Skip to main content
Emerging ThreatsMalware & Ransomware

Malware Campaigns Target Windows, Android Users in Global Finance Sector

Modern bank lobby with customer service desk and banking terminals.

"The bigger story here is not just that Grandoreiro is still active," WatchGuard said — and the evidence they and ESET published in May 2026 makes the point. Two separate campaigns, one aimed at Windows banking customers in Portugal, Spain and Mexico using Grandoreiro, the other at Android users in Brazil with a new BTMOB remote-access trojan, illustrate parallel evolutions: banking malware hiding in trusted traffic, and mobile RATs sold as turnkey services.

WatchGuard on Grandoreiro's renewed targeting and tactics

WatchGuard researchers report a campaign that uses DLL side-loading to launch Grandoreiro components built with Delphi 11. The campaign targets banks and financial services that operate in Portugal — files observed reference Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, Santander, and also target Revolut and Wise. Grandoreiro itself has been active since 2016 and "is an actively evolving banking malware" capable of stealing credentials associated with thousands of financial institutions across 45 countries and territories, WatchGuard said.

WatchGuard also identified phishing-delivered ZIP archives hosted on Mediafire that contain an obfuscated Visual Basic Script. The script launches an executable that displays a fake Adobe Reader update dialog; clicking the embedded button triggers anti-analysis checks before deploying the final payload to steal banking information. Some of these tactics overlap with a Grandoreiro campaign Kaspersky detailed in October 2024, WatchGuard noted.

DLL side-loading, WebRTC, STUN and ICE: hiding in conferencing traffic

The campaign leverages DLL side-loading and four different software libraries to load malicious DLLs. Two libraries observed — mingwm10.dll and libwebp.dll — incorporate sgcWebSockets, a WebSocket and real-time communication library, to enable peer-to-peer and WebRTC-style communications. WatchGuard explained the DLLs use the Session Traversal Utilities for NAT (STUN) protocol to help devices behind NAT discover public IP addresses and ports, enabling peer-to-peer communication.

Two other DLLs — libffi-6.dll and libpng15.dll — were observed using the Interactive Connectivity Establishment (ICE) protocol instead of STUN to reach the same objective. WatchGuard emphasized the tactical advantage for operators: web-conferencing traffic is "noisy, being difficult to monitor, and due to WebRTC being commonly used across all major web-conferencing platforms," making it a convenient carrier for malicious communications.

ESET on BTMOB: capabilities, distribution, and commercialization

ESET disclosed a separate campaign centered on BTMOB, an Android RAT first observed in February 2025. The malware can unlock devices, capture screenshots, log keystrokes, perform HTML-injection credential theft when certain apps are opened, and provide remote control. Later iterations added the ability to capture Alipay PINs. Distribution relies primarily on social engineering: victims are lured to bogus sites purporting to be streaming services or crypto-mining platforms, then steered to fake Google Play Store listings that prompt installation of an APK containing the RAT.

Once installed, BTMOB requests Android accessibility services permission and abuses that capability to grant itself further system access without additional user interaction. ESET identified the family as a likely successor to CraxsRAT, CypherRAT, and SpySolr. As of May 2026, the malware's reported latest version is 4.5.5, which claims enhanced APK protection and compatibility with recent Google Play updates.

BTMOB's MaaS model, pricing, and the leaked toolkit (D3Lab)

BTMOB is sold as malware-as-a-service with an APK builder that lets customers generate payloads and adapt phishing lures without writing code. An X profile allegedly linked to the author posted on May 1, 2026 about speed, stability, and infrastructure expansion. The RAT is advertised under the name EVLF (@craxso) at $700 per month; a YouTube video shared by the author on May 1, 2026 offered a lifetime license for $1,200, and the full server source code for $7,000 so buyers can self-host command-and-control (C2) panels.

Leaked versions are already circulating on underground forums and Telegram, ESET warned, and Italian cybersecurity company D3Lab reported in December 2025 that the leaked BTMOB toolkit included Android payload source code, a dropper, a builder environment, a Windows operator panel, the C2 backend, and all required dependencies. D3Lab concluded the leak shows the actor operates as a service provider enforcing licensing, authentication, and version control over customers.

What this means for technologists, enterprises, and end users

  • Technologists and security teams: WatchGuard's findings call for attention to DLL side-loading indicators, monitoring for unexpected WebRTC-like P2P traffic patterns (STUN/ICE usage), and scanning for obfuscated VBScript and Mediafire-hosted archives used to distribute payloads.
  • Affected enterprises and procurement leaders: Organizations that handle financial transactions — especially those named in the campaign's references — should review application whitelisting and DLL search order protections, and scrutinize supply-chain and cloud-hosted file-sharing use that attackers may reuse for delivery.
  • End users and the general public: ESET's analysis underscores the persistent risk from social-engineering chains that start at fake sites and fake app listings. Users should be wary of installing APKs from outside official stores and of granting Android accessibility services to untrusted apps; the BTMOB flow specifically uses accessibility permissions to escalate access without further interaction.

Grandoreiro's adaptation to hide inside web-conferencing-style traffic and BTMOB's commercialized, rapidly evolving builder ecosystem make a clear pair: one campaign seeks to mask data exfiltration inside noisy, trusted protocols; the other lowers the barrier for mass compromise by turning a full-featured Android RAT into a product. WatchGuard's and ESET's reporting together leaves a pointed, verifiable question: as attackers blend into ubiquitous traffic and sell turnkey tools to a wider pool of buyers, which detection strategies will defenders prioritize to spot those two very different — but mutually reinforcing — threats?

Original reporting