Coordinated Banking Trojan Campaign Targets Latin America and Europe with Grandoreiro and BTMOB RAT
Two coordinated banking trojan campaigns deliver Grandoreiro malware to Windows systems and BTMOB RAT to Android devices across Spain, Portugal, Mexico, and Brazil. The targeting of financial institutions and mobile users suggests organised cybercriminal activity with cross-platform capabilities.
Affected
WatchGuard and ESET have documented an active campaign distributing banking trojans across both Windows and Android platforms, with geographic focus on Latin America and Europe. The use of two distinct malware families (Grandoreiro for Windows, BTMOB RAT for Android) indicates coordinated threat actors with platform-specific development capacity and understanding of regional financial infrastructure.
Grandoreiro is a known banking trojan family historically associated with Latin American financial fraud; its redeployment alongside BTMOB suggests the threat actors are consolidating their operational infrastructure. BTMOB RAT capabilities on Android are particularly concerning because mobile banking remains a significant vector for credential theft in the affected regions, and the personal Android devices typically used for banking rarely carry the EDR and application-control coverage of a managed Windows endpoint, while the platform still permits installation of apps from outside the official store.
The targeting pattern indicates reconnaissance against specific financial entities rather than mass opportunistic distribution. Companies in Spain and Portugal plausibly represent higher-value targets operating under stricter regulatory requirements, whilst Mexican and Brazilian operations likely focus on volume-based fraud given the prevalence of mobile banking in those markets. The dual-platform approach suggests the actors are building profiles of target organisations that cover both the corporate workstation and the employee's mobile device.
Defenders in affected jurisdictions should monitor for Grandoreiro detections and for BTMOB command-and-control traffic, using vendor-published indicators where available. Financial institutions must enforce multi-factor authentication that does not rely on SMS, strengthen endpoint detection and response (EDR) telemetry collection, and conduct staff security awareness on banking trojan distribution vectors (the malware typically arrives via phishing or malicious downloads). Mobile device management (MDM) policies should enforce application allowlisting (only approved apps may run) and block installation from unknown sources on Android devices used by staff with banking access.
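As an added example of the sideloading check the paragraph above recommends, and not code from WatchGuard, ESET, or the original article, the script below parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and flags any package not installed by the Play Store. The sample output is constructed, the package names are fictitious, and treating the Play Store as the only trusted installer is an assumption that an organisation with an OEM or enterprise app store would need to extend.

```python
"""Flag sideloaded third-party Android packages from `pm list packages -3 -i` output.

Added illustration, not taken from the WatchGuard/ESET reporting. Only the Play
Store is treated as a trusted installer here (assumption; extend TRUSTED_INSTALLERS
for fleets that use an OEM or enterprise app store).
"""
import re
from typing import Dict, List, NamedTuple

# Installer package names accepted as legitimate app sources.
# com.android.vending is the Google Play Store.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` output.
# `-3` restricts the listing to third-party (non-system) packages, so an
# installer of `null` means the app arrived via adb or another non-store path.
SAMPLE_PM_OUTPUT = """\
package:com.example.bankapp  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.example.update  installer=null
package:com.example.apkmirror.app  installer=com.android.packageinstaller
"""

# One line per package: "package:<name>  installer=<installer or null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


class Finding(NamedTuple):
    package: str
    installer: str


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map each listed package to its installer string; skip unparseable lines."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            result[match.group("pkg")] = match.group("inst")
    return result


def sideloaded_packages(text: str) -> List[Finding]:
    """Return packages whose installer is not in TRUSTED_INSTALLERS, in listing order."""
    return [
        Finding(pkg, inst)
        for pkg, inst in parse_pm_output(text).items()
        if inst not in TRUSTED_INSTALLERS
    ]


def report(text: str) -> str:
    """Human-readable summary suitable for an MDM compliance ticket."""
    findings = sideloaded_packages(text)
    if not findings:
        return "no sideloaded third-party packages found"
    lines = [f"{len(findings)} sideloaded package(s):"]
    lines += [f"  {f.package}  (installer={f.installer})" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PM_OUTPUT))
```

On a real device the input comes from `adb shell pm list packages -3 -i`; a non-empty finding list on a device with banking access is a policy violation to act on, and an installer of `null` on a third-party package is the typical signature of an APK pushed over adb.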
This campaign demonstrates the maturation of regional cybercriminal operations that now field cross-platform capabilities and operational discipline. The geographic clustering suggests actors with established distribution networks in these regions rather than opportunistic attackers, which points to sustained rather than one-off activity.
Sources