Grandoreiro and BTMOB RAT: Two Parallel Malware Campaigns Targeting Windows and Android

While the security community continues to monitor the rise of emerging threats, two entirely separate malware campaigns have been running in parallel, targeting both Windows and Android users across Latin America and Europe. On one side is Grandoreiro — a veteran banking trojan that has been active since 2016 and continues to evolve its techniques — and on the other is BTMOB RAT, a next-generation Android Remote Access Trojan sold under a Malware-as-a-Service model complete with a zero-code APK builder interface. The two threats originate from separate reports by WatchGuard and ESET respectively, but together they illustrate a clear trend: cybercriminals are becoming increasingly skilled at hiding within the traffic and services that organizations already trust.
Grandoreiro — The Banking Trojan That Refuses to Die
History and Alarming Persistence
Grandoreiro is not a new name in the threat intelligence community. This banking malware has been operating continuously since 2016 and is capable of stealing credentials linked to thousands of financial institutions across 45 countries and territories. What is more notable than its age, however, is its adaptability. Despite Brazilian authorities attempting to dismantle Grandoreiro's infrastructure in early 2024, the campaign continued to expand its targeting scope and integrate new anti-analysis mechanisms such as CAPTCHA verification.
The latest version identified by WatchGuard continues to be distributed via classic phishing emails — victims receive messages containing malicious links disguised as important notifications, are lured into clicking them, and from that point the infection chain begins. This is evidence that even an attack vector that has existed for decades remains effective when combined with newer techniques at later stages of the chain.
DLL Side-Loading and WebRTC Traffic Camouflage
The most technically noteworthy aspect of the latest campaign is its use of DLL Side-Loading, a technique in which a legitimate (typically signed) executable is tricked into loading an attacker-supplied DLL placed in its search path, so the malicious code runs under a trusted process name. According to WatchGuard, this campaign abuses four different software applications through this method. Two DLLs in particular stand out: mingwm10.dll and libwebp.dll, both of which embed the sgcWebSockets library — a WebSocket and real-time communication framework — to establish P2P and WebRTC communication channels with the attacker's C2 infrastructure.
The use of WebRTC is not accidental. According to WatchGuard's analysis, WebRTC traffic is inherently "noisy" and difficult to monitor because it underpins most popular video conferencing applications such as Google Meet, Zoom, and Microsoft Teams. By deliberately hiding C2 traffic within the exact type of traffic that most organizations have already whitelisted or least scrutinize in their network monitoring systems, the attackers significantly reduce their risk of detection.
The other two DLLs — libffi-6.dll and libpng15.dll — use the ICE (Interactive Connectivity Establishment) protocol instead of STUN to achieve the same goal of establishing P2P connections across NAT boundaries. These files hardcode references to a list of banks and financial institutions operating in Portugal, including Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, Santander, Revolut, and Wise — indicating this is a highly targeted campaign rather than an indiscriminate mass attack.
Second Campaign Variant: VBScript, Mediafire, and Fake Adobe Reader
WatchGuard also identified a parallel Grandoreiro campaign using a different delivery vector. The phishing emails in this variant direct victims to a ZIP file hosted on Mediafire — a legitimate cloud storage service, which helps bypass URL filtering systems. Inside the ZIP is a heavily obfuscated Visual Basic Script (VBS) that launches an executable impersonating an Adobe Reader update notification and prompting the user to click a confirmation button.
Once the victim clicks, a series of anti-analysis and anti-sandbox checks are triggered before the final payload is deployed to steal banking credentials and other sensitive data. WatchGuard confirmed that several tactics in this campaign overlap with a previous Grandoreiro campaign that Kaspersky analyzed in detail in October 2024.
BTMOB RAT — A Next-Generation Android Weapon via MaaS
Origin and Attack Capabilities
While Grandoreiro targets Windows, a separate threat is aimed squarely at Android devices. BTMOB RAT was first documented in February 2025 and is considered the successor to earlier malware families including CraxsRAT, CypherRAT, and SpySolr. Unlike traditional banking trojans that focus narrowly on financial credentials, BTMOB gives attackers comprehensive control over the victim's device through a broad capability set:
- Remote device unlock without any user interaction
- Screen capture and real-time activity recording
- Keylogging — recording all keyboard input
- HTML Injection — automatically overlaying fake forms at the exact moment a targeted application is opened, stealing credentials in context
- Full remote device takeover
- Alipay PIN harvesting — a capability added in a subsequent update
MaaS Distribution Model and Zero-Code APK Builder
What truly defines BTMOB's danger is not just its technical capabilities but how it is commercialized. BTMOB is sold by a threat actor operating under the name EVLF (alias @craxso) through a Malware-as-a-Service model at multiple pricing tiers: $700/month, $1,200 lifetime license, or $7,000 for the full C2 server source code for customers who wish to self-host their own infrastructure.
Included in the offering is an APK builder interface — a graphical tool that allows buyers to generate new payloads and customize phishing lures for specific geographic regions without writing a single line of code. This means the barrier to entry for cybercriminals with no technical background has dropped to an extremely low level — anyone willing to pay can deploy a fully functional Android RAT campaign in a very short time.
As of May 2026, BTMOB has been updated to version 4.5.5, with a focus on strengthening APK protection and ensuring compatibility with the latest Google Play security updates. An X account believed to be associated with the malware's author posted on May 1, 2026: "This update focuses on speed and stability. We have expanded infrastructure and refined the builder to help you stay ahead of the latest mobile security patches."
Infection Mechanism and Accessibility Services Abuse
BTMOB's infection chain begins with familiar social engineering: victims receive links to fake websites impersonating streaming services, cryptocurrency mining platforms, or other popular online services. From there, they are directed to "fake app stores" mimicking the Google Play Store interface, convincing them to install a malicious APK file.
Once installed, BTMOB immediately requests access to Android Accessibility Services, a legitimate mechanism designed to assist users with disabilities but also the feature most frequently abused by Android malware, because it allows an application to observe and interact with the entire system UI. Once the Accessibility Services permission is granted, BTMOB self-grants additional system permissions without requiring any further interaction from the user, at which point the device is effectively under full attacker control.
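An added example (not ESET's code) of the allowlist check behind treating any new Accessibility Service grant as anomalous: it parses the value a script or MDM agent obtains from `adb shell settings get secure enabled_accessibility_services` and reports every enabled service whose package is not approved. The approved package set, the sample output and the package and service names are constructed; retrieving the value over adb is an assumption about the deployment.

```python
# Packages whose accessibility services the organisation has approved
# (constructed example allowlist; TalkBack is Android's stock screen reader).
APPROVED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}

def parse_enabled_services(raw):
    """Parse the value of `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of ComponentNames. Android accepts the
    abbreviated `pkg/.Class` form, and prints `null` when nothing was ever set.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    components = []
    for comp in raw.split(":"):
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):          # expand pkg/.Class to pkg/pkg.Class
            cls = pkg + cls
        components.append((pkg, cls))
    return components

def unapproved_services(raw, approved=APPROVED_A11Y_PACKAGES):
    """Full component names of enabled services whose package is not approved."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(raw)
            if pkg not in approved]

# Constructed device output, not from a real handset.
SAMPLE_OUTPUT = ("com.google.android.marvin.talkback/"
                 "com.google.android.marvin.talkback.TalkBackService:"
                 "com.streamplus.app/.A11yService")
```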
Leak Risk and the Secondary Market Threat
In January 2026, a dark web forum claimed to offer BTMOB-related files for free download. The forum subsequently went offline and ESET was unable to collect specific payloads from this event. However, in December 2025, Italian cybersecurity firm D3Lab published an analysis of a leaked BTMOB development toolkit, confirming that it included the Android payload source code, dropper, builder environment, Windows operator panel, C2 backend, and all necessary software dependencies required to deploy the full platform.
This introduces a serious risk that ESET describes as "secondary market risk" — even if the original author maintains strict control over license sales, once source code has been leaked, it can circulate through multiple channels: resale, trading in private groups, or forking into new copycat variants. The history of CraxsRAT and SpySolr — BTMOB's predecessor malware families — demonstrates that this is a familiar cycle within the MaaS ecosystem.
Strategic Analysis and Defensive Implications
The "Hiding in Trusted Traffic" Trend
From a strategic analysis perspective, the most notable common thread between these two entirely different campaigns is a shared attack philosophy: hiding within what is already trusted. Grandoreiro uses WebRTC and web conferencing traffic to camouflage its C2 communications. BTMOB abuses Accessibility Services — a legitimate OS feature — to escalate privileges. Both leverage legitimate cloud services (Mediafire for hosting, Telegram for MaaS distribution) to avoid being blocked by domain reputation-based classification systems.
WatchGuard summarized it precisely: "The larger story here isn't just that Grandoreiro is still active. It's that financially motivated threat groups continue to adapt quickly, reuse legitimate services, and hide within traffic patterns that many organizations may have already trusted."
Defensive Recommendations
For SOC and Blue Team practitioners, these two campaigns offer several practical detection and mitigation directions:
- Monitor DLL Side-Loading: Build detection rules for legitimate processes loading DLLs from unusual paths or DLLs not present in a known signed-binary inventory.
- Analyze WebRTC/STUN traffic: Establish a behavioral baseline for legitimate WebRTC traffic within the organization and alert when STUN/ICE connections originate from processes unrelated to approved conferencing applications.
- APK installation policy: In enterprise environments, enforce that users only install applications from the official Google Play Store and disable the permission to install APKs from unknown sources.
- Monitor Accessibility Services requests: Configure alerts to trigger immediately when a newly installed application requests Accessibility Services — this is extremely anomalous behavior for any legitimate standard application.
- MaaS threat intelligence: Monitor Telegram channels, X accounts, and underground forums where BTMOB and its variants are advertised, in order to collect updated IOCs before new campaigns are deployed.
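The WebRTC/STUN recommendation above, as an added example that is not part of WatchGuard's report: a minimal STUN header and attribute parser (RFC 5389) applied to constructed UDP payloads, alerting when a STUN message comes from a process outside an approved conferencing set. ICE connectivity checks are themselves STUN Binding requests carrying ICE-specific attributes (RFC 8445), so the same check covers both variants described in the article. Process names, the approved set and the TEST-NET destinations are constructed.

```python
import struct

STUN_MAGIC = 0x2112A442
STUN_TYPES = {0x0001: "binding-request", 0x0101: "binding-success", 0x0111: "binding-error"}
# Attributes that only appear in ICE connectivity checks (RFC 8445):
# PRIORITY, USE-CANDIDATE, ICE-CONTROLLED, ICE-CONTROLLING.
ICE_ATTRS = {0x0024, 0x0025, 0x8029, 0x802A}

def stun_attribute_types(body):
    """Walk the TLV attribute list; values are padded to a 4-byte boundary."""
    types, off = [], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        types.append(atype)
        off += 4 + ((alen + 3) & ~3)
    return types

def parse_stun(payload):
    """Return {'type', 'ice', 'txid'} for a well-formed STUN message, else None."""
    if len(payload) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", payload[:8])
    # RFC 5389: top two bits zero, magic cookie present, length a multiple of 4.
    if mtype & 0xC000 or cookie != STUN_MAGIC or mlen % 4 or len(payload) < 20 + mlen:
        return None
    attrs = stun_attribute_types(payload[20:20 + mlen])
    return {"type": STUN_TYPES.get(mtype, f"0x{mtype:04x}"),
            "ice": any(a in ICE_ATTRS for a in attrs), "txid": payload[8:20].hex()}

def stun_alerts(flows, approved):
    """flows: (process image name, destination, UDP payload).
    Alert on STUN/ICE from any process outside the approved conferencing set."""
    alerts = []
    for proc, dst, payload in flows:
        msg = parse_stun(payload)
        if msg and proc.lower() not in approved:
            alerts.append((proc, dst, msg["type"], msg["ice"]))
    return alerts

# Constructed packets and flows (TEST-NET addresses), not captured traffic.
TXID = bytes(range(12))
BINDING_REQ = struct.pack("!HHI", 0x0001, 0, STUN_MAGIC) + TXID
ICE_CHECK = struct.pack("!HHI", 0x0001, 8, STUN_MAGIC) + TXID + struct.pack("!HHI", 0x0024, 4, 0x6E0001FF)
DNS_LIKE = bytes.fromhex("1a2b01000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
APPROVED = {"teams.exe", "zoom.exe", "chrome.exe"}
FLOWS = [
    ("Teams.exe", "203.0.113.10:3478", BINDING_REQ),
    ("reader_update.exe", "198.51.100.7:3478", ICE_CHECK),
    ("svchost.exe", "198.51.100.53:53", DNS_LIKE),
]
```

In production the process-to-flow attribution comes from endpoint telemetry (Sysmon Event ID 3 or an EDR), and the approved set should be maintained alongside the organisation's conferencing baseline.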
IOCs
Grandoreiro — Windows Campaign
| IOC Type | Value | Notes |
|---|---|---|
| Defining technique | DLL Side-Loading via 4 software applications | Uses both STUN and ICE protocols |
| Malicious DLLs | mingwm10.dll, libwebp.dll | Embed sgcWebSockets library for WebRTC/P2P C2 |
| Additional DLLs | libffi-6.dll, libpng15.dll | Use ICE protocol; hardcode Portuguese bank names |
| Distribution hosting | Mediafire (cloud storage) | Used to bypass URL reputation filters |
| Attachment type | ZIP containing obfuscated VBScript | Disguised as Adobe Reader update notification |
| Targeted banks | Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, Santander, Revolut, Wise | Hardcoded in DLLs of the Portuguese-focused campaign |
| Payload language | Delphi 11 | Common in Latin America-targeting malware |
BTMOB RAT — Android Campaign
| IOC Type | Value | Notes |
|---|---|---|
| ESET detection names | MSIL/BtmobRat, Android/Spy.Agent.EED, Android/Spy.Agent.EIJ, Android/Spy.Agent.EIK | Official ESET detection identifiers |
| Threat actor | EVLF / @craxso | BTMOB RAT seller; advertises via Telegram and X |
| Current version | BTMOB v4.5.5 (May 2026) | Focused on APK protection and Google Play compatibility |
| Pricing | $700/month, $1,200 lifetime, $7,000 full source | Multi-tier MaaS model |
| C2 infrastructure | arbsniper.com | Domain associated with BTMOB infrastructure |
| Associated IP addresses | 178.156.177.192, 191.101.131.250, 195.160.221.203, 104.21.64.137 | Partial list from ESET's IOC report |
| Primary target regions | Brazil, Latin America, Argentina | Campaigns impersonate Argentine tax and customs authorities |
| Infection method | Fake streaming/crypto app → Fake Google Play → Malicious APK | Complete end-to-end phishing chain |
| Privilege escalation mechanism | Android Accessibility Services abuse | Self-grants additional system permissions without user interaction |
| Predecessor families | CraxsRAT, CypherRAT, SpySolr | BTMOB is the successor to these malware families |





