{"id":257660,"date":"2026-05-28T07:25:00","date_gmt":"2026-05-28T11:25:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/28\/active-exploitation-alert-grandoreiro-banking-trojan-and-btmob-rat-targeting-windows-and-android-users-in-global-financial-malware-campaigns\/"},"modified":"2026-05-28T07:45:08","modified_gmt":"2026-05-28T11:45:08","slug":"active-exploitation-alert-grandoreiro-banking-trojan-and-btmob-rat-targeting-windows-and-android-users-in-global-financial-malware-campaigns","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/28\/active-exploitation-alert-grandoreiro-banking-trojan-and-btmob-rat-targeting-windows-and-android-users-in-global-financial-malware-campaigns\/","title":{"rendered":"Active Exploitation Alert: Grandoreiro Banking Trojan and BTMOB RAT Targeting Windows and Android Users in Global Financial Malware Campaigns"},"content":{"rendered":"<p><a href=\"https:\/\/www.rescana.com\/post\/active-exploitation-alert-grandoreiro-banking-trojan-and-btmob-rat-targeting-windows-and-android-users-in-global-financi\">Active Exploitation Alert: Grandoreiro Banking Trojan and BTMOB RAT Targeting Windows and Android Users in Global Financial Malware Campaigns<\/a><\/p>\n<p><a href=\"https:\/\/www.rescana.com\/post\/active-exploitation-alert-grandoreiro-banking-trojan-and-btmob-rat-targeting-windows-and-android-users-in-global-financi\">https:\/\/www.rescana.com\/post\/active-exploitation-alert-grandoreiro-banking-trojan-and-btmob-rat-targeting-windows-and-android-users-in-global-financi<\/a><\/p>\n<p>Publish Date: 2026-05-28 07:25:00<\/p>\n<p>Source Domain: www.rescana.com<\/p>\n<h2><strong>Executive Summary<\/strong><\/h2>\n<p>The cybersecurity landscape is witnessing a surge in sophisticated malware campaigns targeting both Windows and Android platforms, with the emergence of the <strong>Grandoreiro<\/strong>\u00a0banking 
trojan and the <strong>BTMOB RAT<\/strong>\u00a0remote access trojan. These threats are orchestrated by financially motivated actors leveraging advanced evasion techniques, social engineering, and malware-as-a-service (MaaS) models. The primary targets are financial institutions and their customers, particularly in Latin America and Europe, but the global risk is escalating due to the rapid proliferation and adaptability of these malware families. This advisory provides a comprehensive technical analysis, exploitation patterns, victimology, and actionable mitigation strategies to help organizations defend against these evolving threats.<\/p>\n<h2><strong>Threat Actor Profile<\/strong><\/h2>\n<p>The operators behind <strong>Grandoreiro<\/strong>\u00a0and <strong>BTMOB RAT<\/strong>\u00a0are primarily financially motivated cybercriminals, not directly attributed to any nation-state advanced persistent threat (APT) groups. <strong>Grandoreiro<\/strong>\u00a0is believed to be developed and maintained by Brazilian cybercrime syndicates, with infrastructure and campaigns traced back to Brazil, Spain, Portugal, and Mexico. Despite law enforcement actions in Brazil in early 2024, the threat actors have demonstrated resilience, rapidly reconstituting their infrastructure and expanding their targeting scope.<\/p>\n<p><strong>BTMOB RAT<\/strong>\u00a0is distributed as a MaaS offering by the actor known as &#8220;EVLF&#8221; (alias @craxso), who markets the toolkit on underground forums and Telegram channels. The MaaS model has significantly lowered the barrier to entry, enabling less technically skilled actors to launch sophisticated Android attacks. 
The BTMOB ecosystem includes an APK builder, command-and-control (C2) backend, operator panel, and dropper, with leaked versions further amplifying its reach.<\/p>\n<h2><strong>Technical Analysis of Malware\/TTPs<\/strong><\/h2>\n<h3><strong>Grandoreiro (Windows Banking Trojan)<\/strong><\/h3>\n<p><strong>Grandoreiro<\/strong>\u00a0is a Delphi-based banking trojan active since 2016, with a&#8230;<\/p>\n<p><a href=\"https:\/\/www.rescana.com\/post\/active-exploitation-alert-grandoreiro-banking-trojan-and-btmob-rat-targeting-windows-and-android-users-in-global-financi\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Active Exploitation Alert: Grandoreiro Banking Trojan and BTMOB RAT Targeting Windows and Android Users in&#8230;<\/p>\n","protected":false},"author":1,"featured_media":257661,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.rescana.com\/post\/img\/active-exploitation-alert-grandoreiro-banking-trojan-and-btmob-rat-targeting-windows-and-android-users-in-global-financi-cover.png","fifu_image_alt":"","footnotes":""},"categories":[46],"tags":[32,34],"class_list":["post-257660","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/257660"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=257660"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/257660\/revisions"}],"predecessor-version":[{"id":25766
2,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/257660\/revisions\/257662"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/257661"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=257660"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=257660"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=257660"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}