HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Banking Trojans Grandoreiro and BTMOB RAT Target Windows and Android Users in Spain, Portugal, Mexico, and Brazil

WatchGuard and ESET report coordinated Grandoreiro (Windows) and BTMOB (Android) campaigns aimed at stealing banking credentials from enterprises in Spain, Portugal, Mexico and mobile users in Brazil, raising third‑party risk for multinational firms.

LiveThreat™ Intelligence · 📅 May 27, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
thehackernews.com

Banking Trojans Grandoreiro (Windows) and BTMOB RAT (Android) Target Companies in Spain, Portugal, Mexico and Mobile Users in Brazil

What Happened – Threat researchers at WatchGuard and ESET uncovered two coordinated banking‑trojan campaigns. The Grandoreiro malware is being delivered to Windows workstations, while the BTMOB remote‑access trojan is targeting Android smartphones. Both families are aimed at stealing banking credentials and facilitating fraudulent transactions.

Why It Matters for TPRM

  • Financial‑focused malware on corporate endpoints can lead to credential theft, unauthorized fund transfers, and reputational damage.
  • Android‑based RATs expand the attack surface to employee mobile devices, often used for remote work or BYOD programs.
  • The campaigns focus on organizations operating in Spain, Portugal, Mexico and on consumers in Brazil, highlighting a regional supply‑chain risk for multinational vendors.

Who Is Affected – Financial services firms, multinational corporations with offices in the listed countries, and any enterprise that permits Android devices for business use.

Recommended Actions

  • Review third‑party vendor security assessments for any partners located in the affected regions.
  • Enforce multi‑factor authentication for banking and financial applications on both desktop and mobile platforms.
  • Deploy endpoint detection and response (EDR) solutions capable of detecting Grandoreiro and BTMOB signatures.
  • Conduct phishing awareness training and enforce strict app‑installation policies on Android devices.

Technical Notes – The campaigns use phishing emails and malicious app downloads to deliver the payloads. Grandoreiro leverages known banking‑trojan techniques such as web‑injects and credential harvesting. BTMOB RAT provides full remote control of infected Android devices, enabling data exfiltration and SMS‑based fraud. No specific CVEs were cited. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/grandoreiro-malware-and-btmob-rat.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →