Grandoreiro banking trojan and BTMOB Android RAT hit Iberia and Latin America - DLL side-loading, WebRTC P2P, targets Wise and Revolut

WatchGuard and ESET have documented two parallel banking-malware campaigns hitting Windows and Android users across Iberia and Latin America. The Windows campaign delivers Grandoreiro - an actively evolving banking trojan operating since 2016 that targets thousands of institutions across 45 countries - via DLL side-loading of four legitimate applications, using Delphi 11-built DLLs that abuse the sgcWebSockets library for WebRTC peer-to-peer C2 over STUN and ICE protocols to blend with web-conferencing traffic. Named targets include Abanca, Banco de Portugal, BBVA PT, Caixa Geral, Santander, plus Revolut and Wise. A companion campaign delivers the BTMOB RAT to Android users in Brazil.

Check
Hunt Windows endpoints for DLL side-loading of mingwm10.dll, libwebp.dll, libffi-6.dll, or libpng15.dll. Inspect outbound WebRTC/STUN/ICE traffic to unexpected peers. Check for Delphi-built DLLs.
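The two hunts above, as an added worked example that is not code from WatchGuard, ESET, or the original article. It assumes image-load telemetry already parsed into dicts (Sysmon-style: loading image, loaded DLL path, signature status) and raw UDP payloads for the STUN check; the trusted install roots, the STUN allowlist, the process names and all sample telemetry are constructed placeholders to tune to your own estate.

```python
import struct

# DLL names the report lists as side-loaded by the Windows campaign.
SIDELOAD_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Directories where a legitimately installed copy normally lives
# (assumption: tune to your environment).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# STUN/TURN servers your sanctioned conferencing tools are expected to use
# (constructed placeholder address, not a real server).
STUN_ALLOWLIST = {"198.51.100.10"}

STUN_MAGIC_COOKIE = 0x2112A442  # fixed value from RFC 5389


def dll_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_load(event: dict) -> bool:
    """Flag a load of one of the named DLLs from outside a trusted install root,
    or one that is unsigned. event keys: image, image_loaded, signed."""
    loaded = event["image_loaded"].lower()
    if dll_name(loaded) not in SIDELOAD_DLLS:
        return False
    # A signed copy under a trusted install root is the expected, benign case.
    if loaded.startswith(TRUSTED_PREFIXES) and event.get("signed", False):
        return False
    return True


def is_stun_message(payload: bytes) -> bool:
    """True if payload starts with a well-formed RFC 5389 STUN header."""
    if len(payload) < 20:
        return False
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    return (
        (msg_type & 0xC000) == 0          # top two bits of the type are always zero
        and cookie == STUN_MAGIC_COOKIE
        and msg_len % 4 == 0              # attributes are padded to 4-byte multiples
        and len(payload) >= 20 + msg_len
    )


def is_unexpected_stun(flow: dict) -> bool:
    """Flag STUN traffic to a peer that is not a sanctioned STUN/TURN server.
    flow keys: process, dst_ip, payload."""
    return is_stun_message(flow["payload"]) and flow["dst_ip"] not in STUN_ALLOWLIST


def hunt(events, flows):
    """Run both checks and return the findings keyed by check name."""
    return {
        "sideload": [e for e in events if is_suspicious_load(e)],
        "stun": [f for f in flows if is_unexpected_stun(f)],
    }


# --- constructed sample telemetry (not taken from the report) ---
SAMPLE_EVENTS = [
    {"image": "C:\\Users\\ana\\Downloads\\Factura\\viewer.exe",
     "image_loaded": "C:\\Users\\ana\\Downloads\\Factura\\libwebp.dll", "signed": False},
    {"image": "C:\\Program Files\\ImageTool\\tool.exe",
     "image_loaded": "C:\\Program Files\\ImageTool\\libpng15.dll", "signed": True},
    {"image": "C:\\Program Files\\ImageTool\\tool.exe",
     "image_loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": True},
]

# A minimal STUN Binding Request: type 0x0001, zero-length body, magic cookie, 12-byte txn id.
STUN_BINDING_REQUEST = struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + b"\x00" * 12

SAMPLE_FLOWS = [
    {"process": "viewer.exe", "dst_ip": "203.0.113.7", "payload": STUN_BINDING_REQUEST},
    {"process": "meeting.exe", "dst_ip": "198.51.100.10", "payload": STUN_BINDING_REQUEST},
    {"process": "svchost.exe", "dst_ip": "203.0.113.53", "payload": b"\x12\x34\x01\x00" + b"\x00" * 8},
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_EVENTS, SAMPLE_FLOWS)
    for e in findings["sideload"]:
        print(f"[sideload] {e['image']} loaded {e['image_loaded']} signed={e['signed']}")
    for f in findings["stun"]:
        print(f"[stun] {f['process']} -> {f['dst_ip']} is not an allowlisted STUN/TURN server")
```

The DLL check deliberately treats a signed copy under a normal install root as benign and everything else as worth a look, because a side-loaded copy dropped next to a copied legitimate executable will sit in a user-writable directory. The STUN check only recognises the protocol; pairing it with the originating process and an allowlist of your conferencing providers' servers is what separates the campaign's peer-to-peer C2 from ordinary WebRTC calls.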
Affected
Banking customers and finance staff in Spain, Portugal, Mexico (Windows/Grandoreiro) and Brazil (Android/BTMOB). Named targets include Abanca, Santander, Banco de Portugal, Revolut, and Wise.
Fix
Apply WatchGuard and ESET IoCs. Block known C2 peers. Train finance staff against phishing links delivering ZIP archives. Deploy mobile threat defense on Android devices accessing banking apps.