Find notable cyber news and cases, enriched with sources, timelines, and signals.

BTMOB phishing campaign targeting Brazil and Latin America

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

BTMOB phishing activity is using localized fake-app lures to target users in Brazil and Latin America, increasing the risk of malicious installs and account compromise. The operation has been seen impersonating an Argentinian government agency and other trusted themes to make the download path look legitimate. The recurring lure pattern shows an active regional campaign rather than a one-off phishing attempt.

Related Happenings

Rokarolla device-profiling targeting campaign

Campaign
H score32 First: 16.06.2026 23:04 Last: 16.06.2026 23:04 Sources 1

About this happening: The **Rokarolla** Android campaign now profiles infected devices to assign a **unique identifier** to each victim, enabling repeated tracking and coordinated financial-fraud activ...

BTMOB Android MaaS platform expands low-code phishing payload production

Threat Actor Meta
H score21 First: 29.05.2026 00:10 Last: 29.05.2026 00:10 Sources 1

How related: Cybersecurity company ESET says that BTMOB is openly advertised on the clearweb and operates as a malware-as-a-service (MaaS) platform.

About this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
H score25 First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

How related: BTMOB is mostly active in Brazil and Latin America.

About this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...

Grandoreiro DLL side-loading campaign targeting banks in Portugal

Campaign
H score26 First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: **Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...

BTMOB Android RAT no-code builder malware activity

Malware Activity
H score28 First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

How related: The APK builder included in the offer provides easy customization of the payload without any need to code.

About this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...

Latest development: 29.05.2026 00:10

BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.

Timeline

  1. 29.05.2026 00:10 2 articles · 1mo ago

    BTMOB phishing campaigns target users in Brazil and Latin America

    Initial Disclosure

    BTMOB campaigns target users mainly in Brazil and Latin America through phishing websites masquerading as streaming services and cryptocurrency mining platforms, portals mimicking Google Play, and localized lures including an Argentinian government agency theme. The platform also generates custom phishing payloads tailored to the campaign topic and uses Google Play impersonation to drive fake app downloads.

    Show sources