VYPR Research
Published May 27, 2026 · 1 source

Grandoreiro Banking Trojan Resurfaces with Campaigns Targeting Portuguese Banks and Latin American Firms

The long-running Grandoreiro banking trojan has resurfaced with sophisticated campaigns targeting Portuguese banks and companies across Spain, Mexico, and Latin America using DLL side-loading and cloud platform abuse.

The Grandoreiro banking trojan, a persistent threat since 2016, has re-emerged with fresh campaigns targeting major Portuguese banks and businesses across Latin America. Researchers at WatchGuard have identified two distinct delivery campaigns that leverage trusted cloud services and advanced evasion techniques, signaling that the criminal operation remains active despite previous law enforcement takedowns.

The first campaign employs DLL side-loading, a technique in which a trusted, legitimately signed executable is made to load a malicious DLL placed alongside it. Here the malicious DLLs (libwebp.dll, mingw10.dll, libffi-6.dll, and libpng15.dll) are disguised as ordinary software components. The files were built with Delphi 11 and incorporate SGC WebSockets components linked to WebRTC, allowing malicious traffic to blend with normal video call data. Each malicious DLL connects to a different cloud provider: Google Cloud Pub/Sub, Microsoft Azure via MQTT, and Amazon via MQTT. The malware is delivered through phishing links that redirect victims to Dropbox, where a ZIP file containing the malicious DLL is downloaded.

The second campaign uses a geofenced fake page hosted on Contabo servers, which is displayed only to users in the targeted regions. The page links to a file hosted on Mediafire; when opened, it runs a heavily obfuscated VBS script that installs the malware. Once executed, the malware displays a fake Adobe Reader update message to distract the victim while it checks for debugging tools, virtual environments, and security software. It also forces the browser into Kiosk Mode, locking the screen to a single fullscreen window.

Grandoreiro targets over 20 banks in Portugal, including Caixa Geral de Depósitos, Millennium, Novobanco, and Santander, as well as financial services such as Revolut and Wise. The malware steals credentials, logs keystrokes, monitors clipboard activity, and displays fake banking overlays to capture login details. Its anti-analysis features include checks for specific computer names and directory paths commonly used by researchers. Researchers also found Chinese-language strings embedded in the code.

The impact extends across multiple countries, with potential financial losses for businesses and banking customers. Despite joint operations by INTERPOL and local agencies that led to arrests in Spain, Brazil, and Argentina in 2021 and 2024, the remaining criminal infrastructure has adapted and continues to operate. WatchGuard researchers emphasize that traditional email security and endpoint tools are insufficient; layered visibility, behavioral detection, and continuous monitoring across users, devices, and cloud infrastructure are essential to catch these attacks early.
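The behaviours described above (the named DLLs loaded from a user-writable download location, a process that has loaded one of them then talking to a cloud messaging service, and a browser pushed into Kiosk Mode by a script host) are the kind of signals the behavioral detection recommended here would key on. The following is an added hunting example, not code from WatchGuard or from the report; it runs over a constructed JSON-lines telemetry sample (image-load, network-connect and process-create events in a made-up EDR export format). The cloud hostnames, MQTT ports, browser and script-host names, `viewer.exe`, the user name and the file paths are all this example's assumptions, not indicators from the report.

```python
"""Hunt over constructed endpoint telemetry for Grandoreiro-style behaviour.

The log format, hostnames, ports and sample paths are assumptions made for
this example; only the four DLL names come from the report.
"""
import json
import re
from pathlib import PureWindowsPath

# Side-loaded DLL names reported by WatchGuard.
SIDELOAD_DLLS = {"libwebp.dll", "mingw10.dll", "libffi-6.dll", "libpng15.dll"}

# A trusted application should load its libraries from its install directory,
# not from user-writable locations (assumed set; extend per environment).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)

# The report names the services (Google Cloud Pub/Sub, Azure and Amazon via
# MQTT); these host suffixes and ports are this example's assumptions.
CLOUD_MESSAGING_HOSTS = ("pubsub.googleapis.com", ".azure-devices.net", ".amazonaws.com")
MQTT_PORTS = {1883, 8883}

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
KIOSK_FLAG = re.compile(r"(^|\s)--?kiosk\b", re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _cloud_messaging(dest: str, port: int) -> bool:
    host = dest.lower()
    return port in MQTT_PORTS or any(host.endswith(s) for s in CLOUD_MESSAGING_HOSTS)


def hunt(lines):
    """Return findings (rule, pid, detail) for JSON-lines telemetry events."""
    findings = []
    sideloaded = {}  # pid -> DLL that was side-loaded from a user-writable path
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        kind = ev.get("type")
        if kind == "image_load":
            dll = _basename(ev["image"])
            if dll in SIDELOAD_DLLS and USER_WRITABLE.search(ev["image"]):
                sideloaded[ev["pid"]] = dll
                findings.append({"rule": "sideloaded_dll", "pid": ev["pid"],
                                 "detail": f"{_basename(ev['process'])} loaded {dll} from {ev['image']}"})
        elif kind == "net_connect":
            # Correlate: only a process that already side-loaded one of the DLLs
            # and then reaches a cloud messaging endpoint is flagged as likely C2.
            if ev["pid"] in sideloaded and _cloud_messaging(ev["dest"], ev["port"]):
                findings.append({"rule": "sideloaded_process_cloud_c2", "pid": ev["pid"],
                                 "detail": f"process with {sideloaded[ev['pid']]} connected to {ev['dest']}:{ev['port']}"})
        elif kind == "process_create":
            if (_basename(ev["image"]) in BROWSERS
                    and KIOSK_FLAG.search(ev.get("cmdline", ""))
                    and _basename(ev["parent"]) in SCRIPT_HOSTS):
                findings.append({"rule": "browser_kiosk_from_script", "pid": ev["pid"],
                                 "detail": f"{_basename(ev['parent'])} launched {_basename(ev['image'])} in kiosk mode"})
    return findings


# Constructed sample telemetry (not real events). Event 3 is a benign load of a
# same-named DLL from an install directory; event 5 is an unrelated MQTT client.
SAMPLE_LOG = r"""
{"ts":"2026-05-20T09:14:02Z","type":"image_load","pid":4120,"process":"C:\\Users\\ana\\Downloads\\Fatura_2026\\viewer.exe","image":"C:\\Users\\ana\\Downloads\\Fatura_2026\\libwebp.dll"}
{"ts":"2026-05-20T09:14:05Z","type":"net_connect","pid":4120,"process":"C:\\Users\\ana\\Downloads\\Fatura_2026\\viewer.exe","dest":"pubsub.googleapis.com","port":443}
{"ts":"2026-05-20T09:15:10Z","type":"image_load","pid":880,"process":"C:\\Program Files\\Vendor\\app.exe","image":"C:\\Program Files\\Vendor\\libpng15.dll"}
{"ts":"2026-05-20T09:16:41Z","type":"process_create","pid":5204,"parent":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"chrome.exe --kiosk https://update.example.invalid/"}
{"ts":"2026-05-20T09:17:03Z","type":"net_connect","pid":880,"process":"C:\\Program Files\\Vendor\\app.exe","dest":"broker.corp.example.invalid","port":8883}
"""


def hunt_sample():
    """Run the rules over the constructed sample; returns three findings."""
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"[{f['rule']}] pid={f['pid']}: {f['detail']}")
```

The correlation step matters: a same-named DLL loaded from its vendor's install directory, or an MQTT connection from a process that never side-loaded anything, produces no finding, which keeps the rule usable on a fleet where these library names are also legitimately present.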

Grandoreiro's use of legitimate cloud platforms to hide command-and-control traffic marks a worrying trend in banking trojan evolution. By abusing services like Google Cloud, Microsoft Azure, and Amazon, attackers make detection significantly harder. Organizations in the financial sector and related industries should prioritize threat intelligence sharing and deploy advanced detection mechanisms to identify anomalous traffic patterns. The resurgence of Grandoreiro serves as a reminder that long-running malware families can evolve and persist, requiring constant vigilance.

Synthesized by Vypr AI