Grandoreiro DLL side-loading campaign targeting banks in Portugal
Campaign
Summary
Hide ▲
Show ▼
Grandoreiro is running a new DLL side-loading campaign against banks in Portugal, extending a long-lived banking-malware operation into 2026. The latest wave uses WebRTC-related communications and STUN/ICE traffic to make monitoring harder. It continues to arrive through phishing emails and targets a wider financial set that includes institutions in Spain, Portugal, and Mexico. The campaign matters because it combines delivery evasion with credential theft against trusted financial institutions.
Related Happenings
Ousaban banking trojan retooled for Spain and Portugal
Malware Activity
H score33
First: 01.07.2026 16:45
Last: 01.07.2026 16:45
Sources 1
About this happening:
The **Ousaban** banking trojan has been **retooled** to target **banking customers in Spain and Portugal**, raising the risk of **credential theft** and **bank fraud**. It uses **...
Ousaban banking trojan retooled for Spain and Portugal
Malware ActivityAbout this happening: The **Ousaban** banking trojan has been **retooled** to target **banking customers in Spain and Portugal**, raising the risk of **credential theft** and **bank fraud**. It uses **...
FishMonger multi-country government espionage campaign
Campaign
H score33
First: 16.06.2026 17:30
Last: 16.06.2026 17:30
Sources 1
About this happening:
**FishMonger** ran a **multi-country espionage campaign** against **government bodies** in **Honduras, Taiwan, Thailand and Pakistan** across **2023 and 2024**. The activity point...
FishMonger multi-country government espionage campaign
CampaignAbout this happening: **FishMonger** ran a **multi-country espionage campaign** against **government bodies** in **Honduras, Taiwan, Thailand and Pakistan** across **2023 and 2024**. The activity point...
BTMOB phishing campaign targeting Brazil and Latin America
Campaign
H score39
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources 1
About this happening:
**BTMOB** phishing activity is using localized fake-app lures to target users in **Brazil** and **Latin America**, increasing the risk of malicious installs and account compromise...
BTMOB phishing campaign targeting Brazil and Latin America
CampaignAbout this happening: **BTMOB** phishing activity is using localized fake-app lures to target users in **Brazil** and **Latin America**, increasing the risk of malicious installs and account compromise...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
How related:
Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively.
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware ActivityHow related: Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively.
About this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Mirax social media ad campaign targeting Spanish-speaking users
Campaign
H score44
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Mirax social media ad campaign targeting Spanish-speaking users
CampaignAbout this happening: The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Timeline
-
27.05.2026 19:10 2 articles · 1mo ago
Grandoreiro uses DLL side-loading against banks in Portugal
Initial DisclosureWatchGuard identifies a Grandoreiro campaign that uses DLL side-loading to target banks in Portugal, including institutions such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, Santander, Revolut, and Wise. The campaign launches DLLs developed in Delphi 11 and uses sgcWebSockets with WebRTC-related communications, along with STUN and ICE, to make monitoring harder while phishing emails continue to serve as a delivery path.
Show sources
- Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users — thehackernews.com — 27.05.2026 19:10
- Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users — thehackernews.com — 27.05.2026 19:10