Grandoreiro Malware Campaign Targets Portuguese Banks and Latin American Companies


Grandoreiro, a long-running banking trojan active since at least 2016, is back in new campaigns targeting banks in Portugal and companies across Spain, Portugal, Mexico, and Latin America. The latest activity uses phishing links, DLL side-loading, malicious VBS scripts, cloud services, and WebRTC-related traffic to hide banking malware inside activity that can look normal on business networks.

WatchGuard says its telemetry found two Grandoreiro-linked campaigns. One abuses four DLL files through side-loading, while the other uses an obfuscated VBS script to install the malware after victims visit a fake, geofenced page.

The threat matters because Grandoreiro has survived past law enforcement pressure. INTERPOL said Brazilian authorities arrested five administrators behind a Grandoreiro operation in January 2024, but recent research shows operators and related campaigns continue to evolve.

Grandoreiro Still Targets Banks Despite Previous Takedowns

Grandoreiro is designed to steal banking credentials and support financial fraud. Once installed, it can monitor user activity, capture keystrokes, watch the clipboard, display fake banking overlays, and help attackers interact with financial sessions from the victim’s machine.

IBM X-Force previously reported that newer Grandoreiro variants targeted more than 1,500 banking applications and websites in over 60 countries. That broader targeting shows why the latest activity in Portugal and Latin America should not be treated as an isolated regional campaign.

Past research from Kaspersky’s Securelist also described Grandoreiro as a fragmented threat with multiple versions, evolving operators, and new evasion tricks. That history helps explain why arrests and infrastructure disruption reduced some activity without ending the malware family.

How the Latest Grandoreiro Campaign Works

The first campaign uses DLL side-loading, a technique where attackers place malicious DLL files next to legitimate software so the trusted program loads the attacker’s code. In this case, the files include libwebp.dll, mingw10.dll, libffi-6.dll, and libpng15.dll.

According to WatchGuard’s analysis, the DLLs were built in Delphi and include WebRTC-related components. Some samples reference Google Cloud Pub/Sub, Microsoft Azure with MQTT, and Amazon services, allowing malicious traffic to blend into cloud and real-time communication patterns.

The use of anti-debugging techniques (Source – WatchGuard)

The second campaign relies on phishing links that send victims to a fake page hosted on abused Contabo infrastructure. That page points to a malicious file hosted on Mediafire. Once downloaded, an obfuscated VBS script runs and drops the malware while showing a fake Adobe Reader update message to distract the victim.

Key Techniques Used in the Campaign

| Technique | How it is used | Why it matters |
|---|---|---|
| Phishing links | Victims receive links that lead to malware delivery pages | Users may trust the link if it appears tied to a document or update |
| DLL side-loading | Malicious DLLs load through legitimate software | Security tools may miss the malicious code at first glance |
| Cloud service abuse | Attackers reference Google Cloud, Azure, Amazon, Dropbox, and Mediafire | Traffic can look like normal business or cloud activity |
| WebRTC-related traffic | Malware uses components tied to real-time communication | Defenders may struggle to separate malicious traffic from conferencing traffic |
| Anti-analysis checks | The malware checks for debuggers, sandboxes, tools, and security products | Researchers and automated scanners may see limited behavior |
| Fake banking overlays | Victims may see fake login prompts on top of real banking sessions | Attackers can steal credentials and session details |

Portuguese Banks and Financial Services Are in Scope

The DLL-side-loading campaign includes hardcoded references to financial institutions operating in Portugal. The list includes Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, Millennium, Novobanco, Santander, and others. Financial services such as Revolut and Wise also appear in the code.

This does not mean every named institution was breached. It means the malware contains logic or references that suggest customers or business users tied to these services may face targeted credential theft attempts.

IBM’s research found that Grandoreiro campaigns often begin with phishing emails impersonating trusted organizations, including government and utility-related entities. That fits the current pattern, where the initial infection still depends on social engineering rather than a direct system exploit.

Why Grandoreiro Is Harder to Detect

Grandoreiro operators keep improving their delivery methods. The current campaigns use trusted cloud and file-sharing platforms, fake update prompts, geofenced web pages, and anti-analysis checks. This creates several layers between the first click and the final banking trojan payload.

The malware also checks the victim’s environment before continuing. It can look for virtual machines, debugging tools, research paths, security products, and system details that may indicate analysis. If the system looks suspicious, the malware can stop or change behavior.

Executable file created by the malicious obfuscated VBS script (Source – WatchGuard)

Kaspersky analysis previously found that Grandoreiro variants added new tricks such as updated domain generation algorithms, mouse behavior tracking, and stronger evasion logic. The latest campaigns continue that broader pattern of adaptation.

How Organizations Can Reduce the Risk

Organizations in Portugal, Spain, Mexico, and Latin America should treat Grandoreiro as a banking fraud and credential theft risk. Email filtering still helps, but it is not enough when attackers route payloads through familiar platforms and hide command-and-control traffic inside cloud-like patterns.

  • Train staff to report unexpected links, ZIP files, and document download prompts.
  • Block or inspect suspicious script execution, especially VBS files from downloads.
  • Monitor unusual access to Dropbox, Mediafire, Contabo-hosted pages, and unknown delivery domains.
  • Look for abnormal DLL loading behavior in legitimate desktop software.
  • Use endpoint detection that can identify credential theft, overlay behavior, and keylogging.
  • Review banking session activity and alert on unusual transaction behavior.
  • Use multi-factor authentication for banking, email, and cloud accounts.
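The DLL side-loading and VBS delivery steps described above translate into a concrete endpoint check. The following Python script is an added example, not code from the article or from WatchGuard: it runs over constructed Sysmon-style image-load and process-creation records (field names, paths and user names are assumptions) and flags the four campaign DLL names loading from user-writable locations, or a Windows script host running a VBS file out of a download or temp folder.

```python
import re

# DLL names reported by WatchGuard for the side-loading campaign (from the article).
SUSPECT_DLLS = {"libwebp.dll", "mingw10.dll", "libffi-6.dll", "libpng15.dll"}

# User-writable locations where a dropped DLL or VBS typically lands. Legitimate
# copies of these libraries ship under Program Files or the application folder.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata)|programdata|windows\\temp)\\", re.I)

def flag_event(ev):
    """Return a reason string when an event matches the delivery chain, else None."""
    if ev["type"] == "image_load":
        dll = ev["image"].rsplit("\\", 1)[-1].lower()
        if dll in SUSPECT_DLLS and USER_WRITABLE.search(ev["image"]):
            return f"side-load candidate: {ev['process']} loaded {dll} from a user-writable path"
        if dll in SUSPECT_DLLS and not ev.get("signed", False):
            return f"unsigned {dll} loaded by {ev['process']}"
    elif ev["type"] == "process_create":
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if (exe in ("wscript.exe", "cscript.exe")
                and re.search(r"\.vbs\b", ev["cmdline"], re.I)
                and USER_WRITABLE.search(ev["cmdline"])):
            return f"script host ran a VBS from a user-writable path: {ev['cmdline']}"
    return None

def scan(events):
    """Return (event id, reason) pairs for every event that is flagged."""
    return [(ev["id"], r) for ev in events if (r := flag_event(ev))]

# Constructed Sysmon-style records (Event ID 7 image loads, Event ID 1 process creates).
SAMPLE_EVENTS = [
    {"id": 1, "type": "image_load", "process": r"C:\Program Files\Viewer\viewer.exe",
     "image": r"C:\Program Files\Viewer\libpng15.dll", "signed": True},
    {"id": 2, "type": "image_load", "process": r"C:\Users\ana\AppData\Local\Temp\viewer.exe",
     "image": r"C:\Users\ana\AppData\Local\Temp\libwebp.dll", "signed": False},
    {"id": 3, "type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\AdobeReader_update.vbs"'},
    {"id": 4, "type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\ana\Downloads\notes.txt"},
    {"id": 5, "type": "image_load", "process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\ntdll.dll", "signed": True},
]

if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Only events 2 and 3 are flagged: the signed copy of libpng15.dll under Program Files and the unrelated notepad process are left alone.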

The INTERPOL-backed disruption showed that law enforcement can weaken Grandoreiro operations, but the malware’s return shows why banks and companies still need layered defenses. Grandoreiro remains active because its operators keep changing infrastructure, delivery methods, and targeting.

For users, the safest approach is to avoid opening unexpected banking, invoice, tax, or document links. If a page asks to download a file or run an update before viewing a document, it should be treated as suspicious.

FAQ

What is Grandoreiro malware?

Grandoreiro is a banking trojan active since at least 2016. It is designed to steal banking credentials, monitor user activity, capture keystrokes, display fake banking overlays, and help attackers commit financial fraud.

Who is being targeted by the latest Grandoreiro campaign?

The latest campaigns target banks in Portugal and companies or users in Spain, Portugal, Mexico, and Latin America. The malware includes references to several Portuguese banks and financial services, including Caixa Geral Depositos, Millennium, Novobanco, Santander, Revolut, and Wise.

How does Grandoreiro infect Windows devices?

The current campaigns use phishing links as the entry point. One campaign delivers malicious DLL files through side-loading, while another uses an obfuscated VBS script that drops the malware after showing a fake Adobe Reader update message.

Why is Grandoreiro difficult to detect?

Grandoreiro can abuse trusted cloud and file-sharing services, use WebRTC-related traffic, check for security tools, detect virtual environments, and stop execution if it appears to run inside a research system. These tactics make basic detection harder.
