
Grandoreiro Banking Trojan Expands Global Reach with New Campaigns

Severity: High (Score: 69.5)

Sources: www.ibm.com, securelist.com, Rescana, Cybersecuritynews

Published: 2026-05-28 · Updated: 2026-05-28

Keywords: grandoreiro, banking, trojan, analysis, malware, campaigns, x-force

Severity indicators: rce, malware, trojan, banking

Summary

The Grandoreiro banking trojan, active since 2016, has intensified its phishing campaigns targeting over 1,700 banks and financial institutions across 60 countries, including recent operations in South Africa and Europe. Initially focused on Latin America, it now employs advanced techniques like domain generation algorithms (DGA) and phishing emails impersonating government entities. The malware is distributed via malicious links and ZIP files, often disguised as legitimate documents. Despite law enforcement actions against its operators, the trojan continues to evolve, indicating a resilient cybercrime syndicate. The latest campaigns have resulted in significant financial losses, with estimates of 3.5 million euros in Spain alone. Security experts warn of the trojan's adaptability and the growing risk it poses to global financial systems.

Key Points:

  • Grandoreiro targets over 1,700 banks in 60 countries, expanding its global footprint.
  • Recent campaigns include phishing emails impersonating government agencies in Mexico and South Africa.
  • The malware employs advanced evasion techniques, making detection challenging for security solutions.

Detailed Analysis

**Impact**

Grandoreiro targets over 1,500 banks globally, affecting financial institutions and their customers across Latin America, Europe, Africa, and the Indo-Pacific, including Mexico, Argentina, South Africa, Spain, Portugal, and Japan. The trojan has caused estimated fraudulent profits of at least €3.5 million in Spain alone, with potential losses exceeding €110 million. The campaigns also target 276 cryptocurrency wallets, expanding the scope beyond traditional banking sectors. The malware's expansion into new regions and sectors increases the risk of widespread financial fraud and operational disruption.

**Technical Details**

Infection begins with phishing emails impersonating tax and financial authorities, delivering ZIP archives that contain obfuscated loaders and executables disguised as PDFs or Adobe Reader updates. Grandoreiro uses DLL side-loading, multiple domain generation algorithms (DGAs), ciphertext-stealing encryption, and mouse behavior tracking to evade detection and bypass anti-fraud measures. The malware employs advanced anti-analysis techniques, including CAPTCHA, anti-VM, and sandbox evasion, and uses WebRTC and P2P protocols for stealthy command-and-control communications. Campaigns leverage Microsoft Outlook clients on infected hosts for lateral phishing. The malware is modular, enabling real-time web injection and session hijacking to bypass multi-factor authentication. No exploited CVEs were specified.

**Recommended Response**

Deploy and update endpoint detection solutions to identify obfuscated executables and DLL side-loading behavior. Block known IOCs, including phishing domains and ZIP file hashes associated with Grandoreiro loaders. Harden email gateways to detect and quarantine phishing emails impersonating tax and financial authorities, and disable macros and script execution from email attachments. Monitor network traffic for anomalous WebRTC and P2P connections, and implement multi-factor authentication with anomaly detection to mitigate session hijacking risks. No specific patches were mentioned; continuous monitoring of phishing campaigns and threat intelligence sharing is advised.
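The response guidance above asks defenders to block known ZIP and loader hashes and to catch executables shipped inside archives under document-like names. The following is an added example of how a mail-gateway or triage script could apply both checks to an attachment; it is not code from any of the source vendors. The MD5 set is the list of hashes given on this page; the extension heuristics and the constructed sample archive are assumptions made for the example.

```python
import hashlib
import io
import zipfile

# MD5 values listed on this page as Grandoreiro-related indicators.
KNOWN_MD5 = {
    "150de04cb34fdc5fd131e342fe4df638",
    "43eec7f0fecf58c71a9446f56def0240",
    "49355fd0d152862e9c8e3ca3bbc55eb0",
    "555856076fad10b2c0c155161fb9384b",
    "6e118ef44fd94137dbe394f53c1b8a46",
    "be96e7f80bf43206d4db7921b6d6aa10",
    "d005abe0a29b53c5995a10ce540cc2ff",
    "dd2ea25752751c8fb44da2b23daf24a4",
    "f0243296c6988a3bce24f95035ab4885",
    "fb3d843d35c66f76b1b1b88260ad2009",
}

# Assumed heuristics: executable extensions and the document extensions
# typically used as decoys in double-extension names such as "Factura.pdf.exe".
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".msi", ".vbs", ".js", ".cmd", ".bat", ".lnk")
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")


def has_double_extension(name: str) -> bool:
    """True for names like 'report.pdf.exe' (decoy document extension + executable)."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    return ("." + parts[-1]) in EXEC_EXTS and ("." + parts[-2]) in DECOY_EXTS


def is_pe(data: bytes) -> bool:
    """Cheap check for a Windows PE image: DOS header magic 'MZ'."""
    return data[:2] == b"MZ"


def scan_zip_bytes(data: bytes, known_md5=KNOWN_MD5):
    """Return (member, rule, detail) findings for a ZIP attachment held in memory."""
    findings = []
    archive_md5 = hashlib.md5(data).hexdigest()
    if archive_md5 in known_md5:
        findings.append(("<archive>", "known-ioc-md5", archive_md5))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            md5 = hashlib.md5(content).hexdigest()
            if md5 in known_md5:
                findings.append((info.filename, "known-ioc-md5", md5))
            if has_double_extension(info.filename):
                findings.append((info.filename, "double-extension", info.filename))
            # A PE image whose name does not end in an executable extension is the
            # "executable disguised as a PDF" pattern described in the analysis.
            if is_pe(content) and not info.filename.lower().endswith(EXEC_EXTS):
                findings.append((info.filename, "pe-with-nonexec-extension", md5))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real campaign artifact) with three members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Factura.pdf.exe", b"MZ" + b"\x00" * 62)      # double extension
        zf.writestr("Nota_Fiscal.pdf", b"MZ" + b"\x00" * 62)      # PE disguised as PDF
        zf.writestr("readme.txt", b"benign text")                  # harmless member
    return buf.getvalue()


if __name__ == "__main__":
    for member, rule, detail in scan_zip_bytes(build_sample_zip()):
        print(f"{rule:28} {member:20} {detail}")
```

In production the `known_md5` set would be fed from the threat-intelligence feed rather than hard-coded, and a hit on any rule should quarantine the message rather than merely log it; the PE-magic check in particular is independent of the filename the sender chose.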

Source articles (4)

  • Hackers Use Grandoreiro Malware to Target Portuguese Banks and Latin American Companies — Cybersecuritynews · 2026-05-27
    A banking trojan that has been quietly operating since 2016 is making headlines again. Grandoreiro, one of the most widespread banking malware strains globally, has resurfaced with fresh campaigns tar…
  • Active Exploitation Alert: Grandoreiro Banking Trojan and BTMOB RAT Targeting Windows ... — Rescana · 2026-05-28
    The cybersecurity landscape is witnessing a surge in sophisticated malware campaigns targeting both Windows and Android platforms, with the emergence of the Grandoreiro banking trojan and the BTMOB RA…
  • Kaspersky Grandoreiro Analysis — securelist.com · 2026-05-28
    Grandoreiro is a well-known Brazilian banking trojan — part of the Tetrade umbrella — that enables threat actors to perform fraudulent banking operations by using the victim’s computer to bypass the s…
  • IBM X-Force Grandoreiro Analysis — www.ibm.com · 2026-05-28
    Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis…

Timeline

  • 2024-01-01 — Law enforcement actions disrupt Grandoreiro operations: Multiple arrests of Grandoreiro operators in Brazil and Spain occur, but remaining members continue their activities.
  • 2024-03-01 — IBM X-Force begins tracking Grandoreiro campaigns: IBM X-Force identifies large-scale phishing campaigns distributing the Grandoreiro trojan, marking a significant uptick in activity.
  • 2026-05-28 — New phishing campaigns reported: IBM X-Force reports Grandoreiro phishing campaigns targeting users in South Africa and Europe, indicating a shift in strategy.
  • 2026-05-28 — Kaspersky reports financial losses in Spain: Grandoreiro is linked to fraudulent activities in Spain, with estimated profits of 3.5 million euros from its operations.
  • Recent — Global threat assessment issued: Cybersecurity experts warn of the escalating threat posed by Grandoreiro, highlighting its resilience and adaptability.

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Trojan (Attack Type)
  • Abanca (Company)
  • Banco De Portugal (Company)
  • BBVA PT (Company)
  • Caixa Geral Depositos (Company)
  • Revenue Service Of Argentina (Company)
  • Revolut (Company)
  • Santander (Company)
  • Secretary Of Administration And Finance For The City Of Mexico (Company)
  • Wise (Company)
  • Argentina (Country)
  • Belgium (Country)
  • Brazil (Country)
  • Chile (Country)
  • Colombia (Country)
  • Italy (Country)
  • Japan (Country)
  • Mexico (Country)
  • Netherlands (Country)
  • Portugal (Country)
  • South Africa (Country)
  • Spain (Country)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • CWE-79 - Cross-site Scripting (XSS) (Cwe)
  • azure.com (Domain)
  • cfe.mx (Domain)
  • cloudapp.azure.com (Domain)
  • dnsfor.me (Domain)
  • kaspersky.com (Domain)
  • neat-url.com (Domain)
  • other.com (Domain)
  • pjohconstruccionescpaz.com (Domain)
  • rescana.com (Domain)
  • rufnag.com (Domain)
  • wise.it (Domain)
  • yhsp.rufnag.com (Domain)
  • zpmbnoxf.crazydocuments.com (Domain)
  • [email protected] (Email)
  • [email protected] (Email)
  • [email protected] (Email)
  • [email protected] (Email)
  • [email protected] (Email)
  • Financial (Industry)
  • BTMob RAT (Malware)
  • Grandoreiro (Malware)
  • 150de04cb34fdc5fd131e342fe4df638 (Md5)
  • 43eec7f0fecf58c71a9446f56def0240 (Md5)
  • 49355fd0d152862e9c8e3ca3bbc55eb0 (Md5)
  • 555856076fad10b2c0c155161fb9384b (Md5)
  • 6e118ef44fd94137dbe394f53c1b8a46 (Md5)
  • be96e7f80bf43206d4db7921b6d6aa10 (Md5)
  • d005abe0a29b53c5995a10ce540cc2ff (Md5)
  • dd2ea25752751c8fb44da2b23daf24a4 (Md5)
  • f0243296c6988a3bce24f95035ab4885 (Md5)
  • fb3d843d35c66f76b1b1b88260ad2009 (Md5)
  • T1059.005 - Visual Basic (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1547.001 - Registry Run Keys / Startup Folder (Mitre Attack)
  • T1566.001 - Spearphishing Attachment (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1574 - Hijack Execution Flow (Mitre Attack)
  • Android (Platform)
  • Microsoft Outlook (Platform)
  • Windows (Platform)
  • Delphi (Tool)
  • SgcWebSockets (Tool)
  • ZipForge (Tool)