Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
Happening score: 36
1 unique source, 1 article

Summary

The Grandoreiro and BTMOB trojans are being used in active campaigns against Windows and Android targets across Europe and Latin America, increasing the risk of credential theft, banking theft, and remote control. Grandoreiro is spreading through phishing emails and DLL side-loading while using WebRTC/STUN/ICE-related traffic to blend in with normal conferencing flows. BTMOB is delivered through social engineering, fake Google Play listings, and malicious APK installs, then abuses accessibility services to seize device control. The activity shows two evolving malware families adapting delivery and concealment techniques to reach companies and mobile users in multiple regions.

Related Happenings

Grandoreiro DLL side-loading campaign targeting banks in Portugal

Campaign
First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

How related: The Grandoreiro campaign "uses the DLL Side-Loading technique abusing four different software, targeting banks in Portugal," WatchGuard researcher Euler Neto said.

About this happening: **Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...

BTMOB Android RAT no-code builder malware activity

Malware Activity
First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

About this happening: The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....

Mirax Android banking trojan with residential proxy nodes

Malware Activity
First: 13.04.2026 17:30 Last: 13.04.2026 17:30 Sources 1

About this happening: Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...

Perseus Android malware family actively distributed in the wild

Malware Activity
First: 19.03.2026 14:43 Last: 19.03.2026 14:43 Sources 1

About this happening: The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...

VENON Rust-based banking malware targeting Brazilian Windows users

Malware Activity
First: 12.03.2026 19:31 Last: 12.03.2026 19:31 Sources 1

About this happening: Researchers disclosed **VENON**, a new **Rust-based banking malware** aimed at **Brazilian Windows users**, raising the risk of **credential theft** through fake banking overlays....

Timeline

  1. 27.05.2026 19:10 1 article · 6h ago

    BTMOB operator advertises pricing and builder access

    Campaign Scope Update

    The BTMOB operator posts a May 1, 2026 update about faster infrastructure and a refined builder, and a shared video advertises the Android RAT with a $1,200 lifetime license. The post positions BTMOB as ready-made malware tooling available to customers seeking rapid campaign deployment.

  2. 27.05.2026 19:10 2 articles · 6h ago

    WatchGuard and ESET disclose Grandoreiro and BTMOB banking trojan campaigns

    Initial Disclosure

    WatchGuard and ESET identify two active banking trojan campaigns in Latin America and Europe, with Grandoreiro targeting Windows and BTMOB targeting Android. The activity singles out companies in Spain, Portugal, and Mexico, along with mobile users in Brazil, and relies on phishing, DLL side-loading, WebRTC-related components, and fake Google Play distribution to reach victims.