The Grandoreiro malware—a long-standing banking trojan active since 2016—has returned with new campaigns targeting financial institutions and businesses across Europe and Latin America.
Recent threat intelligence reveals that attackers are focusing on Portuguese banks alongside organizations in Spain, Mexico, and other Latin American regions. Despite years of law enforcement crackdowns, including coordinated actions by INTERPOL, the threat actor ecosystem behind Grandoreiro remains active and evolving.
The latest campaigns highlight how resilient and adaptive banking malware has become, blending phishing, cloud infrastructure abuse, and stealth execution techniques to evade detection.
Key Details
Security researchers have identified two active Grandoreiro campaigns currently in circulation. Both rely heavily on phishing as the initial attack vector, using deceptive links to lure victims into downloading malicious payloads.
What makes these campaigns particularly concerning is their use of legitimate cloud platforms—including:
- Google Cloud
- Microsoft Azure
- Amazon Web Services (AWS)
By routing command-and-control (C2) communications through trusted infrastructure, attackers effectively hide malicious traffic within normal network activity, making detection far more difficult.
The campaigns also reveal a specific focus on financial institutions. The malware contains hardcoded references to over 20 Portuguese banks such as:
- Caixa Geral de Depósitos
- Millennium BCP
- Novobanco
- Santander
Additionally, digital banking platforms like Revolut and Wise are included in the targeting scope.
Technical Analysis
DLL Side-Loading Campaign
The first campaign uses DLL side-loading, a well-known technique in which a legitimate application is tricked into loading a malicious library in place of the dependency it expects, so the malware runs under the cover of a trusted process.
Four malicious DLL files have been observed:
- libwebp.dll
- mingw10.dll
- libffi-6.dll
- libpng15.dll
These files are disguised as legitimate dependencies and compiled using Delphi 11. They leverage WebRTC-based communication through SGC WebSockets, enabling network traffic to resemble legitimate real-time communication flows such as video calls.
Each DLL connects to a different cloud provider:
- Google Cloud Pub/Sub for data exchange
- Microsoft Azure using MQTT protocol
- Amazon cloud infrastructure using MQTT
This distributed architecture enhances resilience and complicates tracking.
The malware also incorporates advanced anti-analysis techniques, including:
- Detection of virtual machines and sandbox environments
- Identification of debugging tools and security software
- Checks for known analyst system artifacts
In some cases, the malware forces browsers into Kiosk Mode, locking users into a fullscreen environment to prevent interruption during execution.
VBS-Based Campaign
The second campaign uses a heavily obfuscated Visual Basic Script (VBS) as the delivery mechanism.
Victims are redirected to a fake webpage hosted on compromised or rented infrastructure, often geofenced to only display for users in specific countries.
Once executed, the VBS script:
- Downloads and installs the malware payload
- Displays a fake Adobe Reader update as a decoy
- Performs system checks using WMI to detect antivirus tools
- Queries IP-based geolocation services to validate the target
After validation, Grandoreiro activates its core functionality, which includes:
- Keystroke logging
- Clipboard monitoring
- Credential harvesting
- Banking session hijacking via fake overlays
Impact and Risks
The resurgence of Grandoreiro presents a serious financial and operational risk.
For Individuals:
- Theft of banking credentials
- Unauthorized financial transactions
- Exposure of personal and financial data
For Businesses:
- Compromise of corporate banking access
- Financial fraud and operational disruption
- Potential regulatory implications for data breaches
For Financial Institutions:
- Increased fraud activity
- Account takeover incidents
- Strain on fraud detection systems
The use of trusted cloud infrastructure significantly increases the difficulty of detecting these attacks, prolonging dwell time and increasing damage potential.
Expert Recommendations
To defend against Grandoreiro and similar banking trojans, organizations must adopt a multi-layered security approach.
For Individuals:
- Avoid clicking on unsolicited email links or attachments
- Verify download sources before opening files
- Enable multi-factor authentication (MFA) for banking services
- Keep browsers and endpoints updated
For Enterprises:
- Deploy advanced endpoint detection and response (EDR) solutions
- Monitor for abnormal cloud traffic patterns
- Implement behavior-based detection rules in SIEM systems
- Restrict execution of scripts such as VBS where not required
For Security Teams:
- Monitor known IoCs such as malicious domains, IPs, and DLL file names
- Inspect encrypted traffic for anomalies
- Strengthen phishing detection and user awareness programs
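As an added illustration of the side-loading and cloud-broker C2 pattern described under Technical Analysis and of the monitoring advice above (example code written for this article, not the researchers' tooling), the following Python correlates Sysmon-style image-load and network events: it flags a process that loaded one of the named DLLs from a user-writable path and then connected to an MQTT port or the Google Pub/Sub endpoint. The standard MQTT ports, the pubsub.googleapis.com host, the user-writable path markers and the sample events are assumptions.

```python
"""Correlate image-load and network events to flag DLL side-loading paired with
cloud-broker C2. Sample events are constructed (Sysmon Event 7/3 fields), not real."""
from collections import defaultdict

# DLL names reported for the side-loading campaign.
SUSPECT_DLLS = {"libwebp.dll", "mingw10.dll", "libffi-6.dll", "libpng15.dll"}
# Assumed path fragments from which a legitimate dependency is rarely loaded.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Assumed C2 transport indicators: standard MQTT ports and the Pub/Sub API host.
MQTT_PORTS = {1883, 8883}
PUBSUB_HOST = "pubsub.googleapis.com"

def is_suspect_load(ev):
    """True when one of the named DLLs is loaded from a user-writable path."""
    path = ev["loaded"].lower()
    return path.rsplit("\\", 1)[-1] in SUSPECT_DLLS and any(m in path for m in USER_WRITABLE)

def is_broker_connection(ev):
    """True for a connection to an MQTT port or to the Google Pub/Sub endpoint."""
    return ev["dest_port"] in MQTT_PORTS or ev["dest_host"].lower().endswith(PUBSUB_HOST)

def correlate(events):
    """One alert per broker connection made by a process that side-loaded a suspect DLL."""
    loads = defaultdict(list)
    for ev in events:  # pass 1: suspect loads per PID (independent of event order)
        if ev["event"] == "image_load" and is_suspect_load(ev):
            loads[ev["pid"]].append(ev["loaded"])
    alerts = []
    for ev in events:  # pass 2: broker traffic from those PIDs
        if ev["event"] == "network_connect" and ev["pid"] in loads and is_broker_connection(ev):
            alerts.append({"pid": ev["pid"], "image": ev["image"], "dlls": loads[ev["pid"]],
                           "dest": f'{ev["dest_host"]}:{ev["dest_port"]}'})
    return alerts

# Constructed sample events; 203.0.113.0/24 is a documentation address range.
TMP = "C:\\Users\\ana\\AppData\\Local\\Temp\\Setup\\"
PF = "C:\\Program Files\\Editor\\"
SAMPLE_EVENTS = [
    {"event": "image_load", "pid": 4120, "image": TMP + "installer.exe", "loaded": TMP + "libwebp.dll"},
    {"event": "network_connect", "pid": 4120, "image": TMP + "installer.exe", "dest_host": "203.0.113.10", "dest_port": 8883},
    {"event": "network_connect", "pid": 4120, "image": TMP + "installer.exe", "dest_host": "pubsub.googleapis.com", "dest_port": 443},
    # Same DLL name shipped by an installed application: the name alone must not alert.
    {"event": "image_load", "pid": 2200, "image": PF + "editor.exe", "loaded": PF + "libpng15.dll"},
    {"event": "network_connect", "pid": 2200, "image": PF + "editor.exe", "dest_host": "pubsub.googleapis.com", "dest_port": 443},
    # Broker traffic without a suspect load: not enough evidence on its own.
    {"event": "network_connect", "pid": 3300, "image": "C:\\Windows\\System32\\wscript.exe", "dest_host": "203.0.113.20", "dest_port": 1883},
]

if __name__ == "__main__":
    print(*correlate(SAMPLE_EVENTS), sep="\n")
```

Matching on the DLL names alone would flood analysts with hits from legitimate software that ships the same libraries, which is why the rule also requires an unusual load path and correlated broker traffic; comparing hashes or signatures against known-good copies would tighten it further.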
Industry Context
Grandoreiro is part of a broader wave of Latin American banking trojans, alongside malware families like Mekotio and Casbaneiro.
These threats have evolved from region-specific campaigns into global operations, increasingly targeting European markets.
A key shift is the adoption of living-off-the-land techniques and trusted infrastructure abuse, allowing attackers to bypass traditional perimeter defenses.
As financial services continue to digitize, banking trojans are becoming more modular, stealthy, and persistent—making them one of the most enduring threats in the cybercrime landscape.
Conclusion
The resurgence of Grandoreiro demonstrates that takedown operations alone are not enough to eliminate established cybercriminal networks.
By combining phishing, cloud-based evasion, and advanced malware techniques, attackers are maintaining pressure on banks and businesses across multiple regions.
As this threat continues to evolve, proactive detection, user awareness, and layered security defenses will be critical in mitigating financial cyber risks.
FAQ
What is Grandoreiro malware?
Grandoreiro is a banking trojan that steals financial credentials, monitors user activity, and enables fraud through account takeover.
How does Grandoreiro spread?
It primarily spreads via phishing emails and malicious links that lead to downloading infected files or scripts.
What is DLL side-loading in cyber attacks?
DLL side-loading is a technique where attackers load malicious DLL files through legitimate applications to execute malware.
Why do attackers use cloud platforms in malware campaigns?
Cloud platforms help attackers hide malicious traffic within normal network activity, making detection more difficult.
How can organizations detect Grandoreiro attacks?
Using behavioral analytics, endpoint monitoring, and threat intelligence integration helps identify suspicious activity linked to banking trojans.