CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 27, 2026

Hackers Use Grandoreiro Malware to Target Portuguese Banks and Latin American Companies

Cybersecurity News Archived May 27, 2026 ✓ Full text saved

A banking trojan that has been quietly operating since 2016 is making headlines again. Grandoreiro, one of the most widespread banking malware strains globally, has resurfaced with fresh campaigns targeting Portuguese banks and companies across Spain, Mexico, and Latin America. The attacks are sophisticated, well-organized, and show no sign of slowing down. Grandoreiro has survived […] The post Hackers Use Grandoreiro Malware to Target Portuguese Banks and Latin American Companies appeared first

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Hackers Use Grandoreiro Malware to Target Portuguese Banks and Latin American Companies By Tushar Subhra Dutta May 27, 2026 A banking trojan that has been quietly operating since 2016 is making headlines again. Grandoreiro, one of the most widespread banking malware strains globally, has resurfaced with fresh campaigns targeting Portuguese banks and companies across Spain, Mexico, and Latin America. The attacks are sophisticated, well-organized, and show no sign of slowing down. Grandoreiro has survived years of law enforcement pressure. Despite joint operations between INTERPOL and local agencies that led to arrests in Spain, Brazil, and Argentina in 2021 and 2024, only part of the criminal gang was taken down. The rest kept going, and their latest activity proves that this threat is far from over. Researchers at WatchGuard said in a report shared with Cyber Security News (CSN) that their telemetry detected two active Grandoreiro campaigns, one using a technique called DLL Side-Loading and another using a malicious VBS script to deliver the malware. Both campaigns rely on phishing as the entry point, tricking victims into clicking links that eventually drop the malware onto their machines. The campaigns are notable not just for what they target, but for how they operate. The attackers are using cloud platforms like Google Cloud, Microsoft Azure, and Amazon to blend malicious traffic into everyday network activity. Since the web conferencing traffic is common and often goes unmonitored, hiding inside it gives the attackers a strong advantage. The impact extends well beyond individual victims. With hardcoded references to more than 20 banks in Portugal, including Caixa Geral de Depositos, Millennium, Novobanco, and Santander, as well as services like Revolut and Wise, the scope of potential damage is wide. Businesses and banking customers across multiple countries face real financial risk. Hackers Use Grandoreiro Malware The first campaign uses a technique known as DLL Side-Loading, where four malicious DLL files, libwebp.dll, mingw10.dll, libffi-6.dll, and libpng15.dll, are disguised as legitimate software components. These files were built using Delphi 11 and contain SGC WebSockets components linked to WebRTC, a widely trusted real-time communication protocol. The idea is straightforward: malicious traffic that looks like normal video call data becomes much harder to detect. Information of the analyzed artifact (Source – WatchGuard) Each malicious DLL connects to a different cloud provider. One uses Google Cloud Pub/Sub, another uses Microsoft Azure with MQTT protocol, and a third connects to Amazon also via MQTT. The malware is delivered through phishing links that redirect victims to Dropbox, where a ZIP file containing the malicious DLL is downloaded. This misuse of trusted platforms is deliberate and makes detection especially difficult. The use of Google Cloud in mingw10.dll and Azure in libwebp.dll (Source – WatchGuard) The code also includes aggressive anti-analysis features. The malware checks for debugging tools, virtual environments, and installed security software before it fully executes. The use of anti-debugging techniques (Source – WatchGuard) It looks for specific computer names and directory paths commonly used by analysts, and it can force the browser into Kiosk Mode, locking the screen to a single fullscreen window. Strings written in Chinese were also found embedded in the code. Malicious VBS and Geofenced Delivery The second campaign takes a different but equally deceptive approach. Victims are directed to a fake web page hosted on Contabo servers, geofenced to show only to users in targeted regions. The page links to a file on Mediafire, which, once downloaded, runs a heavily obfuscated VBS script that installs the malware on the victim’s machine. Executable file created by the malicious obfuscated VBS script (Source – WatchGuard) Once the malware runs, it displays a fake Adobe Reader update message to keep the victim distracted while it performs checks in the background. It queries the victim’s location using a public IP lookup service, verifies the machine is not a research environment, and then proceeds to steal credentials, log keystrokes, monitor the clipboard, and display fake banking overlays to capture login details. The use of WMI in VBS to check antivirus products (Source – WatchGuard) WatchGuard researchers recommend that organizations move beyond basic email security and endpoint tools. Layered visibility, behavioral detection, and continuous monitoring across users, devices, and cloud infrastructure are essential to catching these attacks early. Banking trojans like Grandoreiro are getting better at blending in, and surface-level defenses alone will not be enough to stop them. Indicators of Compromise (IoCs):- Type Indicator Description Domain uniaodownloadcnk[.]online Phishing delivery domain created February 2026; used to host malicious ZIP files Domain vmi<7-digit-number>[.]contaboserver[.]net Contabo VPS infrastructure abused for malicious link delivery and geofenced fake pages Domain <random-name>.byethost<num>.com C2 infrastructure pattern used by Grandoreiro operators Domain dropbox[.]com / dropboxusercontent[.]com Legitimate service abused to host and deliver malicious ZIP files Domain mediafire[.]com Legitimate service abused to host malicious VBS payload IP Address 162[.]33[.]177[.]150 Grandoreiro C2 server URL hxxp://ip-api[.]com/json Geolocation lookup used by malware to verify victim location before execution File Name libwebp.dll Malicious DLL used in DLL Side-Loading with FastStone Image Viewer File Name mingw10.dll Malicious DLL used in DLL Side-Loading with MinGW compiler suite File Name libffi-6.dll Malicious DLL used in DLL Side-Loading with FreeMat File Name libpng15.dll Malicious DLL used in DLL Side-Loading with AbiWord Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints China-Linked Hackers Target Southeast Asian Edge Routers With Custom Linux Implant Windows Server 2016 Domain Controller May Fail with 15-Character Hostname Hackers Can Weaponize Lenovo Driver to Terminate EDR Processes Indian Student Data Weaponized for Phishing, Social Engineering, and Financial Fraud Latest News Cyber Security News Hackers Use Fake ChatGPT and Claude Installers to Deploy DinDoor Backdoor Cyber Security News Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor ANY.RUN How Top CISOs Increase Risk Visibility for Zero Critical Incidents  Cyber Security News Hackers Abuse AI Chatbot Recommendations to Push Malicious Software Download Links Cyber Security Motorola Phones Preinstalled App Found Hijacking Amazon App to Inject Affiliate Codes
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 27, 2026
    Archived
    May 27, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗