BTMOB phishing campaign targeting Brazil and Latin America
Campaign
Summary
BTMOB phishing activity is using localized fake-app lures to target users in Brazil and Latin America, increasing the risk of malicious installs and account compromise. The operation has been seen impersonating an Argentinian government agency and other trusted themes to make the download path look legitimate. The recurring lure pattern shows an active regional campaign rather than a one-off phishing attempt.
Related Happenings
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor Meta
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources 1
How related:
Cybersecurity company ESET says that BTMOB is openly advertised on the clearweb and operates as a malware-as-a-service (MaaS) platform.
About this happening:
**BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
How related:
BTMOB is mostly active in Brazil and Latin America.
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Grandoreiro DLL side-loading campaign targeting banks in Portugal
Campaign
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...
BTMOB Android RAT no-code builder malware activity
Malware Activity
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
How related:
The APK builder included in the offer provides easy customization of the payload without any need to code.
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America through phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals; custom lures have included an Argentinian government agency theme.
BTMOB phishing campaign targeting Android users in Brazil and beyond
Campaign
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
The **BTMOB phishing distribution campaign** is pushing **malicious APKs** through **fake app stores**, expanding Android compromise risk across **Brazil and beyond**. Operators l...
Timeline
- 29.05.2026 00:10, 2 articles
BTMOB phishing campaigns target users in Brazil and Latin America
Initial Disclosure: BTMOB campaigns target users mainly in Brazil and Latin America through phishing websites masquerading as streaming services and cryptocurrency mining platforms, portals mimicking Google Play, and localized lures including an Argentinian government agency theme. The platform also generates custom phishing payloads tailored to the campaign topic and uses Google Play impersonation to drive fake app downloads.
Sources:
- BTMOB Android malware service generates custom phishing payloads — www.bleepingcomputer.com — 29.05.2026 00:10