Security researchers at WatchGuard and ESET have documented coordinated malware campaigns using Grandoreiro and BTMOB to compromise both Windows workstations and Android devices across Latin America and Europe. The campaigns focus on small and medium-sized businesses in Spain, Portugal, Mexico, and Brazil—regions where infrastructure security maturity varies widely and where remote-work adoption has accelerated significantly.
The Threat Profile
Grandoreiro is a banking trojan designed to intercept credentials and banking sessions on Windows systems. BTMOB is a remote access trojan (RAT) targeting Android devices. Running parallel campaigns rather than sequential ones suggests the threat actors are either testing different vectors or targeting organisations where they know mobile and desktop environments are both in use.
The geographic focus is deliberate. Spain and Portugal are EU financial hubs; Mexico is a major commercial centre; Brazil has significant fintech activity. These regions also share a characteristic: many organisations still rely on ageing infrastructure, legacy applications, and workforces split between office and remote locations—exactly the conditions that favour trojan deployment.
Infection Vectors and Persistence
Banking trojans like Grandoreiro typically arrive via email phishing or malvertising, often masquerading as invoices, tax documents, or software updates. Once installed, they establish persistence by injecting into running processes or modifying startup configurations. The Android variant uses similar social engineering but may also exploit application permissions on devices where staff have sideloaded non-Play Store applications.
The critical insight for infrastructure teams: infection rarely stops at a single workstation. Once inside, trojans can move laterally to internal systems, particularly if network segmentation is weak or credentials are reused across multiple accounts. In organisations running on-premises banking software or financial backends, a compromised frontend workstation becomes a bridgehead.
Detection and Mitigation
Endpoint detection and response (EDR) tools are the first line of defence, but they require proper tuning and staff training to use effectively. Many SMBs lack dedicated security operations centres (SOCs), meaning alerts either pile up unreviewed or trigger false-positive fatigue. Network monitoring for unexpected outbound connections, particularly to non-standard ports, is cheaper and often more reliable than relying on EDR alone.
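One way to implement the outbound-connection check described above, as an added example that is not code from the WatchGuard or ESET reports: a small Python filter over constructed flow-log lines that flags connections from internal hosts to external addresses on ports outside a per-protocol baseline, and suppresses single-hit destination pairs so the output stays reviewable by a team without a SOC. The log format, the port baseline and the internal address ranges are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real telemetry): timestamp src dst dport proto
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.1.15 142.250.74.46 443 tcp
2024-05-01T09:00:05 10.0.1.15 10.0.0.5 445 tcp
2024-05-01T09:01:10 10.0.1.22 203.0.113.44 4433 tcp
2024-05-01T09:01:40 10.0.1.22 203.0.113.44 4433 tcp
2024-05-01T09:02:10 10.0.1.22 203.0.113.44 4433 tcp
2024-05-01T09:02:30 10.0.1.30 198.51.100.9 8443 tcp
2024-05-01T09:03:00 10.0.1.15 8.8.8.8 53 udp
"""

# Assumed baseline of ports a workstation is expected to reach on the internet.
STANDARD_PORTS = {"tcp": {22, 25, 80, 443, 587, 993, 995}, "udp": {53, 123}}

# Assumed internal (RFC 1918) ranges; internal-to-internal flows are out of scope here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def flag_outbound(log_text: str, min_hits: int = 2) -> dict:
    """Return {src: {(dst, dport, proto): count}} for outbound flows on non-standard ports.

    Only internal -> external flows are considered. Destination tuples seen fewer than
    min_hits times are dropped, so repeated contacts (the pattern a beaconing implant
    produces) surface while one-off noise does not flood the reviewer.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # not an outbound flow from a workstation
        if rec["dport"] in STANDARD_PORTS.get(rec["proto"], set()):
            continue  # port is within the expected baseline
        counts[rec["src"]][(rec["dst"], rec["dport"], rec["proto"])] += 1
    return {src: {k: v for k, v in hits.items() if v >= min_hits}
            for src, hits in counts.items()
            if any(v >= min_hits for v in hits.values())}


if __name__ == "__main__":
    for src, hits in flag_outbound(SAMPLE_LOG).items():
        for (dst, port, proto), n in hits.items():
            print(f"{src} -> {dst}:{port}/{proto} x{n}")
```

Tune `min_hits` and `STANDARD_PORTS` to the organisation's actual traffic baseline; the point is a short, reviewable list rather than an alert per flow.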
Authentication hardening is equally important. Multi-factor authentication (MFA) on email accounts prevents attackers from moving laterally with compromised credentials. Similarly, administrative accounts should never use the same password or authentication method as standard users: a discipline that costs nothing but is routinely neglected.
For organisations hosting financial or banking infrastructure, the questions become more pointed: can your hosting environment support network isolation? Can you deploy application-level monitoring that detects unusual behaviour (such as bulk credential harvesting) without adding latency? If you're managing critical financial systems, a dedicated infrastructure provider with DDoS mitigation and security monitoring is worth the investment, particularly if you're in a jurisdiction where compliance requirements demand audit trails.
Lessons for Infrastructure Planning
These campaigns remind infrastructure teams that security is not primarily a perimeter problem. Trojans assume the perimeter has already been breached—they're after what happens inside. The real defence is process discipline: inventory all systems touching financial data, enforce credential rotation, log administrative activity, and test incident response regularly.
Organisations in regions targeted by these campaigns should also assume they're under sustained reconnaissance. Treat each phishing email as an indicator that threat actors are actively probing your attack surface. Assume that some staff will click. Plan your detection and response accordingly.
For more details on the technical findings, WatchGuard and ESET's analysis is available via The Hacker News.
