Grandoreiro DLL side-loading campaign targeting banks in Portugal

Campaign
Happening score: 40
1 unique source, 1 article

Summary

Grandoreiro is running a new DLL side-loading campaign against banks in Portugal, extending a long-lived banking-malware operation into 2026. The latest wave uses WebRTC-related communications and STUN/ICE traffic to make monitoring harder. It continues to arrive through phishing emails and targets a wider set of financial institutions, including ones in Spain, Portugal, and Mexico. The campaign matters because it combines delivery evasion with credential theft against trusted financial institutions.

Related Happenings

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

How related: Latin America and Europe are the targets of two banking trojan campaigns designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively.

About this happening: The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...

Mirax social media ad campaign targeting Spanish-speaking users

Campaign
First: 13.04.2026 17:30 Last: 13.04.2026 17:30 Sources 1

About this happening: The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...

Perseus IPTV-lure distribution campaign targeting Europe and the Middle East

Campaign
First: 19.03.2026 14:43 Last: 19.03.2026 14:43 Sources 1

About this happening: The **Perseus** distribution campaign is actively pushing **Android malware** through **phishing sites** and **IPTV-lure apps**, increasing the risk of **device takeover** and **f...

Massiv fake IPTV SMS-phishing campaign

Campaign
First: 19.02.2026 12:24 Last: 19.02.2026 12:24 Sources 1

About this happening: The **Massiv** distribution campaign is using **SMS phishing** and **fake IPTV apps** to deliver Android malware, creating a direct path to **mobile banking theft** and **device t...

Massiv Android trojan device-takeover and credential-theft activity

Malware Activity
First: 19.02.2026 12:24 Last: 19.02.2026 12:24 Sources 1

About this happening: The **Massiv** Android trojan has been disclosed as a **device-takeover** threat that can steal banking credentials and enable fraudulent transactions. It uses **screen streaming*...

Timeline

  1. 27.05.2026 19:10 2 articles · 6h ago

    Grandoreiro uses DLL side-loading against banks in Portugal

    Initial Disclosure

    WatchGuard identifies a Grandoreiro campaign that uses DLL side-loading to target banks in Portugal, including institutions such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, Santander, Revolut, and Wise. The campaign launches DLLs developed in Delphi 11 and uses sgcWebSockets with WebRTC-related communications, along with STUN and ICE, to make monitoring harder while phishing emails continue to serve as a delivery path.
