Grandoreiro Malware Campaign Targets Portuguese Banks And Latin American Businesses


Grandoreiro, one of the most active banking trojans operating globally since 2016, has resurfaced through fresh cyber campaigns targeting Portuguese banking institutions and businesses across Spain, Mexico, and several Latin American countries. Despite multiple law enforcement actions over recent years, including operations conducted by INTERPOL and regional authorities in Spain, Brazil, and Argentina during 2021 and 2024, the malware operation has remained active. Security researchers say only portions of the criminal infrastructure were disrupted, while remaining operators have continued launching attacks. Recent findings indicate that Grandoreiro remains highly organized, with attackers relying on phishing tactics and trusted cloud services to disguise malicious activity and maintain access to victim systems.

Researchers at WatchGuard reported detecting two active Grandoreiro campaigns that use different infection techniques but share the same objective of stealing banking credentials and compromising systems. One campaign relies on DLL side-loading, where malicious dynamic link library files are disguised as legitimate software components to avoid detection. Security researchers identified four malicious DLL files, namely libwebp.dll, mingw10.dll, libffi 6.dll, and libpng15.dll, all designed to imitate trusted software libraries. Built using Delphi 11, the malicious files include SGC WebSockets components associated with WebRTC technology, allowing attackers to disguise malicious communication as legitimate conferencing or network traffic. The malware connects to cloud platforms such as Google Cloud, Microsoft Azure, and Amazon Web Services using communication protocols like MQTT and cloud messaging systems, blending malicious activity into routine enterprise traffic. Researchers stated that phishing links act as the initial infection vector, redirecting victims to Dropbox-hosted ZIP files containing the malicious payloads. By abusing trusted cloud services and file-sharing platforms, attackers increase the likelihood of bypassing traditional security filters and delaying detection.

The malware also contains several anti-analysis and evasion capabilities designed to avoid exposure during investigation or endpoint scanning. According to researchers, Grandoreiro checks for virtual environments, security tools, debugging software, and system configurations commonly used by analysts before executing its full malicious behavior. Investigators discovered that the malware searches for specific computer names and directory structures often associated with testing environments. It can also force browsers into kiosk mode, restricting user interaction to a fullscreen interface and limiting attempts to interrupt activity. Researchers additionally noted the presence of Chinese language strings embedded within portions of the code, though no attribution has been publicly confirmed. Beyond the DLL-based operation, a second campaign identified by WatchGuard involves malicious VBS scripts distributed through geofenced phishing websites hosted on Contabo servers. These fake websites selectively display malicious content only to users in targeted geographic locations, making detection more difficult for researchers and automated scanners.

In the VBS-based attacks, victims are directed to malicious MediaFire downloads containing heavily obfuscated scripts that install Grandoreiro onto infected systems. Once active, the malware displays a fake Adobe Reader update message to distract users while conducting system checks in the background. Researchers said the malware uses public IP lookup services to verify a victim's geographic location and confirm the device is not running inside a research environment before activating. Once deployed, Grandoreiro is capable of stealing credentials, monitoring clipboard activity, logging keystrokes, and displaying fake banking interfaces to capture login information. WatchGuard warned that organizations relying solely on basic email filtering and endpoint protection may struggle to identify such attacks because of their use of trusted infrastructure and stealth techniques. Security experts emphasized the importance of layered visibility, behavioral detection, and continuous monitoring across users, endpoints, and cloud environments to reduce the risk posed by increasingly adaptive banking malware campaigns.
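Two behaviours from the preceding paragraphs are cheap to hunt for on the endpoint: a script host querying a public IP lookup service (the geolocation check before activation) and a script host launching a browser in kiosk mode. The code below is an added example for this article, not WatchGuard's detection content, and it assumes Sysmon-style process-creation (Event ID 1) and DNS-query (Event ID 22) records. The list of IP lookup domains is an assumption of well-known services, not a list taken from the article, and the sample events are constructed.

```python
"""Flag script-host behaviours described in the article: IP-lookup queries and kiosk-mode browser launches.

Added example, not code from WatchGuard or from the malware. Assumes Sysmon
Event ID 1 (process create) and Event ID 22 (DNS query) style dicts; the
domain list and SAMPLE_EVENTS are constructed assumptions.
"""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed example set of public IP lookup services; the article names none.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ip-api.com", "ifconfig.me", "ipinfo.io"}


def proc_name(path: str) -> str:
    """Lower-case executable name from a Windows path (empty string if missing)."""
    return ntpath.basename(path or "").lower()


def check_event(ev: dict) -> list[str]:
    """Return human-readable findings for one telemetry record (empty if nothing matched)."""
    findings = []
    image = proc_name(ev.get("Image"))
    parent = proc_name(ev.get("ParentImage"))

    # Rule 1: a script host resolving a public IP lookup service.
    if ev.get("EventID") == 22 and image in SCRIPT_HOSTS:
        query = ev.get("QueryName", "").lower().rstrip(".")
        if query in IP_LOOKUP_DOMAINS:
            findings.append(f"{image} queried public IP lookup service {query}")

    # Rule 2: a script host starting a browser with a kiosk flag.
    if ev.get("EventID") == 1 and image in BROWSERS and parent in SCRIPT_HOSTS:
        if "--kiosk" in ev.get("CommandLine", "").lower():
            findings.append(f"{parent} launched {image} in kiosk mode")

    return findings


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, findings) for every record that matched a rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := check_event(ev))]


# Constructed sample telemetry (URL is a placeholder, not an indicator from the article).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\System32\wscript.exe",
     "QueryName": "api.ipify.org"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "api.ipify.org"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": '"chrome.exe" --kiosk https://placeholder.invalid/'},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"chrome.exe"'},
]

if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS):
        print(f"event {idx}:", "; ".join(findings))
```

The browser-initiated lookup in the second record is deliberately not flagged: ordinary software also resolves these services, so the signal comes from the combination of a script host and the lookup, or of a script host and a kiosk-mode launch, rather than from the domain alone.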


