Two major banking trojan campaigns affecting users in Latin America and Europe are targeting Windows and Android devices, deploying the Grandoreiro and BTMOB malware families respectively.
The findings come from recent reports by WatchGuard and ESET, which identified the two malware families going after businesses in countries including Spain, Portugal, and Mexico, as well as mobile users in Brazil.
According to Euler Neto, a researcher at WatchGuard, the Grandoreiro campaign “employs the DLL Side-Loading technique across four different software applications, focusing on banks located in Portugal.”
Grandoreiro has been in operation since 2016 and continues to evolve as a banking trojan capable of stealing credentials from thousands of financial institutions spanning 45 countries and territories. It commonly spreads through phishing emails, urging victims to click on suspicious links.
Despite law enforcement efforts by Brazilian authorities in early 2024 to dismantle portions of its network and some arrests, the malware has only grown its reach further, adding CAPTCHA mechanisms to fight automated analysis.
WatchGuard’s analysis of recent campaigns shows that DLL side-loading is used to load DLLs written in Delphi 11, a language that is popular among cybercriminals in the region. Among the analyzed DLLs, mingwm10.dll and libwebp.dll integrate sgcWebSockets, a WebSocket and real-time communication library, enabling peer-to-peer (P2P) and WebRTC communication channels.
“The compromised DLLs leverage the Session Traversal Utilities for NAT (STUN) protocol, which allows devices behind NAT to discover their public-facing IP address and port, making direct peer-to-peer connections possible,” WatchGuard explained.
“The reason attackers favor web conferencing traffic in these operations is that such traffic is typically noisy, hard to monitor closely, and WebRTC is widely supported across platforms used for web conferencing.”
Additionally, two more DLLs tied to the campaign—libffi-6.dll and libpng15.dll—use the Interactive Connectivity Establishment (ICE) protocol instead of STUN to accomplish similar aims. These particular files specifically target banks and financial institutions operating in Portugal, among them Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, and Santander. Also in the crosshairs are Revolut and Wise.
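The two observations above (side-loaded DLLs that carry well-known open-source library names, and STUN traffic originating from a process that is not a conferencing client) translate into two cheap triage checks a defender can run over endpoint telemetry. The following script is an added example written for this article; it is not code from WatchGuard or from the campaign. The four DLL names come from the report; the list of user-writable directories, the conferencing-app allowlist, and the sample events are assumptions constructed for the demonstration. The STUN header layout (message type, length, 0x2112A442 magic cookie, 96-bit transaction ID) follows RFC 5389.

```python
"""Triage heuristics for the Grandoreiro side-loading campaign (added example).

Host side: the report's DLL names (mingwm10.dll, libwebp.dll, libffi-6.dll,
libpng15.dll) are ordinary library names, so the name alone proves nothing.
A copy loaded from a user-writable directory, where a phishing-delivered
bundle typically lands, is what deserves a look.

Network side: STUN datagrams carry a fixed magic cookie at byte offset 4.
STUN from a process that is not a known conferencing client is unusual.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

STUN_MAGIC_COOKIE = 0x2112A442          # RFC 5389, section 6
STUN_BINDING_REQUEST = 0x0001

# DLL names taken from the WatchGuard report.
SIDELOAD_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}
# Assumed markers for user-writable locations (not from the report).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Assumed allowlist of processes expected to speak STUN/WebRTC.
CONFERENCING_ALLOWLIST = {"teams.exe", "zoom.exe", "chrome.exe", "msedge.exe"}


@dataclass
class ImageLoad:
    """Shape of a Sysmon Event ID 7 (image load) record, reduced to what we need."""
    process: str   # image name of the loading process
    dll_path: str  # full path of the DLL that was mapped


@dataclass
class UdpDatagram:
    """An outbound UDP datagram attributed to a process (e.g. from a sensor)."""
    process: str
    dst_port: int
    payload: bytes


def is_stun(payload: bytes) -> bool:
    """True if the payload has a well-formed STUN header (RFC 5389)."""
    if len(payload) < 20:
        return False
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    if msg_type & 0xC000:          # top two bits of the type are always zero
        return False
    if cookie != STUN_MAGIC_COOKIE:
        return False
    # Attribute section is 4-byte aligned and must fill the datagram exactly.
    return msg_len % 4 == 0 and len(payload) == 20 + msg_len


def suspicious_dll_loads(events: List[ImageLoad]) -> List[ImageLoad]:
    """Flag report-named DLLs mapped from user-writable locations."""
    hits = []
    for ev in events:
        name = ev.dll_path.rsplit("\\", 1)[-1].lower()
        lowered = ev.dll_path.lower()
        if name in SIDELOAD_DLLS and any(m in lowered for m in USER_WRITABLE_MARKERS):
            hits.append(ev)
    return hits


def suspicious_stun(datagrams: List[UdpDatagram]) -> List[UdpDatagram]:
    """Flag STUN traffic from processes outside the conferencing allowlist."""
    return [d for d in datagrams
            if is_stun(d.payload) and d.process.lower() not in CONFERENCING_ALLOWLIST]


def build_stun_binding_request(transaction_id: bytes = b"\x00" * 12) -> bytes:
    """Constructed sample: a minimal Binding Request with no attributes."""
    return struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + transaction_id


# Constructed sample telemetry: one benign load, one side-load candidate,
# one unrelated DLL from the same folder; one allowlisted STUN sender, one
# unexpected STUN sender, and a DNS query that must not be mistaken for STUN.
SAMPLE_LOADS = [
    ImageLoad("app.exe", r"C:\Program Files\VendorApp\libwebp.dll"),
    ImageLoad("app.exe", r"C:\Users\alice\Downloads\invoice\libwebp.dll"),
    ImageLoad("app.exe", r"C:\Users\alice\Downloads\invoice\zlib1.dll"),
]
SAMPLE_DATAGRAMS = [
    UdpDatagram("teams.exe", 3478, build_stun_binding_request()),
    UdpDatagram("app.exe", 3478, build_stun_binding_request(b"\x01" * 12)),
    UdpDatagram("app.exe", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                               b"\x07example\x03com\x00\x00\x01\x00\x01"),
]


def triage(loads: List[ImageLoad], datagrams: List[UdpDatagram]) -> Tuple[List[str], List[str]]:
    """Return human-readable findings for both heuristics."""
    dll_findings = [f"{e.process} loaded {e.dll_path}" for e in suspicious_dll_loads(loads)]
    net_findings = [f"{d.process} sent STUN to udp/{d.dst_port}" for d in suspicious_stun(datagrams)]
    return dll_findings, net_findings


if __name__ == "__main__":
    for finding in sum(triage(SAMPLE_LOADS, SAMPLE_DATAGRAMS), []):
        print("SUSPICIOUS:", finding)
```

Correlating the two lists by process name (here, `app.exe` appears in both) is what turns two weak signals into a strong one: a freshly downloaded application that both maps one of these DLLs from its own folder and starts speaking STUN matches the behaviour WatchGuard describes far more closely than either event alone.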

WatchGuard also uncovered an additional campaign relying on phishing emails to deliver a ZIP file hosted on Mediafire. Inside this archive sits an obfuscated Visual Basic Script that kicks off an executable, which presents a pop-up message instructing the user to update Adobe Reader through a button embedded in the alert.
Clicking the button starts a chain of checks designed to prevent detection and hinder researchers from analyzing the malware, all before it ultimately steals banking credentials and other sensitive details. Several observed tactics overlap with a previous Grandoreiro campaign Kaspersky outlined in October 2024.
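The delivery chain described above (archive, then an obfuscated Visual Basic Script, then an executable that shows a fake update prompt) leaves a recognisable process ancestry: a Windows script host running a .vbs from a user-writable folder, which in turn spawns an executable from a user-writable folder. The script below is an added example for this article, not code from WatchGuard or Kaspersky; it walks constructed process-creation records shaped like Sysmon Event ID 1 and reports such parent/child pairs. The script-host names are real Windows binaries; the directory markers and the sample events are assumptions.

```python
"""Process-ancestry check for the script-host-to-executable chain (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Real Windows script hosts that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed markers for locations an archive extractor or browser writes to.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\")


@dataclass
class ProcessEvent:
    """Reduced Sysmon Event ID 1 (process create) record."""
    pid: int
    ppid: int
    image: str    # full path of the new process
    cmdline: str  # command line of the new process


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(m in lowered for m in USER_WRITABLE_MARKERS)


def script_host_running_vbs(ev: ProcessEvent) -> bool:
    """True when a script host was started with a .vbs argument."""
    return basename(ev.image) in SCRIPT_HOSTS and ".vbs" in ev.cmdline.lower()


def find_vbs_to_exe_chains(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, ProcessEvent]]:
    """Return (script host, child) pairs where a .vbs launched an executable
    from a user-writable location. Parents are resolved by pid within the batch."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    chains = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if script_host_running_vbs(parent) and in_user_writable(child.image):
            chains.append((parent, child))
    return chains


def describe(chain: Tuple[ProcessEvent, ProcessEvent]) -> str:
    parent, child = chain
    return f"pid {parent.pid} ({basename(parent.image)}) -> pid {child.pid} ({child.image})"


# Constructed sample telemetry. The first three events model the chain in the
# article; the last two are benign noise (an admin script, a user opening Notepad).
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\Downloads\extract\invoice.vbs"'),
    ProcessEvent(300, 200, r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe"),
    ProcessEvent(400, 1, r"C:\Windows\System32\cscript.exe",
                 r'cscript.exe "C:\ProgramData\IT\inventory.vbs"'),
    ProcessEvent(500, 400, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    for chain in find_vbs_to_exe_chains(SAMPLE_EVENTS):
        print("SUSPICIOUS:", describe(chain))
```

The benign `cscript.exe` case shows why both halves of the condition matter: administrative .vbs scripts spawn child processes all the time, so the alert keys on the child being an executable that lives in a user-writable folder, not merely on a script host having children.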
“What matters most isn’t just that Grandoreiro remains operational,” WatchGuard noted. “It’s that profit-driven cybercriminals are rapidly adapting, hijacking legitimate services, and blending their activity into traffic that organizations may already consider trustworthy.”
“By layering phishing, DLL side-loading, WebRTC-based components, abuse of cloud services, and evasion checks, these campaigns demonstrate how banking malware is becoming far harder to catch relying solely on basic security defenses.”
BTMOB Offers Ready-Made Campaign Tools
At the same time, ESET released a report on BTMOB, an Android remote access trojan (RAT) that first appeared in February 2025. Its features include unlocking devices, taking screenshots, recording keystrokes, carrying out automated credential theft via HTML injections when specific apps are launched, and providing remote control. A later update added the ability to capture Alipay PIN codes.
“The RAT is distributed with an APK builder interface, which lets anyone quickly create customized payloads and tailor phishing lures for specific regions—with zero coding skills necessary,” said Daniel Cunha Barbosa, a researcher at ESET.
These off-the-shelf tools drastically cut down the time and effort required for attackers to fully compromise devices. The main infection vector is social engineering, where victims are sent links to counterfeit websites pretending to be streaming platforms or cryptocurrency mining services.
From these pages, users are rerouted to fake Google Play Store listings that fool them into downloading an Android package (APK) file packed with the malware. Once on the device, the malware requests permission to use Android’s accessibility services, then silently uses them to grant itself broader system access without requiring user interaction.
BTMOB is widely considered the successor to the CraxsRAT, CypherRAT, and SpySolr families. As of May 2026, the newest version is 4.5.5, promising improved APK protection and compatibility with the latest versions of Google Play.
“This release is all about speed and reliability,” wrote an X profile supposedly linked to the malware author on May 1, 2026. “We’ve scaled up our infrastructure and fine-tuned the builder so you stay ahead of the newest mobile security patches.”
The trojan is promoted by a threat actor known as EVLF (@craxso) at a subscription cost of $700 per month. A YouTube video shared by the developer on May 1, 2026, listed a lifetime license price of $1,200. For $7,000, buyers can obtain the full server source code, enabling them to host the command-and-control (C2) panels on their own servers.
As recently as this week, the X account also posted a link to a Medium article describing “how BTMOB RAT is turning Android phones into remote-controlled weapons,” noting it has been “evolving rapidly” since early 2025.
“It sneaks in through phishing websites, seizes accessibility services, and turns your phone into a puppet,” the article stated. “Hackers can watch your screen in real time, swipe banking data, and even mine cryptocurrency in the background while you’re scrolling through Instagram.”
Notably, the Medium article was published by an account calling itself “CraxsRAT Main developer.” The account’s bio presents its owner as a “skilled and resourceful cybercriminal who built a profitable cybercrime business by selling highly advanced RAT malware to other threat actors.”
The fact that BTMOB is sold under a malware-as-a-service (MaaS) model lowers the barrier to entry for less experienced cybercriminals. Concerns are amplified by reports that leaked versions are already spreading across underground forums and Telegram groups, raising the risk of misuse by copycats and aspiring cybercriminals.
“Access rarely stays controlled for long, and the tool can circulate into secondary markets through resale, trade, or sharing within private groups,” ESET explained. “Other competing malware families may also replicate elements that simplify payload customization and campaign management for less skilled attackers.”
In December 2025, Italian cybersecurity firm D3Lab published an analysis of the leaked BTMOB RAT development toolkit, revealing that it contained the Android payload source code, its dropper, a builder environment, a Windows operator panel, the C2 backend, and all software dependencies essential for deploying the entire platform.
“The BTMOB leak offers a rare window into the operations of a modern Android RAT-as-a-Service ecosystem,” D3Lab stated. “It shows that the threat actor operates not just as a developer selling a toolkit, but as a full-fledged service provider managing licensing, authentication, and version control for their clients.”