Two coordinated banking trojan campaigns have surfaced across Latin America and Southern Europe, targeting both Windows endpoints and Android mobile devices. Security researchers at WatchGuard and ESET have documented activity involving Grandoreiro and BTMOB, malware families that specialise in credential theft and unauthorised financial transactions. The campaigns focus on Spain, Portugal, Mexico, and Brazil—regions representing significant economic targets and, for attackers, increasingly accessible infrastructure.
The Dual-Platform Threat Landscape
What distinguishes these campaigns is their coordinated, cross-platform approach. Grandoreiro operates primarily on Windows systems, employing techniques common to banking trojans: process injection, credential harvesting, and screen capture. BTMOB, classified as a remote access trojan (RAT), targets Android devices with the same objectives but through mobile-specific attack vectors.
The geographic concentration is telling. Spain and Portugal represent developed financial markets with established banking infrastructure; Mexico and Brazil offer both substantial banking populations and, historically, less mature endpoint security adoption in certain sectors. Attackers recognise that successful credential theft in these regions can yield rapid monetisation through account takeover or wire fraud.
For infrastructure operators—particularly those running shared hosting, reseller platforms, or VPS services used by small businesses and individuals in these regions—understanding the infection chains matters. If clients' machines become compromised, attackers often use hosting infrastructure to stage additional payloads, exfiltrate credentials, or maintain command-and-control (C2) channels.
Infection Vectors and Infrastructure Implications
Banking trojans typically arrive via phishing campaigns, malicious downloads, or drive-by exploitation. Once resident on a system, they establish persistence and may beacon outbound to attacker-controlled servers. Some variants use hosting providers' own infrastructure—rented VPS, compromised shared hosting accounts, or domain registrations—to host C2 panels or stage secondary payloads.
Operators monitoring traffic from client systems should watch for unusual outbound connections to unfamiliar IP ranges, especially those in bulletproof hosting jurisdictions or known malware distribution networks. Sustained HTTP POST traffic or TLS sessions to uncommon ports, repeated DNS queries for newly registered domains, or unusually large outbound transfers to a single destination can all indicate compromise. None of these indicators is conclusive on its own; they are most useful when correlated per source host and enriched with domain age and reputation data.
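The following script is an added illustration of the indicators just listed, not tooling from WatchGuard, ESET, or any hosting provider. It runs three checks over constructed flow and DNS log lines: repeated POSTs to a port outside the usual web set, repeated queries for a domain registered within the last 30 days, and outbound volume to one destination above a fixed threshold. The log format, the thresholds, the "today" date, and the domain registration table (standing in for a WHOIS or passive-DNS feed) are all assumptions for the example.

```python
"""Flag network indicators of banking-trojan activity in constructed flow and DNS logs.

Added illustration for this article, not tooling from WatchGuard or ESET.
Log format, thresholds, reference date and the domain-age table are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample logs (not captured from any real infection).
# Flow line: ts src dst dport proto method bytes_out bytes_in
FLOW_LOG = """\
2024-05-01T10:00:01 10.0.0.5 203.0.113.10 8089 tcp POST 1200 300
2024-05-01T10:00:31 10.0.0.5 203.0.113.10 8089 tcp POST 1300 280
2024-05-01T10:01:02 10.0.0.5 203.0.113.10 8089 tcp POST 1250 310
2024-05-01T10:01:33 10.0.0.5 203.0.113.10 8089 tcp POST 1100 290
2024-05-01T10:02:00 10.0.0.5 198.51.100.7 443 tcp POST 52000000 4000
2024-05-01T10:02:10 10.0.0.9 93.184.216.34 443 tcp GET 900 45000
2024-05-01T10:02:20 10.0.0.9 93.184.216.34 443 tcp POST 700 1200
"""
# DNS line: ts src qname
DNS_LOG = """\
2024-05-01T09:59:50 10.0.0.5 update-seguro-banco.example
2024-05-01T10:00:20 10.0.0.5 update-seguro-banco.example
2024-05-01T10:00:50 10.0.0.5 update-seguro-banco.example
2024-05-01T10:01:20 10.0.0.9 www.example.org
"""
# Hypothetical registration dates, as a WHOIS or passive-DNS feed would supply.
DOMAIN_REGISTERED = {
    "update-seguro-banco.example": date(2024, 4, 25),
    "www.example.org": date(1995, 8, 14),
}

# Thresholds are assumptions for the example; tune them to the environment.
COMMON_PORTS = {80, 443, 8080, 8443}
MIN_POSTS_TO_UNCOMMON_PORT = 3
MIN_QUERIES_TO_NEW_DOMAIN = 3
NEW_DOMAIN_MAX_AGE_DAYS = 30
EXFIL_BYTES_OUT = 10 * 1024 * 1024  # 10 MiB to a single destination
TODAY = date(2024, 5, 1)             # reference date for domain age


@dataclass(frozen=True)
class Finding:
    kind: str
    src: str
    target: str
    detail: str


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto, method, out, inn = line.split()
        flows.append((ts, src, dst, int(dport), proto, method, int(out), int(inn)))
    return flows


def parse_dns(text):
    return [tuple(line.split()) for line in text.splitlines()]


def find_beaconing_posts(flows):
    """Repeated POSTs from one host to one non-standard port suggest a C2 check-in."""
    counts = Counter((src, dst, dport) for _, src, dst, dport, _, method, _, _ in flows
                     if method == "POST" and dport not in COMMON_PORTS)
    return [Finding("post_uncommon_port", src, f"{dst}:{dport}", f"{n} POSTs")
            for (src, dst, dport), n in counts.items() if n >= MIN_POSTS_TO_UNCOMMON_PORT]


def find_new_domain_queries(dns, registered, today=TODAY):
    """Repeated lookups of a recently registered domain; unknown age is skipped, not flagged."""
    counts = Counter((src, qname) for _, src, qname in dns)
    findings = []
    for (src, qname), n in counts.items():
        reg = registered.get(qname)
        if reg is None:
            continue  # no age data: leave for later enrichment rather than guess
        age = (today - reg).days
        if age <= NEW_DOMAIN_MAX_AGE_DAYS and n >= MIN_QUERIES_TO_NEW_DOMAIN:
            findings.append(Finding("new_domain_queries", src, qname,
                                    f"{n} queries, registered {age} days ago"))
    return findings


def find_exfil(flows):
    """Total outbound bytes per (src, dst) pair above the threshold."""
    totals = defaultdict(int)
    for _, src, dst, _, _, _, out, _ in flows:
        totals[(src, dst)] += out
    return [Finding("large_outbound", src, dst, f"{total} bytes out")
            for (src, dst), total in totals.items() if total >= EXFIL_BYTES_OUT]


def analyse(flow_text=FLOW_LOG, dns_text=DNS_LOG, registered=DOMAIN_REGISTERED):
    flows = parse_flows(flow_text)
    dns = parse_dns(dns_text)
    return find_beaconing_posts(flows) + find_new_domain_queries(dns, registered) + find_exfil(flows)


if __name__ == "__main__":
    for f in analyse():
        print(f"{f.kind:20} {f.src} -> {f.target}: {f.detail}")
```

On the constructed sample every finding points at 10.0.0.5, which is the point of grouping by source host: one beaconing pattern, one young domain and one large transfer from the same client are far stronger together than any of them alone, and a domain with no registration data is deliberately left unflagged rather than treated as new.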
The use of remote access trojans like BTMOB adds another layer of concern. Once a RAT gains a foothold on a mobile device, it can harvest two-factor authentication codes, intercept SMS messages, or redirect banking traffic through a proxy, bypassing controls that assume the second factor lives on a clean device. If users access banking applications from devices connected to a company network, the threat perimeter expands significantly.
Detection and Response Considerations
According to reporting from security researchers at WatchGuard and ESET, both malware families employ obfuscation and anti-analysis techniques, making signature-based detection alone insufficient. Behavioural monitoring—watching for credential access attempts, registry modifications, and network connections to suspicious domains—offers better coverage.
For hosting providers, the priority is defensive: implement robust egress filtering to block outbound connections to known malware C2 infrastructure, monitor for abuse patterns typical of compromised accounts (sudden spikes in CPU usage, outbound traffic, or process creation), and maintain updated threat intelligence feeds. Educate clients about the regional nature of these campaigns and recommend endpoint detection and response (EDR) solutions suitable for their threat model.
Mobile security is often the weaker link. Most individuals and small businesses lack MDM (mobile device management) solutions. Advising clients to keep the "install unknown apps" permission disabled for browsers and messaging apps, avoid sideloaded APKs, and install only from official app stores costs nothing and significantly reduces BTMOB infection risk, since a RAT delivered by phishing still has to be installed by the user.
Broader Regional Context
Latin America has emerged as a preferred theatre for banking trojan operators, partly because regional banking systems sometimes rely on legacy authentication mechanisms and because the region's mix of developed and developing infrastructure creates inconsistent security postures. Portugal and Spain, whilst EU members with stronger regulatory oversight, still see targeted campaigns—often because attackers focus on specific verticals (small business banking, corporate treasury systems) rather than mass consumer infection.
The convergence of Windows and Android-targeted malware in the same campaign suggests sophisticated threat actors willing to invest in multi-platform development. This is not opportunistic malware-as-a-service noise; it's coordinated, region-specific banking fraud infrastructure.
For operators serving customers in these regions, staying informed about threat actor tactics and maintaining basic hygiene around C2 infrastructure sinkholing and abuse reporting remains essential. The threat is real, but visibility and rapid response can significantly reduce impact.
