Cybersecurity researchers have uncovered two ongoing malware operations aimed at Windows and Android users across Latin America and Europe. The activity appears to be linked to the Grandoreiro banking trojan and the BTMOB Android remote access trojan (RAT). In both cases the goal is the same: stealing financial information, credentials, and other sensitive user data, just delivered in different ways.
Researchers state that the Grandoreiro activity is reaching organizations and banking users in countries including Portugal, Spain, and Mexico. The malware reportedly leans heavily on phishing emails and DLL side-loading to evade detection and execute malicious code once a machine is compromised.
The attackers reportedly use legitimate software components and common communication libraries to mask malicious traffic, tucking it inside what looks like ordinary web conferencing activity and peer-to-peer communication patterns. Because of that blend, traditional security monitoring tools may struggle to spot it, since the malicious flow does not stand out from normal traffic.
Grandoreiro has reportedly remained active for years despite law enforcement pressure and infrastructure takedowns. More recent samples were seen using anti-analysis techniques, CAPTCHA verification, and cloud-hosted payload delivery, all intended to improve stealth and extend persistence on infected machines.
Meanwhile, researchers also flagged increased activity around BTMOB, an Android RAT that surfaced in 2025. The malware is built to remotely control infected devices, harvest banking credentials, capture screenshots, and record keystrokes. It also abuses Android accessibility services for deeper system access, which makes it harder to counter.
BTMOB is reportedly distributed through fake websites posing as streaming platforms, crypto services, and even counterfeit Google Play Store pages. Victims are lured into downloading malicious APKs, which then quietly install the malware on their devices.
Researchers have also noted that BTMOB is offered as malware-as-a-service, so even low-skilled cybercriminals can launch campaigns using prebuilt attack resources and APK builders. That lowers the threshold for mobile-focused cybercrime to get started quickly.
Taken together, these campaigns show how today's banking malware keeps becoming more discreet, more modular, and more commercially accessible. Attackers now combine phishing, cloud-based tooling, browser abuse, mobile malware, and remote access utilities into theft operations that are highly flexible and easy to adapt.
Cybersecurity groups like IntelligenceX keep stressing phishing awareness, mobile security, safer application habits, and ongoing threat monitoring, because as banking malware evolves it increasingly spreads across desktop and mobile environments at the same time.