A banking trojan that has stubbornly outlasted multiple international law enforcement operations is back — and more technically sophisticated than ever. Grandoreiro, a Delphi-based banking malware first observed in 2016, has resurfaced with fresh, dual-pronged attack campaigns specifically targeting major Portuguese banks and financial institutions across Spain, Mexico, and Latin America, according to new research from WatchGuard Technologies.
Despite joint takedown efforts by INTERPOL and local agencies that led to arrests in Spain, Brazil, and Argentina in both 2021 and 2024, the criminal operation behind Grandoreiro was never fully dismantled. The threat actors who remained at large have now returned with upgraded tactics, more resilient infrastructure, and hardened evasion techniques.
Campaign One: DLL Side-Loading Through Cloud Platforms
The first campaign uses DLL side-loading: a malicious DLL is dropped into the directory of a legitimate application under the name of a library that application expects to load, so the application picks up the attacker's copy ahead of the genuine one. The campaign uses four such DLLs, libwebp.dll, mingw10.dll, libffi-6.dll, and libpng15.dll, built with Delphi 11 and embedding SGC WebSockets components tied to WebRTC. The choice of WebRTC is deliberate: the command-and-control traffic blends in with legitimate real-time conferencing traffic, which makes it considerably harder to flag at the network layer.
Each malicious DLL connects outbound to a different major cloud provider: one communicates via Google Cloud Pub/Sub, another connects to Microsoft Azure over MQTT, and a third routes through Amazon Web Services, also over MQTT. Because traffic to these platforms is allow-listed in almost every corporate firewall and security tool, the malware can exfiltrate data and receive commands with minimal interference.
Delivery begins with a phishing email containing a link that redirects victims to Dropbox, where a ZIP file containing the malicious DLL is hosted. Using Dropbox as a staging point adds another layer of implicit trust — many security solutions treat Dropbox traffic as benign.
The malware also incorporates aggressive anti-analysis checks. Before running its payload fully, it looks for debugging tools, virtual machines, sandbox environments, and installed security software. Analysts found Chinese-language strings embedded in the code, a detail that may hint at the operators' origin or may be deliberate misdirection. Once active on a victim's machine, the malware can force the browser into Kiosk Mode, locking the screen so the victim cannot navigate away from a fraudulent banking login page.
Campaign Two: Obfuscated VBS Script With Geofencing
The second campaign takes a different but equally deceptive path. Victims are sent phishing links that redirect to a fake web page hosted on Contabo VPS infrastructure, but with a critical twist: the page is geofenced, meaning it only displays malicious content to users whose IP addresses resolve to the targeted regions in Portugal, Spain, or Latin America. Visitors from outside these geographies see nothing suspicious.
The page instructs visitors to download a file from Mediafire, another trusted file-hosting platform. The downloaded file contains a heavily obfuscated VBS script that, once executed, installs the Grandoreiro payload on the victim’s machine. To keep victims distracted and unsuspecting during the infection, the malware displays a fake Adobe Reader update dialog — a classic misdirection technique.
Once running, Grandoreiro performs a geolocation check via a public IP lookup service to verify the machine is in a targeted region. It also queries Windows Management Instrumentation (WMI) to enumerate installed antivirus products, allowing it to tailor its evasion behavior. If the environment passes all checks, the malware begins stealing banking credentials, logging keystrokes, monitoring the clipboard for copied account numbers or passwords, and displaying fake bank login overlays designed to harvest credentials in real time.
Targeted Institutions
The malware contains hardcoded references to more than 20 banks in Portugal, including major institutions such as Caixa Geral de Depósitos, Millennium BCP, Novobanco, and Santander Portugal. Digital banking services Revolut and Wise are also targeted, reflecting the attackers’ awareness that modern banking customers increasingly rely on fintech platforms alongside traditional banks. Companies in Spain, Mexico, and across Latin America are also within the campaign’s scope.
Indicators of Compromise (IoCs)
Organizations in affected regions should search for the following indicators:
- Domain: uniaodownloadcnk[.]online (phishing delivery domain, created February 2026)
- Infrastructure: Contabo VPS hosts matching the pattern vmi<7-digit-number>[.]contaboserver[.]net
- C2 IP: 162[.]33[.]177[.]150
- File names: libwebp.dll, mingw10.dll, libffi-6.dll, libpng15.dll placed alongside legitimate applications (FastStone Image Viewer, MinGW, FreeMat, AbiWord)
- Geolocation lookup: outbound calls to ip-api[.]com/json from non-browser processes
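The indicators above, together with the ip-api.com geolocation check, the cloud MQTT channels, and the forced Kiosk Mode described earlier, translate directly into hunt logic over endpoint and proxy telemetry. The following Python is an added example written for this page; it is not code from WatchGuard, from the report, or from the malware. It runs a handful of rules over constructed Sysmon-style events. The event field names, the browser and MQTT-client allow-lists, the use of TCP 8883 for MQTT over TLS, and treating a browser launched with `--kiosk` by a non-shell parent as suspicious are all assumptions of the example, not findings from the report.

```python
"""Added example, not from the report: a small offline hunt over constructed
Sysmon-style events for the Grandoreiro indicators listed on this page.
Event shapes, allow-lists and port numbers below are assumptions."""
import re


def refang(ioc: str) -> str:
    """Turn the report's defanged form (ip-api[.]com) back into a matchable string."""
    return ioc.replace("[.]", ".")


# Indicators copied from the IoC list above, kept in their published defanged form.
SIDELOAD_DLLS = {"libwebp.dll", "mingw10.dll", "libffi-6.dll", "libpng15.dll"}
C2_IPS = {refang("162[.]33[.]177[.]150")}
PHISH_DOMAINS = {refang("uniaodownloadcnk[.]online")}
CONTABO_RE = re.compile(r"^vmi\d{7}\.contaboserver\.net$", re.I)
GEOIP_RE = re.compile(r"ip-api\.com/json", re.I)
KIOSK_RE = re.compile(r"(^|\s)--kiosk(\s|=|$)", re.I)

# Site-specific assumptions (tune per environment; none of these come from the report).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # expected to fetch IP-lookup pages
SHELLS = {"explorer.exe"}                                 # parents that mean "user started it"
MQTT_PORT = 8883                                          # MQTT over TLS, as a cloud broker uses
MQTT_CLIENTS = {"mosquitto.exe"}                          # processes allowed to speak MQTT


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path):
    p = path.replace("/", "\\").lower()
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def check_image_load(ev):
    """Image-load event: {'process': exe path, 'image_loaded': dll path}."""
    dll = ev["image_loaded"]
    # Side-loading precondition: a named DLL in the same directory as the EXE loading it,
    # so it wins the DLL search order over any copy in System32.
    if _basename(dll) in SIDELOAD_DLLS and _dirname(dll) == _dirname(ev["process"]):
        return ["dll_sideload_candidate"]
    return []


def check_process_create(ev):
    """Process-creation event: {'process', 'parent', 'command_line'}."""
    if (_basename(ev["process"]) in BROWSERS
            and KIOSK_RE.search(ev.get("command_line", ""))
            and _basename(ev.get("parent", "")) not in SHELLS):
        return ["browser_kiosk_not_user_initiated"]
    return []


def check_network(ev):
    """Network/proxy event: {'process', 'dest_ip', 'dest_host', 'dest_port', 'url'}."""
    hits = []
    proc = _basename(ev["process"])
    host = ev.get("dest_host", "").lower()
    if ev.get("dest_ip") in C2_IPS:
        hits.append("c2_ip")
    if host in PHISH_DOMAINS:
        hits.append("phishing_domain")
    if CONTABO_RE.match(host):
        hits.append("contabo_vps_pattern")
    if GEOIP_RE.search(ev.get("url", "")) and proc not in BROWSERS:
        hits.append("geoip_lookup_nonbrowser")
    if ev.get("dest_port") == MQTT_PORT and proc not in MQTT_CLIENTS:
        hits.append("mqtt_unexpected_process")
    return hits


CHECKERS = {"image_load": check_image_load, "process_create": check_process_create,
            "network": check_network}


def hunt(events):
    """Return (rule, process basename) for every rule that fires on every event."""
    return [(rule, _basename(ev["process"]))
            for ev in events for rule in CHECKERS[ev["kind"]](ev)]


# Constructed sample telemetry (not real logs): each rule fires once, plus benign events.
FSV = r"C:\Program Files\FastStone Image Viewer\FSViewer.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [
    {"kind": "image_load", "process": FSV,
     "image_loaded": r"C:\Program Files\FastStone Image Viewer\libwebp.dll"},
    {"kind": "image_load", "process": r"C:\Program Files\AbiWord\bin\AbiWord.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"kind": "process_create", "process": CHROME, "parent": WSCRIPT,
     "command_line": f'"{CHROME}" --kiosk https://bank.example/login'},
    {"kind": "process_create", "process": CHROME, "parent": r"C:\Windows\explorer.exe",
     "command_line": f'"{CHROME}" https://bank.example/login'},
    {"kind": "network", "process": FSV, "dest_host": "ip-api.com", "dest_port": 80,
     "url": "http://ip-api.com/json"},
    {"kind": "network", "process": CHROME, "dest_host": "ip-api.com", "dest_port": 443,
     "url": "https://ip-api.com/json"},
    {"kind": "network", "process": WSCRIPT, "dest_host": "uniaodownloadcnk.online", "dest_port": 443},
    {"kind": "network", "process": WSCRIPT, "dest_host": "vmi1234567.contaboserver.net", "dest_port": 443},
    {"kind": "network", "process": FSV, "dest_ip": "162.33.177.150", "dest_port": 443},
    {"kind": "network", "process": FSV, "dest_host": "broker.example.net", "dest_port": 8883},
]

if __name__ == "__main__":
    for rule, proc in hunt(SAMPLE_EVENTS):
        print(f"{rule:34} {proc}")
```

The side-loading rule fires only when a named DLL sits in the same directory as the executable that loads it, which is the precondition for it to win the search order. Since the genuine libwebp.dll and libpng15.dll legitimately ship with some applications, corroborate a hit with the DLL's hash or Authenticode signature before acting on it. The Kiosk Mode rule keys on the launch flag and the parent process because a browser the user opened from the shell is expected; one spawned by a script host with `--kiosk` is not.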
Defensive Recommendations
WatchGuard researchers emphasize that traditional email and endpoint security tools are insufficient to reliably catch Grandoreiro. The campaign’s deliberate use of legitimate cloud platforms, trusted file-hosting services, and protocol camouflage means that signature-based detection will miss a significant portion of attack activity.
- Behavioral detection: Deploy endpoint security solutions capable of detecting DLL Side-Loading patterns and unusual process injection behavior.
- Cloud traffic inspection: Implement deep packet inspection for cloud-bound traffic to catch anomalous MQTT or Pub/Sub communications from unexpected processes.
- Phishing awareness training: Particularly in financial institutions operating in Portugal, Spain, and Latin America, train staff to critically evaluate any unexpected download request, even from seemingly trustworthy services like Dropbox or Mediafire.
- Monitor for Kiosk Mode: Alert on unexpected browser processes entering fullscreen kiosk mode, especially when not user-initiated.
- Layered security monitoring: Continuous behavioral monitoring across users, devices, and cloud infrastructure is essential — Grandoreiro’s evasion sophistication means it will often slip past any single-layer defense.
With financial institutions across two continents in its crosshairs and a decade-long history of resilience against law enforcement, Grandoreiro remains one of the most persistent banking trojans in the global threat landscape. Organizations in the targeted regions should treat this as an active, high-priority threat requiring immediate defensive attention.