Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users

Banking trojans Grandoreiro and BTMOB are actively targeting financial institutions and users across Latin America and Europe. WatchGuard and ESET researchers identified coordinated campaigns deploying Grandoreiro on Windows systems in Spain, Portugal, and Mexico, while BTMOB infects Android devices primarily affecting Brazilian mobile users.

Grandoreiro operates as a banking trojan designed to intercept financial transactions and steal credentials from compromised Windows machines. The malware typically spreads through phishing emails and malicious attachments, allowing attackers to establish persistent access to corporate networks and individual systems. BTMOB functions as a remote access trojan (RAT) on Android, enabling attackers to execute commands, monitor device activity, and capture sensitive banking information directly from mobile phones.

The geographic focus on Latin America and Europe reflects the banking trojans' targeting of high-value financial sectors. Spain and Portugal represent significant banking markets in Europe, while Mexico and Brazil contain large populations of digital banking users with substantial transaction volumes. This makes both regions attractive to financially motivated threat actors.

Organizations in affected regions should implement robust email filtering to block phishing campaigns that distribute these trojans. Windows users need current antivirus software and should avoid opening suspicious attachments. Android users should only install applications from official app stores and verify app permissions before installation.

The dual-platform attack demonstrates how threat actors now develop malware families targeting both desktop and mobile environments simultaneously. This approach expands infection vectors and increases the likelihood of compromising target organizations across multiple device types. Financial institutions should heighten monitoring of transaction patterns for signs of trojan activity, including unusual account access, unauthorized transfers, or credential compromise indicators.

These campaigns underline the persistent threat banking trojans pose to financial services sectors and individual users holding mobile banking credentials. Continuous monitoring and user education remain essential defenses against these threats.