According to research from WatchGuard and ESET, two concurrent malware campaigns, Grandoreiro (Windows) and BTMOB RAT (Android), are actively targeting financial institutions and their customers across Europe and Latin America in 2026.
Grandoreiro, a long-running banking trojan active since 2016, has adopted advanced DLL side-loading techniques to target banking institutions in Spain, Portugal, and Mexico, including Abanca, Banco de Portugal, and Santander. Simultaneously, BTMOB RAT, a modular Android remote access trojan first observed in February 2025, is being offered as a Malware-as-a-Service platform by the threat actor EVLF for USD 700 per month or USD 1,200 for a lifetime license.
BTMOB enables full device compromise, banking credential theft, and remote device control, while Grandoreiro focuses on web injection and session hijacking of online banking platforms. Organizations across the UAE and broader MENA region that maintain banking relationships with European and Latin American institutions, as well as users conducting financial transactions through Android devices, face elevated risk from these ongoing campaigns.
Grandoreiro employs a multi-stage DLL side-loading infection chain. WatchGuard researcher Euler Neto identified the campaign abusing legitimate software packages to load malicious DLL files. This technique allows malicious code to execute within the trusted process context of legitimate applications, bypassing application control mechanisms and endpoint security solutions that rely on process reputation.
The malware utilizes the sgcWebSockets library to establish command-and-control communications through peer-to-peer and Web Real-Time Communication channels. By leveraging Session Traversal Utilities for NAT and Interactive Connectivity Establishment protocols, Grandoreiro blends malicious traffic with legitimate web conferencing communications, making network-level detection significantly more difficult. The malware is highly modular and can dynamically update its target bank list, enabling operators to add or remove financial institutions as required. It performs real-time web injection within banking sessions to harvest credentials, session tokens, and authentication information directly from users interacting with online banking portals.
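As an added example (not WatchGuard's or ESET's code), the following Python parses the 20-byte STUN header that every ICE Binding exchange starts with and flags Binding traffic from processes outside an assumed allowlist of conferencing clients, which is one practical way to separate legitimate WebRTC from the C2 channel described above; the allowlist, process names and datagrams are constructed assumptions.

```python
import struct
from dataclasses import dataclass

STUN_MAGIC_COOKIE = 0x2112A442   # fixed value from RFC 5389
BINDING_METHOD = 0x001           # the STUN Binding method used by ICE connectivity checks

# Assumption: processes this organisation permits to talk WebRTC/STUN.
WEBRTC_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "zoom.exe"}

@dataclass
class Flow:                      # one outbound UDP datagram with its originating process
    process: str
    dst_ip: str
    dst_port: int
    payload: bytes

def parse_stun(payload: bytes):
    """Return (method, class_name, transaction_id_hex) for a valid STUN header, else None."""
    if len(payload) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits must be zero, the cookie must match and the body length must be a multiple of 4.
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE or msg_len % 4 or len(payload) < 20 + msg_len:
        return None
    # RFC 5389 spreads the 12 method bits around the two class bits C1 (bit 8) and C0 (bit 4).
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    cls_name = {0: "request", 1: "indication", 2: "success", 3: "error"}[cls]
    return method, cls_name, payload[8:20].hex()

def find_unauthorised_stun(flows):
    """STUN Binding datagrams sent by processes that are not on the allowlist."""
    hits = []
    for f in flows:
        parsed = parse_stun(f.payload)
        if parsed and parsed[0] == BINDING_METHOD and f.process.lower() not in WEBRTC_ALLOWLIST:
            hits.append((f.process, f.dst_ip, f.dst_port, parsed[1], parsed[2]))
    return hits

def _stun(msg_type, txid):       # build a STUN message with an empty body
    return struct.pack("!HHI", msg_type, 0, STUN_MAGIC_COOKIE) + txid

SAMPLE_FLOWS = [                 # constructed datagrams, not captured traffic
    Flow("chrome.exe", "203.0.113.10", 3478, _stun(0x0001, b"\x01" * 12)),   # browser Binding Request
    Flow("updater.exe", "203.0.113.20", 3478, _stun(0x0001, b"\x02" * 12)),  # non-conferencing process
    Flow("updater.exe", "203.0.113.20", 49152, _stun(0x0101, b"\x02" * 12)), # Binding Success Response
    Flow("svchost.exe", "203.0.113.30", 53, bytes.fromhex("1234010000010000") + bytes(12)),  # DNS-like, not STUN
]

if __name__ == "__main__":
    for hit in find_unauthorised_stun(SAMPLE_FLOWS):
        print("STUN Binding %s from %s -> %s:%d txid=%s" % (hit[3], hit[0], hit[1], hit[2], hit[4]))
```

In production the process-to-datagram attribution would come from an EDR or host firewall log rather than a constructed list; the header check itself is unchanged.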
BTMOB RAT version 4.5.5, the latest observed version as of May 2026, targets Android 7.0 and newer devices. Following installation, the malware aggressively requests Android Accessibility Service permissions. Once granted, it gains the ability to read screen content, inject touch and keystroke events, bypass security controls, and automate interactions with banking applications without the victim’s knowledge.
ESET confirmed capabilities including device unlocking, real-time screenshot collection, keystroke logging, credential theft through HTML overlays injected into banking applications, and complete remote control of compromised devices. The malware includes a built-in APK builder that enables subscribers to generate customized malicious Android packages and localized phishing lures without requiring programming knowledge, significantly lowering the barrier to entry for cybercriminals.
The technical details of both campaigns are discussed below.
Delivery and Infection Chain:
Both campaigns rely heavily on social engineering techniques tailored to their respective platforms. The delivery mechanisms exploit user trust in legitimate communications and applications to initiate compromise.
The infection chain was identified as follows:
Technical Capabilities:
Grandoreiro demonstrates advanced command-and-control evasion capabilities through its use of Web Real-Time Communication, Session Traversal Utilities for NAT, and Interactive Connectivity Establishment protocols. By disguising malicious communications as legitimate conferencing traffic, the malware significantly reduces the effectiveness of traditional firewall and network monitoring controls that do not perform deep packet inspection.
Its DLL side-loading functionality enables execution within trusted application processes, reducing the likelihood of detection by Endpoint Detection and Response platforms. According to ESET, Grandoreiro now targets financial institutions across 45 countries, reflecting a substantial expansion beyond its historical focus on Latin America and Southern Europe.
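As an added example (not ESET's or WatchGuard's code), the following Python applies two side-loading heuristics to Sysmon Event ID 7 (ImageLoaded) records of the kind the advisory recommends monitoring: a DLL with a well-known System32 name loaded from outside the Windows directory, and an unsigned DLL loaded from the host executable's own user-writable folder; the DLL-name set, path fragments and event records are constructed assumptions, since the page does not name the DLL Grandoreiro abuses.

```python
from pathlib import PureWindowsPath

# Assumption: path fragments an unprivileged user can write into.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")
# Assumption: a few DLL names that normally resolve from System32; loaded from
# elsewhere they are classic side-loading candidates (illustrative set only).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll"}

def side_loading_findings(event):
    """Reasons a Sysmon Event ID 7 (ImageLoaded) record looks like DLL side-loading.
    Uses the Sysmon fields Image (host process), ImageLoaded (the DLL) and Signed."""
    host_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    unsigned = event.get("Signed", "false").lower() != "true"
    reasons = []
    if dll.name.lower() in SYSTEM_DLL_NAMES and "\\windows\\" not in dll_dir + "\\":
        reasons.append("system DLL name loaded from outside the Windows directory")
    if unsigned and dll_dir == host_dir and any(m in dll_dir + "\\" for m in USER_WRITABLE):
        reasons.append("unsigned DLL loaded from the host process's own user-writable directory")
    return reasons

def scan(events):
    """(ImageLoaded path, reasons) for every event that triggers at least one heuristic."""
    return [(e["ImageLoaded"], r) for e in events if (r := side_loading_findings(e))]

SAMPLE_EVENTS = [  # constructed records, not from a real incident
    {"Image": r"C:\Users\ana\AppData\Local\Temp\Pkg\viewer.exe",          # legitimate-looking host
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\Pkg\version.dll",   # dropped beside it
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",                   # normal resolution
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\ana\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\helper.dll",                  # unsigned sibling DLL
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

Both heuristics produce false positives for portable applications that ship their own unsigned DLLs, so in practice the findings feed a triage queue rather than a blocking rule.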
BTMOB RAT employs a modular architecture supported by an integrated APK builder that allows threat actors to rapidly generate customized malicious applications without technical expertise. Offered under a Malware-as-a-Service model, the platform follows the operational approach previously observed in threats such as CraxsRAT and CypherRAT.
The threat actor EVLF actively promotes and updates the malware through social media platforms, regularly enhancing functionality and compatibility. Version 4.5.5 includes improved APK protection mechanisms and enhanced compatibility with modern Android security controls, including Google Play protections.
Combined, these capabilities provide attackers with extensive credential theft, remote administration, banking fraud, surveillance, and device control functionality across both desktop and mobile environments.
Attribution and Evolution:
Grandoreiro has remained active since 2016, making it one of the most persistent banking trojans observed in the threat landscape. Although multiple operators were arrested during a coordinated Europol and Interpol operation in January 2024, the malware continues to evolve due to its modular architecture and Malware-as-a-Service operating model.
The current campaign demonstrates a continued shift toward stealthier execution techniques, including DLL side-loading and advanced communication channels.
BTMOB RAT is attributed to the threat actor EVLF, who has also been associated with CraxsRAT operations since 2021. The evolution of BTMOB reflects the broader trend of democratized cybercrime capabilities, where sophisticated malware frameworks are packaged and sold to a wide range of financially motivated actors through subscription-based models.
Active Campaign and Geographic Spread:
Grandoreiro has been observed targeting financial institutions across Spain, Portugal, and Mexico. Confirmed targets include Abanca, Banco de Portugal, BBVA Portugal, Caixa Geral de Depósitos, Santander, Revolut, and Wise.
BTMOB RAT primarily targets Android users in Brazil but possesses global expansion capabilities through its customizable APK builder, which enables operators to rapidly localize phishing lures and malicious applications for any region.
From a MENA perspective, organizations operating in the UAE and Gulf Cooperation Council countries remain exposed due to banking relationships with European institutions, employee access to international banking services, and widespread use of Android devices for corporate and personal banking activities.
The ability to rapidly generate region-specific lures means threat actors can easily create campaigns targeting UAE banking customers and financial applications with minimal effort, effectively reducing the barrier to conducting localized attacks throughout the region.
Conclusion:
Grandoreiro and BTMOB demonstrate the growing convergence of financial malware targeting both enterprise Windows environments and Android mobile devices. While Grandoreiro focuses on banking session hijacking and credential theft through browser injection techniques, BTMOB leverages Accessibility Services to achieve near-complete control of Android devices and banking applications.
The campaigns illustrate how financially motivated threat actors continue to adopt advanced evasion techniques, trusted software abuse, and Malware-as-a-Service business models to expand their reach and operational effectiveness.
Organizations should strengthen endpoint detection capabilities, monitor for DLL side-loading activity, restrict unauthorized Web Real-Time Communication traffic, enforce mobile device management controls, and closely monitor Accessibility Service usage on managed Android devices to reduce exposure to these evolving threats.
Successful Grandoreiro infections enable attackers to perform real-time banking credential theft, session hijacking, one-time password interception, and unauthorized transaction execution through compromised banking sessions. Victims may experience direct financial losses, account compromise, and unauthorized access to sensitive financial information.
A successful BTMOB infection provides attackers with full remote control over the Android device, including access to banking credentials, session cookies, Short Message Service-based authentication codes, screen content, keystrokes, and application activity. This level of access enables comprehensive financial fraud, identity theft, and surveillance activities.
For organizations operating in the UAE and wider MENA region, compromise of business banking credentials, customer financial data, or personally identifiable information may trigger regulatory obligations under applicable data protection frameworks, including UAE Personal Data Protection Law requirements. Financial losses resulting from fraudulent transactions represent the most immediate and significant business impact associated with both campaigns.
https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/