WatchGuard and ESET reveal that the Grandoreiro banking trojan is using DLL side‑loading and WebRTC traffic to hit banks in Portugal, Spain and Mexico, while the BTMOB Android RAT is being sold as a malware‑as‑a‑service kit that lets anyone build custom payloads for phishing campaigns in Brazil and beyond.
A new wave of financially motivated malware hits both desktops and phones
WatchGuard and ESET have uncovered two active campaigns that illustrate how quickly threat actors can repurpose legitimate technologies to evade detection. The Grandoreiro banking trojan is now targeting Windows users in Spain, Portugal and Mexico with sophisticated DLL side‑loading, while the BTMOB remote‑access trojan is being marketed as a turnkey Android RAT that lets even low‑skill criminals compromise smartphones in Brazil and other Latin‑American markets.

Grandoreiro’s evolution: DLL side‑loading meets WebRTC traffic
Grandoreiro has been on the radar since 2016, but the latest campaign shows a clear shift toward living‑off‑the‑land techniques. According to WatchGuard researcher Euler Neto, the attackers deliver malicious DLLs that are loaded by legitimate executables, a classic side‑loading method that bypasses many endpoint‑detection rules.
- Four malicious DLLs – mingwm10.dll, libwebp.dll, libffi-6.dll and libpng15.dll – are compiled with Delphi 11, a language popular among regional malware developers.
- Two of the DLLs embed sgcWebSockets, a WebSocket library that enables peer‑to‑peer (P2P) communication via the STUN protocol. The other two use ICE (Interactive Connectivity Establishment) for the same purpose.
- By routing command‑and‑control (C2) traffic through WebRTC‑based conferencing streams, the malware blends its traffic with noisy, encrypted video‑call data that most corporate firewalls treat as benign.
“Web conferencing traffic is difficult to monitor because it is encrypted and high‑volume,” says Neto. “Embedding C2 in that flow lets the trojan stay under the radar of many network‑based detections.”
The DLLs contain hard‑coded references to Portuguese banks such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos and Santander, as well as fintech services Revolut and Wise. The campaign also uses a classic phishing lure: an email with a malicious link that redirects victims to a Mediafire ZIP file. Inside, an obfuscated VBScript pretends to be an Adobe Reader update, performs a series of anti‑analysis checks, and finally drops the banking‑stealer payload.
Practical takeaways for Windows environments
- Inspect DLL loading behavior – Enable Windows Event Log auditing for LoadImage events and correlate with known legitimate parent processes.
- Monitor WebRTC traffic – Look for outbound UDP/TCP flows to ports commonly used by WebRTC (e.g., 3478 for STUN, 5349 for TURN) that originate from non‑conference applications.
- Deploy DNS‑level URL filtering – Block known malicious file‑hosting domains such as Mediafire for corporate users unless explicitly required.
- Use behavior‑based endpoint protection – Solutions that can detect anomalous DLL injection and process‑spawning patterns are essential, as signature‑based tools may miss the Delphi‑compiled binaries.
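As an added example (not code from WatchGuard or ESET), the script below applies the first two takeaways to constructed Sysmon‑style events: the four DLL names from the article loaded from a user‑writable path, and connections to the STUN/TURN ports from processes outside an assumed conference‑app allow‑list. Field names follow Sysmon Event ID 7 (image load) and Event ID 3 (network connection); the allow‑list, file paths and IP addresses are assumptions.

```python
# Added example: two detections over Sysmon-style events (Event ID 7 = image load,
# Event ID 3 = network connection). Allow-list, paths and IPs are assumed values.
import re

# DLL names reported in the Grandoreiro campaign (from the article).
SUSPECT_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}
# STUN (3478) and TURN (5349) ports named in the article.
WEBRTC_PORTS = {3478, 5349}
# Assumed, site-specific allow-list of processes expected to use STUN/TURN.
CONFERENCE_APPS = {"teams.exe", "zoom.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Directories a dropped DLL typically lands in; a legitimate install elsewhere is not flagged.
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData)\\", re.I)


def flag_image_loads(events):
    """Return (loading_image, dll_path) for suspect DLLs loaded from user-writable paths."""
    hits = []
    for e in events:
        if e["EventID"] != 7:
            continue
        dll = e["ImageLoaded"].rsplit("\\", 1)[-1].lower()
        if dll in SUSPECT_DLLS and USER_WRITABLE.search(e["ImageLoaded"]):
            hits.append((e["Image"], e["ImageLoaded"]))
    return hits


def flag_stun_flows(events):
    """Return (image, dest_ip, dest_port) for STUN/TURN traffic from non-conference processes."""
    hits = []
    for e in events:
        if e["EventID"] != 3:
            continue
        proc = e["Image"].rsplit("\\", 1)[-1].lower()
        if e["DestinationPort"] in WEBRTC_PORTS and proc not in CONFERENCE_APPS:
            hits.append((e["Image"], e["DestinationIp"], e["DestinationPort"]))
    return hits


# Constructed sample events; paths and IPs (documentation ranges) are illustrative only.
DROPPER = r"C:\Users\alice\AppData\Local\Temp\AdobeUpdate\reader.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Foo\foo.exe", "ImageLoaded": r"C:\Program Files\Foo\libpng15.dll"},
    {"EventID": 7, "Image": DROPPER, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\AdobeUpdate\libwebp.dll"},
    {"EventID": 3, "Image": r"C:\Program Files\Zoom\zoom.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 3478},
    {"EventID": 3, "Image": DROPPER, "DestinationIp": "198.51.100.7", "DestinationPort": 3478},
]

if __name__ == "__main__":
    for hit in flag_image_loads(SAMPLE_EVENTS) + flag_stun_flows(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Only the side‑loaded DLL in the temp directory and the STUN flow from the dropper are reported; the same DLL name under Program Files and Zoom's own STUN traffic pass, which keeps the rule usable in an environment that runs conferencing clients.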
BTMOB RAT: Malware‑as‑a‑Service lowers the barrier for Android attacks
ESET’s Daniel Cunha Barbosa reports that the Android RAT BTMOB has matured into a full‑fledged Malware‑as‑a‑Service (MaaS) platform. First seen in February 2025, the latest version 4.5.5 adds faster payload generation and improved evasion against recent Google Play security updates.
Key capabilities include:
- Screen capture, keylogging and accessibility‑service abuse – once installed, BTMOB requests the Accessibility permission, which grants it system‑wide UI interaction without further user prompts.
- HTML injection – the RAT can modify the DOM of banking or payment apps (e.g., Alipay, PayPal) to harvest credentials in real time.
- Remote control and crypto‑mining – operators can watch the victim’s screen live, issue touch events, and even run background mining scripts while the user scrolls Instagram.
The builder interface is a web‑based APK generator that lets a buyer select modules, set C2 endpoints and produce a signed APK in minutes, all without writing code. Pricing is aggressive: $700 per month for a hosted C2, $1,200 for a lifetime license, and $7,000 for the full source code that lets a buyer run their own infrastructure.
BTMOB spreads primarily through social‑engineering lures that masquerade as streaming services or cryptocurrency mining sites. Victims are directed to counterfeit Google Play listings that host the malicious APK. Once installed, the app silently activates the Accessibility service, granting the RAT near‑root privileges on fully patched devices.
Practical takeaways for Android security
- Restrict Accessibility permissions – Enforce a policy that only approved apps can request the Accessibility service, and audit any new requests.
- Verify app signatures – Use Play Protect or an enterprise mobile‑device‑management (MDM) solution to ensure only apps signed with your organization’s certificate can be installed.
- Educate users – Phishing simulations should include fake streaming‑service links and bogus “crypto‑miner” sites to reinforce safe browsing habits.
- Network‑level detection – Look for outbound connections to known BTMOB C2 domains (often hosted on Fastly, CloudFront or obscure VPS providers) and block them.
The bigger picture: Malware‑as‑a‑Service fuels rapid iteration
Both campaigns underscore a trend that security teams must reckon with: crime‑as‑a‑service. By packaging sophisticated techniques—DLL side‑loading, WebRTC tunneling, Android Accessibility abuse—into ready‑made kits, threat actors can launch high‑impact campaigns with minimal development effort.
“When a toolkit is sold for a few hundred dollars, the barrier to entry drops dramatically,” notes ESET. “We’re already seeing leaked versions circulating on Telegram, which means copycats can launch their own variants within days.”
The Italian firm D3Lab analyzed a December 2025 leak of the BTMOB toolkit and found a complete development environment, including the C2 backend, operator panel and all third‑party dependencies. This level of transparency is rare and gives defenders a unique opportunity to study the inner workings of a modern Android RAT ecosystem.
Immediate steps for organizations
| Area | Action |
|---|---|
| Email security | Deploy anti‑phishing gateways that sandbox links and block redirects to file‑hosting services. |
| Endpoint protection | Enable DLL load monitoring on Windows, and enforce strict app‑install policies on Android devices. |
| Network monitoring | Flag outbound STUN/ICE traffic from non‑conference apps; block known BTMOB C2 hosts. |
| User awareness | Run tabletop exercises that simulate both desktop banking‑trojan and mobile RAT scenarios. |
By tightening controls around these vectors, organizations can disrupt the low‑cost, high‑reward business model that fuels Grandoreiro and BTMOB.
Sources
- WatchGuard Labs, Grandoreiro DLL Side‑Loading Campaign – https://www.watchguard.com/labs/research/grandoreiro
- ESET Research, BTMOB Android RAT – Malware‑as‑a‑Service – https://www.eset.com/int/about/newsroom/press-releases/btmob-rat
- D3Lab, Inside the BTMOB Toolkit Leak – https://github.com/d3lab/btmob-analysis
Stay ahead of evolving financial‑malware threats by regularly reviewing your detection rules, reinforcing user education, and monitoring for anomalous network traffic.
