Grandoreiro Banking Trojan Expands Global Reach and Evasion Tactics
Kaspersky reported that the Grandoreiro banking trojan has continued operating globally despite law-enforcement disruptions and arrests, expanding from targeting about 900 banks in 40 countries in 2023 to roughly 1,700 banks and 276 crypto wallets across 45 countries and territories in 2024. Telemetry recorded more than 150,000 blocked infection attempts affecting over 30,000 users worldwide between January and October 2024, underscoring the malware’s sustained scale and resilience.
Recent Grandoreiro campaigns used phishing emails, malvertising, MSI-based loaders, DLL sideloading, oversized padded binaries, and CAPTCHA-based sandbox evasion to infect victims. Kaspersky said newer versions also introduced fragmented codebases, stronger encryption, three domain generation algorithms for command-and-control, and mouse-behavior tracking to evade fraud detection, while preserving core capabilities including remote machine control, credential theft, one-time-password harvesting through overlays, clipboard replacement for cryptocurrency theft, and fraudulent banking transactions; some legacy variants are now concentrating on targets in Mexico.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Grandoreiro expands to 1,700 banks and 276 crypto wallets
In 2024, Kaspersky reports Grandoreiro expanded its targeting from 900 banks in 40 countries to 1,700 banks and 276 crypto wallets in 45 countries and territories. The malware also evolved with fragmented codebases, stronger encryption, DGAs, and anti-analysis features.
Law enforcement disruptions and arrests hit Grandoreiro in 2024
The reference says Grandoreiro also faced law enforcement disruptions and arrests in 2024. Despite those actions, the malware operation continued globally.
Grandoreiro targets 900 banks in 40 countries in 2023
According to Kaspersky, Grandoreiro targeted 900 banks across 40 countries in 2023. This establishes the scale of the malware's operations before its later expansion in 2024.
Kaspersky records 150,000 blocked Grandoreiro infections
From January to October 2024, Kaspersky telemetry recorded more than 150,000 blocked Grandoreiro infections affecting over 30,000 users worldwide. This provides a measured view of the campaign's impact during that period.
Law enforcement disruptions and arrests hit Grandoreiro in 2021
The reference says Grandoreiro continued operating despite law enforcement disruptions and arrests in 2021. This indicates authorities took action against actors tied to the malware that year.
Grandoreiro banking trojan becomes active
Kaspersky states that the Grandoreiro banking trojan has been active since at least 2016. The malware is described as a Brazilian banking trojan that continued operating globally in subsequent years.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Grandoreiro Banking Trojan Resurfaces Against Portuguese Banks and Latin American Firms
The **Grandoreiro** banking trojan has re-emerged in campaigns targeting Portuguese banks and organizations across Spain, Mexico, and Latin America, showing that the malware remains active despite earlier law-enforcement disruption. Researchers reported phishing-led delivery chains using ZIP archives, loaders disguised as PDFs, **DLL side-loading**, and malicious **VBS** scripts hosted through abused legitimate services. In earlier observed activity, the operators impersonated government entities such as the Attorney General's Office of Mexico City and Spain's Public Ministry to lure employees at manufacturing, automotive, machinery, and chemicals companies into opening malicious attachments. The latest variants use stronger evasion and persistence techniques, including binary padding to roughly **400MB**, CAPTCHA-based execution, Windows Registry persistence, geofencing, and anti-analysis checks. Once installed, Grandoreiro can steal credentials, log keystrokes, monitor the clipboard, enumerate antivirus products, cryptocurrency wallets, and e-banking applications, and display fake banking overlays, while blending command-and-control traffic through trusted cloud services including **Google Cloud**, **Microsoft Azure**, and **Amazon**. Brazilian police previously arrested suspects tied to Grandoreiro operations, but the renewed campaigns indicate the financially motivated group continues to operate across multiple countries.
Jun 2, 2026
JanelaRAT Banking Trojan Expands Attacks on Latin American Financial Users
Researchers reported that **JanelaRAT**, a Latin America-focused banking trojan derived from **BX RAT**, is actively targeting online banking and cryptocurrency users, with the heaviest activity in **Brazil** and **Mexico** and additional campaigns observed in **Chile** and **Colombia**. Kaspersky said it recorded **14,739 detections in Brazil** and **11,695 in Mexico** during 2025, as the malware continued to evolve from earlier VBScript-and-ZIP delivery chains to newer phishing-led infections using **MSI droppers**, **DLL sideloading**, obfuscated **.NET** payloads, and persistence through **Startup-folder LNK files**. Recent activity also included deployment of a malicious Chromium extension disguised as legitimate software. Once installed, JanelaRAT monitors browser and window titles for hard-coded banking and financial targets, then opens interactive **TCP** and **HTTP** command-and-control channels to support screenshots, keylogging, input injection, cursor control, remote command execution, and session hijacking. The malware uses encrypted strings, anti-analysis checks, daily rotating dynamic DNS infrastructure, and user inactivity monitoring to evade detection and help operators time fraudulent transactions. A notable feature is its overlay system, which displays fake banking prompts and Windows update screens to steal credentials and **MFA** tokens while suppressing user interaction.
Apr 22, 2026
Astaroth Banking Trojan Campaign Abuses GitHub for Configuration Hosting
The Astaroth banking trojan has resurfaced with a new campaign that leverages GitHub repositories to host its malware configurations, significantly enhancing its resilience against takedown efforts. Security researchers from McAfee and other organizations have observed that, rather than relying solely on traditional command-and-control (C2) servers, the attackers are now using GitHub’s trusted infrastructure to store and distribute configuration files and redirection instructions. This approach allows the threat actors to dynamically update the trojan’s settings and switch to new C2 servers as needed, making it much more difficult for law enforcement and security teams to disrupt the campaign. The attack chain typically begins with phishing emails that lure victims into downloading a ZIP file, which contains a malicious LNK shortcut. When executed, this shortcut launches obfuscated JavaScript via mshta.exe, which then downloads several files, including an AutoIt script, the AutoIt interpreter, an encrypted payload, and an encrypted configuration file. The AutoIt script is responsible for building and executing shellcode in memory, which then loads a Delphi DLL. This DLL decrypts and injects the final Astaroth payload into a new RegSvc.exe process, allowing the malware to operate stealthily on the infected system. Astaroth is known for its fileless operation, anti-analysis techniques, and its ability to avoid US and English locales, focusing its attacks primarily on South American countries such as Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama, with some activity also noted in Portugal and Italy. The trojan monitors foreground windows for banking and cryptocurrency sites, and when detected, it hooks the keyboard to steal credentials via keylogging. Stolen data is exfiltrated to the attackers’ infrastructure using the Ngrok reverse proxy, further complicating efforts to trace or block the communications. Persistence is achieved by dropping a LNK file in the startup folder, ensuring the malicious AutoIt script runs on system reboot. Experts warn that the use of GitHub’s high-availability and trusted reputation not only makes takedowns more challenging but also raises concerns about the potential for the campaign to expand beyond its current regional focus. The campaign’s sophistication is further underscored by its use of public repositories for configuration management, allowing for rapid adaptation and continued operation even as individual C2 nodes are neutralized. Security professionals highlight that this method of infrastructure abuse is part of a broader trend, with adversaries increasingly exploiting legitimate cloud and code-hosting platforms to evade detection and maintain operational continuity. The campaign’s reliance on phishing as the initial infection vector underscores the ongoing importance of user awareness and email security controls. The technical complexity of the infection chain, including multiple layers of obfuscation and in-memory execution, demonstrates the evolving tactics of financially motivated cybercriminals. The campaign’s focus on banking credentials and cryptocurrency accounts indicates a clear intent to monetize stolen information. The use of AutoIt scripting and the ability to update configurations on the fly make this variant of Astaroth particularly challenging to defend against. Security experts recommend heightened vigilance, robust endpoint protection, and monitoring for suspicious use of legitimate platforms like GitHub in enterprise environments. The campaign serves as a reminder of the persistent threat posed by banking trojans and the need for adaptive, multi-layered defense strategies.
Mar 21, 2026