Grandoreiro Malware Targets Portuguese Banks & LatAm Firms
Grandoreiro, a banking trojan quietly active since 2016, is once again making headlines. This globally widespread malware has resurfaced with fresh campaigns, now specifically targeting Portuguese banks and businesses across Spain, Mexico, and Latin America, as detailed in a report from WatchGuard. The attacks are sophisticated, well-organized, and show no sign of slowing down, and Grandoreiro has survived years of law enforcement pressure.
Despite joint operations between INTERPOL and local agencies that led to arrests in Spain, Brazil, and Argentina in 2021 and 2024, only part of the criminal gang was taken down. The rest kept going, and their latest activity proves that this threat is far from over.
Researchers at WatchGuard said in a report shared with Cyber Security News (CSN) that their telemetry detected two active Grandoreiro campaigns, one using a technique called DLL Side-Loading and another using a malicious VBS script to deliver the malware.
Both campaigns rely on phishing as the entry point, tricking victims into clicking links that eventually drop the malware onto their machines.
The campaigns are notable not just for what they target, but for how they operate. The attackers are using cloud platforms like Google Cloud, Microsoft Azure, and Amazon to blend malicious traffic into everyday network activity.
Because web-conferencing (WebRTC) traffic is common and often goes unmonitored, hiding command-and-control traffic inside it gives the attackers a strong advantage.
The impact extends well beyond individual victims. With hardcoded references to more than 20 banks in Portugal, including Caixa Geral de Depositos, Millennium, Novobanco, and Santander, as well as services like Revolut and Wise, the scope of potential damage is wide.
Businesses and banking customers across multiple countries face real financial risk.
Hackers Use Grandoreiro Malware
The first campaign uses a technique known as DLL Side-Loading: four malicious DLL files (libwebp.dll, mingw10.dll, libffi-6.dll, and libpng15.dll) carry the names of legitimate library components so that a trusted application (FastStone Image Viewer, the MinGW compiler suite, FreeMat, and AbiWord respectively, per the indicators listed below) loads the attacker's code in place of the real library.
These files were built using Delphi 11 and contain SGC WebSockets components linked to WebRTC, a widely trusted real-time communication protocol. The idea is straightforward: malicious traffic that looks like normal video call data becomes much harder to detect.

Each malicious DLL connects to a different cloud provider: one uses Google Cloud Pub/Sub, another uses Microsoft Azure over MQTT, and a third connects to Amazon, also over MQTT.
The malware is delivered through phishing links that redirect victims to Dropbox, where a ZIP file containing the malicious DLL is downloaded. This misuse of trusted platforms is deliberate and makes detection especially difficult.

The code also includes aggressive anti-analysis features. The malware checks for debugging tools, virtual environments, and installed security software before it fully executes.

It looks for specific computer names and directory paths commonly used by analysts, and it can force the browser into Kiosk Mode, locking the screen to a single fullscreen window. Strings written in Chinese were also found embedded in the code.
Malicious VBS and Geofenced Delivery
The second campaign takes a different but equally deceptive approach. Victims are directed to a fake web page hosted on Contabo servers, geofenced to show only to users in targeted regions.
The page links to a file on Mediafire, which, once downloaded, runs a heavily obfuscated VBS script that installs the malware on the victim’s machine.

Once the malware runs, it displays a fake Adobe Reader update message to keep the victim distracted while it performs checks in the background.
It queries the victim’s location using a public IP lookup service, verifies the machine is not a research environment, and then proceeds to steal credentials, log keystrokes, monitor the clipboard, and display fake banking overlays to capture login details.

WatchGuard researchers recommend that organizations move beyond basic email security and endpoint tools.
Layered visibility, behavioral detection, and continuous monitoring across users, devices, and cloud infrastructure are essential to catching these attacks early. Banking trojans like Grandoreiro are getting better at blending in, and surface-level defenses alone will not be enough to stop them.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | uniaodownloadcnk[.]online | Phishing delivery domain created February 2026; used to host malicious ZIP files |
| Domain | vmi<7-digit-number>[.]contaboserver[.]net | Contabo VPS infrastructure abused for malicious link delivery and geofenced fake pages |
| Domain | <random-name>.byethost<num>.com | C2 infrastructure pattern used by Grandoreiro operators |
| Domain | dropbox[.]com / dropboxusercontent[.]com | Legitimate service abused to host and deliver malicious ZIP files |
| Domain | mediafire[.]com | Legitimate service abused to host malicious VBS payload |
| IP Address | 162[.]33[.]177[.]150 | Grandoreiro C2 server |
| URL | hxxp://ip-api[.]com/json | Geolocation lookup used by malware to verify victim location before execution |
| File Name | libwebp.dll | Malicious DLL used in DLL Side-Loading with FastStone Image Viewer |
| File Name | mingw10.dll | Malicious DLL used in DLL Side-Loading with MinGW compiler suite |
| File Name | libffi-6.dll | Malicious DLL used in DLL Side-Loading with FreeMat |
| File Name | libpng15.dll | Malicious DLL used in DLL Side-Loading with AbiWord |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
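To make the list above directly usable, here is an added Python example (not from WatchGuard or the article) that refangs the indicators, turns the placeholder patterns from the table (`<7-digit-number>`, `<num>`, `<random-name>`) into regular expressions, and runs them over a few constructed proxy-log lines. The dropbox.com and mediafire.com entries are deliberately left out, since matching those hostnames alone would only produce noise; the log lines, timestamps and the regex widths assumed for the placeholders are invented for the demo.

```python
"""Turn the defanged Grandoreiro IoCs into regexes and scan log lines with them.
Added example, not WatchGuard's or the article's code; SAMPLE_LOGS are constructed."""
import re

# Defanged indicators as published, with the placeholder patterns kept verbatim.
IOCS = {
    "uniaodownloadcnk[.]online": "phishing delivery domain",
    "vmi<7-digit-number>[.]contaboserver[.]net": "Contabo VPS geofenced page / link delivery",
    "<random-name>.byethost<num>.com": "byethost C2 pattern",
    "162[.]33[.]177[.]150": "Grandoreiro C2 server",
    "hxxp://ip-api[.]com/json": "victim geolocation lookup",
}

# Placeholder tokens from the IoC table and the regex each is assumed to stand for.
PLACEHOLDERS = {
    "<7-digit-number>": r"\d{7}",
    "<num>": r"\d+",
    "<random-name>": r"[a-z0-9-]+",
}


def refang(ioc: str) -> str:
    """Reverse the [.] and hxxp defanging so the indicator can be matched."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def ioc_to_regex(ioc: str) -> re.Pattern:
    """Escape the literal parts, substitute placeholders, and anchor on token
    boundaries so 162.33.177.150 does not match inside 162.33.177.1500."""
    pattern = re.escape(refang(ioc))
    for token, rx in PLACEHOLDERS.items():
        pattern = pattern.replace(re.escape(token), rx)
    return re.compile(r"(?<![\w-])" + pattern + r"(?![\w-])", re.IGNORECASE)


RULES = [(ioc, desc, ioc_to_regex(ioc)) for ioc, desc in IOCS.items()]


def scan(lines):
    """Return one hit per (line, indicator) with the literal text that matched."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for ioc, desc, rx in RULES:
            m = rx.search(line)
            if m:
                hits.append({"line": lineno, "ioc": ioc, "matched": m.group(0), "desc": desc})
    return hits


# Constructed proxy-log lines: five true positives followed by one near-miss.
SAMPLE_LOGS = [
    "2026-02-14T09:12:03Z 10.0.5.21 GET https://uniaodownloadcnk.online/fatura.zip 200",
    "2026-02-14T09:12:41Z 10.0.5.21 GET http://vmi1234567.contaboserver.net/pt/index.php 200",
    "2026-02-14T09:13:05Z 10.0.5.21 GET http://ip-api.com/json?fields=countryCode 200",
    "2026-02-14T09:13:30Z 10.0.5.21 CONNECT 162.33.177.150:443 -",
    "2026-02-14T09:14:02Z 10.0.5.22 GET http://atualizacao-pt.byethost7.com/gate.php 200",
    "2026-02-14T09:15:10Z 10.0.5.23 GET https://cdn.example.net/img/162.33.177.1500.png 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['matched']}  <- {hit['ioc']} ({hit['desc']})")
```

The ip-api.com lookup on its own is not malicious, but the sequence in the constructed log (a download from the delivery domain, then a geolocation check, then a CONNECT to the C2 address from the same host within minutes) is the shape of the VBS campaign described above, so correlating hits per source host is worth more than alerting on any single rule.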
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.