Grandoreiro

Grandoreiro is a long-running Brazilian banking trojan active since at least 2016 and described in the provided reporting as one of the most widespread banking malware families globally. It primarily targets Windows systems and has been used in aggressive phishing campaigns against banking customers, banks, and companies across Latin America and Europe, including Portugal, Spain, Mexico, Argentina, and Brazil. Reporting also states it is capable of stealing credentials associated with thousands of financial institutions across 45 countries and territories.

Observed delivery methods include phishing emails with malicious attachments or links, ZIP archives, highly obfuscated VBS scripts, MSI installers, direct executables, and DLL side-loading through legitimate software such as FastStone Image Viewer, MinGW, FreeMat, AbiWord, GoToMeeting, and Nero WiFi+Transfer. Recent campaigns used geofenced fake pages on abused Contabo infrastructure, MediaFire and Dropbox-hosted payloads, fake Adobe Reader update prompts, and ClickFix/ClearFake-style fake reCAPTCHA chains. One campaign used a batch dropper to download payloads from 177.136.230.88/modulo/ and establish persistence via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g2mstart while adding Microsoft Defender exclusions.

Grandoreiro is consistently described as Delphi-compiled malware. Reported capabilities include credential theft, stealing cookie data and credentials from Google Chrome, keylogging, clipboard monitoring, browser redirection, command execution, window manipulation, fake banking overlays/web injects, simulated mouse and keyboard movements, auto-update functionality, and exfiltration of collected data to command-and-control servers. It has also been observed collecting host information such as system GUID, computer name, language-related registry data, antivirus products, cryptocurrency wallet presence, e-banking applications, and checks for directories such as C:\Program Files (x86)\Bitcoin. In Brazil-focused campaigns, embedded overlays targeted Banco do Brasil, Bradesco, Caixa Econômica Federal, Itaú Unibanco, Santander, Sicoob, Sicredi, and Unicred, and impersonated banking security brands including GAS Tecnologia, Topaz OFD Anti-Fraud Intelligence, and Trusteer IBM. Those overlays were used to capture card passwords, electronic signatures, QR or BB-code validation codes, device serial numbers, and PIX confirmation codes; PIX QR-code interception and clipboard manipulation were also reported.

The malware uses multiple command-and-control mechanisms and evasion techniques. Reporting states it can use SSL for C2, send and receive C2 data via web services including Google Sites, and obtain C2 information from Google Docs. Other campaigns used AWS-hosted endpoints such as 18.212.216.95:42195 requesting /AudioCoreBCPbSecureNexusLink.xml, with 98.81.92.194:30154 also listed as a C2 endpoint. WatchGuard reporting described malicious DLLs using WebRTC-related protocols including STUN and ICE, plus integrations with Google Cloud Pub/Sub, Azure MQTT, Amazon MQTT, and the Binance API to blend traffic into noisy, legitimate-looking communications.

Grandoreiro includes substantial anti-analysis and defense-evasion functionality. Reported behaviors include API hooking, killing processes, breaking file system paths, changing ACLs to prevent security tools from running, anti-debugging via division-by-zero and UD2 instructions, deliberate execution errors, reverse-engineering and sandbox checks, geolocation verification through hxxp://ip-api.com/json, checks for analyst tools, suspicious execution paths, VMware-related registry keys, installed antivirus products via WMI, and the presence of software such as Google Chrome, FileZilla Client, CCleaner, Firefox, Acrobat Reader DC, Microsoft Edge, Skype, and Diamond Model. Some variants used CAPTCHA checks, binary padding to 400 MB, stolen code-signing certificates, and a DGA-based C2 system. Grandoreiro can also store configuration under HKCU\Software\ using frequently changing names including %USERNAME% and ToolTech-RM.

The malware is associated with the Brazilian banking malware ecosystem and is referenced as part of the Tetrade group in the provided content. It has also been historically linked in reporting to threat activity tracked by TA2725. Law-enforcement actions in 2021 and 2024 reportedly disrupted parts of the operation and led to arrests in Spain, Brazil, and Argentina, but the content states the malware remained active and re-emerged with updated variants in 2025 and 2026.

High-confidence indicators and artifacts mentioned in the content include domains and infrastructure such as uniaodownloadcnk.online, vmi<7-digit-number>.contaboserver.net, canalmodup.com, 177.136.230.88, 18.212.216.95:42195, 98.81.92.194:30154, 162.33.177.150, MediaFire and Dropbox-hosted payloads, and malicious DLL names including libwebp.dll, mingw10.dll, libffi-6.dll, libpng15.dll, g2m.dll, and Drivespan.dll.