Grandoreiro and BTMOB RAT: How Two Banking Malware Campaigns Are Targeting Windows and Android Users Right Now

By Actipace Security Team · May 2026 · 7 min read


If you have been following cybersecurity news lately, you may have noticed a pattern emerging — banking malware is not slowing down. It is evolving. Quietly. Persistently. And with a level of technical sophistication that is making traditional security tools increasingly inadequate.

Two separate campaigns have recently been identified by security researchers at WatchGuard and ESET, targeting Windows and Android users across Latin America and Europe. The malware families involved — Grandoreiro and BTMOB RAT — represent two very different approaches to the same goal: stealing your banking credentials before you even realise something is wrong.

Here is what you need to know about both.


Grandoreiro: A Banking Trojan That Refuses to Die

Grandoreiro has been active since 2016. That is nearly a decade of continuous operation — surviving law enforcement action, infrastructure takedowns and repeated exposure by security researchers. As of 2026 it remains one of the most actively evolving banking trojans in the world, capable of stealing credentials from thousands of financial institutions across 45 countries.

The latest campaign flagged by WatchGuard researchers targets banks specifically operating in Portugal — including Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos and Santander — along with international fintech platforms like Revolut and Wise.

How This Campaign Works

The attack begins the way most sophisticated campaigns do — with a phishing email. The email instructs the recipient to click a link, which initiates a technically complex infection chain that most standard security tools are not built to detect.

What makes this particular campaign especially concerning is the use of DLL side-loading — a technique that abuses legitimate, trusted software to load malicious code. By hiding inside processes that look completely normal, the malware avoids triggering standard antivirus alerts. The malicious DLLs in this campaign are built using Delphi 11 and incorporate WebSocket communication libraries that allow the malware to communicate using the same traffic patterns as popular video conferencing platforms.

This is a deliberate design choice. Web conferencing traffic is noisy, trusted and difficult to monitor — which makes it the perfect hiding place for command-and-control communications.

A second variant of this campaign uses phishing emails to deliver a ZIP archive hosted on Mediafire. Inside the archive is an obfuscated Visual Basic Script that launches an executable — which then displays a convincing message asking the user to update Adobe Reader. Clicking the update button triggers the final payload.
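The two infection steps described above, DLL side-loading into a trusted-looking process and an obfuscated script launching an executable, both leave behavioural traces that a signature scanner ignores. The following is an added example, not code from WatchGuard, ESET or Actipace: it runs simple behaviour heuristics over constructed Sysmon-style events (Event ID 7 ImageLoad and Event ID 1 ProcessCreate; field names follow Sysmon's schema, the directory list and DLL names are assumptions chosen for illustration).

```python
import re

# Constructed knowledge for the heuristics: user-writable directories and a few
# DLL names that trusted binaries import and are therefore often side-loaded.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\Windows\\(System32|SysWOW64)\\", re.I)
COMMON_SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_image_load(ev):
    """Sysmon Event ID 7: return a reason if the DLL load looks like side-loading."""
    dll, proc = ev["ImageLoaded"], ev["Image"]
    if basename(dll) in COMMON_SIDELOAD_NAMES and not SYSTEM_DIRS.match(dll):
        return f"{basename(proc)} loaded system-named {basename(dll)} from {dll}"
    if ev.get("Signed", "false").lower() == "false" and USER_WRITABLE.search(dll):
        return f"{basename(proc)} loaded unsigned DLL from user-writable path {dll}"
    return None

def check_process_create(ev):
    """Sysmon Event ID 1: flag a script host starting an EXE from a user-writable path."""
    parent, child = basename(ev["ParentImage"]), ev["Image"]
    if parent in SCRIPT_HOSTS and USER_WRITABLE.search(child):
        return f"{parent} launched {basename(child)} from {child}"
    return None

def triage(events):
    """Apply the heuristic matching each event's ID; return the list of alert reasons."""
    checks = {"7": check_image_load, "1": check_process_create}
    alerts = []
    for ev in events:
        reason = checks.get(ev["EventID"], lambda _e: None)(ev)
        if reason:
            alerts.append(reason)
    return alerts

# Constructed sample events (illustrative only, not telemetry from either campaign).
SAMPLE_EVENTS = [
    {"EventID": "7", "Image": r"C:\Users\ana\AppData\Local\Temp\upd\Reader.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\upd\version.dll", "Signed": "false"},
    {"EventID": "7", "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\ana\Downloads\invoice\update.exe"},
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Vendor\app.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` yields two alerts (the side-loaded `version.dll` and the script-host-launched executable) and stays silent on the two benign events; in practice the same checks would be fed from a Sysmon or EDR event stream.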

Why Surface-Level Defences Are No Longer Enough

WatchGuard put it plainly in their analysis: “The bigger story here is not just that Grandoreiro is still active. It is that financially motivated threat groups continue to adapt quickly, reuse legitimate services, and hide inside traffic patterns that many organisations may already trust.”

By combining phishing, DLL side-loading, WebRTC-based communications, cloud service abuse and anti-analysis checks, these campaigns are specifically designed to bypass defences that rely on known threat signatures. They exploit trust — in legitimate file formats, in trusted platforms, in familiar-looking alerts.

This is precisely the threat environment that behaviour-based Windows protection was designed for. When malware hides inside legitimate-looking processes and trusted traffic patterns, the only reliable detection layer is one that monitors what processes actually do — not just what they appear to be.


BTMOB RAT: Malware-as-a-Service for Anyone Who Wants It

If Grandoreiro represents the evolution of sophisticated banking malware, BTMOB RAT represents something arguably more dangerous — the democratisation of it.

BTMOB is an Android remote access trojan that first emerged in February 2025. It is sold commercially under a malware-as-a-service model — meaning anyone with $700 a month can purchase a ready-made attack toolkit, generate custom payloads and launch campaigns without writing a single line of code.

What BTMOB Can Do

Once installed on an Android device, BTMOB is capable of unlocking devices remotely, capturing screenshots in real time, logging every keystroke, automating credential theft through HTML injection when banking apps are opened, and enabling full remote control of the device. A later version added the ability to capture Alipay PINs specifically.

The malware spreads primarily through social engineering — users are sent links to fake websites disguised as streaming services or cryptocurrency mining platforms. From there they are directed to fake Google Play Store listings that trick them into installing a malicious APK file. Once installed, the malware requests accessibility service permissions — and then uses those permissions to grant itself further system access without any additional user interaction.

Why the MaaS Model Is Especially Concerning

BTMOB is believed to be the successor to previously known RAT families including CraxsRAT, CypherRAT and SpySolr. It is advertised openly, comes with an APK builder interface, and as of May 2026 is running version 4.5.5 with claims of enhanced APK protection and improved compatibility with the latest mobile security patches.

The malware-as-a-service model fundamentally lowers the barrier to entry for cybercrime. Sophisticated attacks that previously required significant technical expertise can now be purchased, configured and deployed by relatively unskilled threat actors. ESET has also noted that leaked versions are already circulating on underground forums and Telegram, increasing the risk further.

“Access rarely stays contained forever,” ESET noted in their analysis. “The tool can move into secondary markets through resale, barter, or sharing inside closed groups.”


The Common Thread: Both Campaigns Target the Same Thing

Grandoreiro and BTMOB RAT are built on different platforms and use different technical approaches. But they share the same fundamental objective — intercepting banking credentials before the victim knows they have been compromised.

Both campaigns rely heavily on social engineering to get the initial foothold. Both use legitimate-looking content to lower the victim’s guard. And both are specifically designed to operate beneath the detection threshold of standard security tools.

The Grandoreiro campaign targets Windows users through phishing emails and DLL side-loading. Once inside a Windows system, it operates inside trusted traffic patterns specifically to avoid detection. The BTMOB campaign targets Android users — but the credentials stolen from mobile devices are frequently the same ones used to access banking portals on Windows PCs.

In a household or business environment where the same banking credentials are used across devices, a compromise on one platform creates a direct vulnerability on the other.


What This Means for Windows Users

The Grandoreiro campaign is a direct and active threat to Windows users right now. Its use of DLL side-loading, WebRTC-based communications and anti-analysis checks means it is specifically engineered to bypass the kind of signature-based detection that most standard antivirus tools rely on.

Protecting against threats like this requires a fundamentally different approach — one that monitors the behaviour of every process running on a Windows system in real time, rather than simply checking incoming files against a database of known threats.

When a DLL side-loads malicious code inside a trusted process, a signature scanner sees a trusted process. A behaviour-based detection engine sees a process doing something it should not be doing.

That distinction is what separates reactive security from proactive protection.

At Actipace, our Windows-exclusive security platform is built around exactly this principle. We monitor behaviour at the process level — in real time — so that even when malware successfully disguises its entry point, it cannot disguise what it does once it is running. That layer of proactive, behaviour-based protection is what catches the threats that signature databases miss.

Because in 2026, the most dangerous malware is the kind that looks completely legitimate — right up until the moment it empties your account.


Key Takeaways

The Grandoreiro and BTMOB RAT campaigns are a clear reminder of three things that every Windows user and organisation should understand in 2026.

First, banking malware is not slowing down — it is actively evolving to bypass modern defences. Grandoreiro has survived nearly a decade of law enforcement action by continuously adapting its techniques.

Second, surface-level defences are no longer sufficient. Campaigns that use DLL side-loading, WebRTC traffic and cloud service abuse are specifically designed to be invisible to signature-based detection.

Third, the barrier to entry for sophisticated attacks is dropping. BTMOB RAT’s malware-as-a-service model means that anyone can now launch a professionally built banking trojan campaign — no coding required.

The most effective response to all three of these realities is the same — proactive, behaviour-based protection that operates at the Windows endpoint level, monitoring what processes actually do rather than what they appear to be.


Stay informed. Stay protected. – Actipace Security


About Actipace

Actipace is India’s Windows-exclusive antivirus software, built on the world’s first technology that ensures malware cannot encrypt, delete or damage your data. Available in Basic Defense, Internet Security and Total Security plans.

Try FREE for 30 days at www.actipace.com
