Active Exploitation Alert: Grandoreiro Banking Trojan and BTMOB RAT Targeting Windows and Android Users in Global Financial Malware Campaigns
Publish Date: 2026-05-28 07:25:00
Source Domain: www.rescana.com
Executive Summary
Financially motivated actors are running parallel malware campaigns against Windows and Android users, built around the Grandoreiro banking trojan, a long-running family that has resurfaced after 2024 law enforcement action, and the newer BTMOB RAT remote access trojan. Both rely on evasion techniques, social engineering, and malware-as-a-service (MaaS) distribution. The primary targets are financial institutions and their customers, particularly in Latin America and Europe, but the risk is global because both families are spreading and adapting quickly. This advisory provides a technical analysis, exploitation patterns, victimology, and actionable mitigation strategies to help organizations defend against these threats.
Threat Actor Profile
The operators behind Grandoreiro and BTMOB RAT are primarily financially motivated cybercriminals, not directly attributed to any nation-state advanced persistent threat (APT) groups. Grandoreiro is believed to be developed and maintained by Brazilian cybercrime syndicates, with infrastructure and campaigns traced back to Brazil, Spain, Portugal, and Mexico. Despite law enforcement actions in Brazil in early 2024, the threat actors have demonstrated resilience, rapidly reconstituting their infrastructure and expanding their targeting scope.
BTMOB RAT is distributed as a MaaS offering by the actor known as “EVLF” (alias @craxso), who markets the toolkit on underground forums and Telegram channels. The MaaS model has significantly lowered the barrier to entry, enabling less technically skilled actors to launch sophisticated Android attacks. The BTMOB ecosystem includes an APK builder, command-and-control (C2) backend, operator panel, and dropper, with leaked versions further amplifying its reach.
Technical Analysis of Malware/TTPs
Grandoreiro (Windows Banking Trojan)
Grandoreiro is a Delphi-based banking trojan active since 2016, with a…