpng15.dll — if detected in atypical locations, initiate an investigation.
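The two monitoring recommendations above (DLL side-loading from non-standard directories, and WebRTC/STUN traffic from processes other than browsers or conferencing software) can be implemented as simple triage rules over endpoint telemetry. The following is an added example, not code from WatchGuard or ESET: it assumes Sysmon-style events (Event ID 7 image loads, Event ID 3 network connections) already parsed into dictionaries; the user-writable path prefixes, the process allow-list and the sample events are constructed.

```python
import os

# DLL names named in the report as Grandoreiro side-loading candidates.
SUSPECT_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Constructed: locations a legitimate installer would not normally use for these
# DLLs. Tune to your estate; compared lower-case.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Hypothetical allow-list of processes expected to speak STUN/WebRTC.
WEBRTC_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "zoom.exe"}
STUN_PORT = 3478  # default STUN port (RFC 5389); non-default ports need DPI instead

def _basename(win_path):
    # Works on any OS: normalise Windows separators before taking the last element.
    return os.path.basename(win_path.replace("\\", "/")).lower()

def check_image_load(event):
    """Sysmon Event ID 7 fields: Image (loading process), ImageLoaded (DLL path)."""
    dll_path = event["ImageLoaded"]
    if _basename(dll_path) in SUSPECT_DLLS and dll_path.lower().startswith(USER_WRITABLE_PREFIXES):
        return f"suspect DLL {_basename(dll_path)} loaded by {event['Image']} from {dll_path}"
    return None

def check_network(event):
    """Sysmon Event ID 3 fields: Image, Protocol, DestinationPort."""
    proc = _basename(event["Image"])
    if event["Protocol"].lower() == "udp" and int(event["DestinationPort"]) == STUN_PORT \
            and proc not in WEBRTC_ALLOWED:
        return f"STUN traffic to udp/{STUN_PORT} from non-allowlisted process {proc}"
    return None

def triage(events):
    """Run both rules over a stream of events; return human-readable findings."""
    rules = {7: check_image_load, 3: check_network}
    return [hit for ev in events if ev["EventID"] in rules and (hit := rules[ev["EventID"]](ev))]

# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Local\Temp\AdobeUpdate.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\libwebp.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\SomeApp\app.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\libpng15.dll"},   # plausible legitimate location
    {"EventID": 3, "Image": r"C:\Users\ana\AppData\Local\Temp\AdobeUpdate.exe",
     "Protocol": "udp", "DestinationPort": "3478"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "udp", "DestinationPort": "3478"},               # allow-listed browser
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The second DLL event is deliberately not flagged: the same file name under Program Files is where a legitimate bundled dependency would live, so the path check is what separates side-loading from normal loads.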
Against BTMOB:
- Disallow installation of APKs from third-party sources on corporate mobile devices via MDM policies;
- Audit applications with access to Android Accessibility Services — any unknown app with such privileges should be treated as suspicious;
- Educate users about distribution schemes involving fake streaming services and cryptocurrency platforms.
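Auditing which apps hold Accessibility Services privileges can be done from the device's `secure` settings table, which Android exposes through adb. The following is an added example, not code from ESET or the page: the allow-list entry and the sample value are constructed, and the adb query assumes USB debugging is enabled on the managed device.

```python
import subprocess

# Constructed allow-list of accessibility services the fleet legitimately uses
# (the entry below is the package/class form TalkBack reports); extend as needed.
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

def parse_enabled_services(raw):
    """Parse the Android setting 'enabled_accessibility_services'.

    The value is a colon-separated list of 'package/ServiceClass' entries; the
    literal string 'null' or an empty value means no service is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]

def suspicious_services(raw, allowed=ALLOWED_SERVICES):
    """Return enabled accessibility services that are not on the allow-list."""
    return [svc for svc in parse_enabled_services(raw) if svc not in allowed]

def audit_device(serial):
    """Query one connected device via adb and return its non-allowlisted services."""
    result = subprocess.run(
        ["adb", "-s", serial, "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, check=True)
    return suspicious_services(result.stdout)

# Constructed sample value: a legitimate screen reader plus an unknown service
# belonging to a hypothetical "streaming" app.
SAMPLE_VALUE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.stream.player/com.stream.player.AccService"
)

if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_VALUE):
        print("Review accessibility service:", svc)
```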
Both campaigns illustrate the same trend: financially motivated groups are increasingly disguising malicious activity as legitimate traffic and lowering the barrier to entry for less skilled operators through ready-made tools. Organizations in the affected regions should immediately review their network policies for WebRTC traffic inspection and audit employees’ mobile devices for applications with excessive Accessibility Services privileges.