Grandoreiro Banking Trojan Resurfaces Against Portuguese Banks and Latin American Firms
The Grandoreiro banking trojan has re-emerged in campaigns targeting Portuguese banks and organizations across Spain, Mexico, and Latin America, showing that the malware remains active despite earlier law-enforcement disruption. Researchers reported phishing-led delivery chains using ZIP archives, loaders disguised as PDFs, DLL side-loading, and malicious VBS scripts hosted through abused legitimate services. In earlier observed activity, the operators impersonated government entities such as the Attorney General's Office of Mexico City and Spain's Public Ministry to lure employees at manufacturing, automotive, machinery, and chemicals companies into opening malicious attachments.
The latest variants use stronger evasion and persistence techniques, including binary padding to roughly 400MB, CAPTCHA-based execution, Windows Registry persistence, geofencing, and anti-analysis checks. Once installed, Grandoreiro can steal credentials, log keystrokes, monitor the clipboard, enumerate antivirus products, cryptocurrency wallets, and e-banking applications, and display fake banking overlays, while blending command-and-control traffic through trusted cloud services including Google Cloud, Microsoft Azure, and Amazon. Brazilian police previously arrested suspects tied to Grandoreiro operations, but the renewed campaigns indicate the financially motivated group continues to operate across multiple countries.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
WatchGuard identifies new Grandoreiro campaigns and delivery chains
WatchGuard identified active Grandoreiro campaigns targeting Portuguese banks and organizations across Spain, Mexico, and Latin America. The campaigns used two delivery chains: DLL side-loading via phishing ZIP files and a geofenced malicious VBS script hosted through abused legitimate services.
Grandoreiro banking trojan becomes active
A later reference states that the Grandoreiro banking trojan has been active since 2016, establishing the start of the malware's known operations.
Forcepoint reports revived Grandoreiro campaign targeting Argentina, Mexico, and Spain
Forcepoint X-Labs reported a revived Grandoreiro phishing campaign targeting users in Mexico, Argentina, and Spain with emails impersonating tax agencies. The campaign used Contabo-hosted infrastructure, MediaFire-delivered ZIP archives, and an obfuscated VBS dropper that executed a Delphi payload communicating with command-and-control servers on unusual ports.
Brazilian police arrest Grandoreiro banking trojan suspects
The Record reported that Brazilian police made arrests in connection with the Grandoreiro banking malware case.
Researchers identify updated Grandoreiro variant and delivery chain
Researchers observed a Grandoreiro variant using phishing-delivered ZIP archives with a loader disguised as a PDF, followed by retrieval of a Delphi payload from a remote HTTP server. The variant added stronger anti-analysis and evasion features, including binary padding, CAPTCHA-based execution, registry persistence, and a DGA-based command-and-control system.
Grandoreiro campaign begins targeting firms in Spain and Mexico
Zscaler identified an ongoing Grandoreiro campaign that began in June 2022, targeting employees at a chemicals manufacturer in Spain and automotive and machinery companies in Mexico through phishing emails impersonating government entities.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Grandoreiro Banking Trojan Evades Security Controls
securityonline.info
Open sourceHackers Use Grandoreiro Malware to Target Portuguese Banks and Latin American Companies
cybersecuritynews.com
Open sourceGrandoreiro Malware Targets Europe and Latin America
watchguard.com
Open sourceGrandoreiro Trojan Distributed via Contabo-Hosted Servers in Phishing Campaigns
forcepoint.com
Open sourceBrazilian police make arrests in Grandoreiro banking malware case | The Record from Recorded Future News
therecord.media
Open sourceGrandoreiro banking malware targets manufacturers in Spain, Mexico
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Grandoreiro Banking Trojan Expands Global Reach and Evasion Tactics
Kaspersky reported that the **Grandoreiro** banking trojan has continued operating globally despite law-enforcement disruptions and arrests, expanding from targeting about **900 banks in 40 countries** in 2023 to roughly **1,700 banks and 276 crypto wallets across 45 countries and territories** in 2024. Telemetry recorded more than **150,000 blocked infection attempts** affecting over **30,000 users** worldwide between January and October 2024, underscoring the malware’s sustained scale and resilience. Recent Grandoreiro campaigns used phishing emails, malvertising, **MSI-based loaders**, **DLL sideloading**, oversized padded binaries, and **CAPTCHA-based sandbox evasion** to infect victims. Kaspersky said newer versions also introduced fragmented codebases, stronger encryption, three domain generation algorithms for command-and-control, and mouse-behavior tracking to evade fraud detection, while preserving core capabilities including remote machine control, credential theft, one-time-password harvesting through overlays, clipboard replacement for cryptocurrency theft, and fraudulent banking transactions; some legacy variants are now concentrating on targets in Mexico.
Jan 1, 2024
JanelaRAT Banking Trojan Expands Attacks on Latin American Financial Users
Researchers reported that **JanelaRAT**, a Latin America-focused banking trojan derived from **BX RAT**, is actively targeting online banking and cryptocurrency users, with the heaviest activity in **Brazil** and **Mexico** and additional campaigns observed in **Chile** and **Colombia**. Kaspersky said it recorded **14,739 detections in Brazil** and **11,695 in Mexico** during 2025, as the malware continued to evolve from earlier VBScript-and-ZIP delivery chains to newer phishing-led infections using **MSI droppers**, **DLL sideloading**, obfuscated **.NET** payloads, and persistence through **Startup-folder LNK files**. Recent activity also included deployment of a malicious Chromium extension disguised as legitimate software. Once installed, JanelaRAT monitors browser and window titles for hard-coded banking and financial targets, then opens interactive **TCP** and **HTTP** command-and-control channels to support screenshots, keylogging, input injection, cursor control, remote command execution, and session hijacking. The malware uses encrypted strings, anti-analysis checks, daily rotating dynamic DNS infrastructure, and user inactivity monitoring to evade detection and help operators time fraudulent transactions. A notable feature is its overlay system, which displays fake banking prompts and Windows update screens to steal credentials and **MFA** tokens while suppressing user interaction.
Apr 22, 2026
Astaroth Banking Trojan Campaign Abuses GitHub for Configuration Hosting
The Astaroth banking trojan has resurfaced with a new campaign that leverages GitHub repositories to host its malware configurations, significantly enhancing its resilience against takedown efforts. Security researchers from McAfee and other organizations have observed that, rather than relying solely on traditional command-and-control (C2) servers, the attackers are now using GitHub’s trusted infrastructure to store and distribute configuration files and redirection instructions. This approach allows the threat actors to dynamically update the trojan’s settings and switch to new C2 servers as needed, making it much more difficult for law enforcement and security teams to disrupt the campaign. The attack chain typically begins with phishing emails that lure victims into downloading a ZIP file, which contains a malicious LNK shortcut. When executed, this shortcut launches obfuscated JavaScript via mshta.exe, which then downloads several files, including an AutoIt script, the AutoIt interpreter, an encrypted payload, and an encrypted configuration file. The AutoIt script is responsible for building and executing shellcode in memory, which then loads a Delphi DLL. This DLL decrypts and injects the final Astaroth payload into a new RegSvc.exe process, allowing the malware to operate stealthily on the infected system. Astaroth is known for its fileless operation, anti-analysis techniques, and its ability to avoid US and English locales, focusing its attacks primarily on South American countries such as Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama, with some activity also noted in Portugal and Italy. The trojan monitors foreground windows for banking and cryptocurrency sites, and when detected, it hooks the keyboard to steal credentials via keylogging. Stolen data is exfiltrated to the attackers’ infrastructure using the Ngrok reverse proxy, further complicating efforts to trace or block the communications. Persistence is achieved by dropping a LNK file in the startup folder, ensuring the malicious AutoIt script runs on system reboot. Experts warn that the use of GitHub’s high-availability and trusted reputation not only makes takedowns more challenging but also raises concerns about the potential for the campaign to expand beyond its current regional focus. The campaign’s sophistication is further underscored by its use of public repositories for configuration management, allowing for rapid adaptation and continued operation even as individual C2 nodes are neutralized. Security professionals highlight that this method of infrastructure abuse is part of a broader trend, with adversaries increasingly exploiting legitimate cloud and code-hosting platforms to evade detection and maintain operational continuity. The campaign’s reliance on phishing as the initial infection vector underscores the ongoing importance of user awareness and email security controls. The technical complexity of the infection chain, including multiple layers of obfuscation and in-memory execution, demonstrates the evolving tactics of financially motivated cybercriminals. The campaign’s focus on banking credentials and cryptocurrency accounts indicates a clear intent to monetize stolen information. The use of AutoIt scripting and the ability to update configurations on the fly make this variant of Astaroth particularly challenging to defend against. Security experts recommend heightened vigilance, robust endpoint protection, and monitoring for suspicious use of legitimate platforms like GitHub in enterprise environments. The campaign serves as a reminder of the persistent threat posed by banking trojans and the need for adaptive, multi-layered defense strategies.
Mar 21, 2026