BTMOB RAT Spreads Across Brazil, LatAm via MaaS Model
Dark ReadingArchived May 28, 2026✓ Full text saved
An advanced remote access Trojan is propagating online. Notably, it's delivered via an operator licensing model and features a no-code malware-development interface.
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBERATTACKS & DATA BREACHES
ENDPOINT SECURITY
MOBILE SECURITY
REMOTE WORKFORCE
NEWS
BTMOB RAT Spreads Across Brazil, LatAm via MaaS Model
An advanced remote access Trojan is propagating online. Notably, it's delivered via an operator licensing model and features a no-code malware-development interface.
Elizabeth Montalbano,Contributing Writer
May 28, 2026
4 Min Read
SOURCE: RAFAPRESS VIA SHUTTERSTOCK
An emerging Android remote access Trojan (RAT) that offers would-be attackers a no-code interface for building malicious banking apps has resurfaced. This time, it's using a malware-as-a-service (MaaS) model that lowers the barrier to entry for cybercriminals to achieve full mobile device takeover with little expert knowledge.
The RAT — dubbed BTMOB and first described by researchers at Cyble last year as an offshoot of SpySolr malware — is notable for its potential to do significant damage via a range of capabilities that extend beyond the usual RAT behavior, according to a ESET security researchers.
While typical banking Trojans are aimed primarily at stealing financial credentials or intercepting user transactions, BTMOB gives adversaries broader options. These include the ability to exfiltrate a range of sensitive data, capture screenshots, record activity on the device, and ultimately take remote control of it.
Related:Ransomware Actors Show Up In Person to Steal Law Firm Data
A No-Code Malicious Payload Generator
In the campaign, which targets users in Brazil and Latin America, the RAT is both commodity and payload. As a commodity, it is sold along with an APK builder interface that allows anyone to generate new payloads such as malicious Android apps, as well as adapt phishing lures for specific regions rapidly without writing any code, noted Daniel Cunha Barbosa, a security researcher for ESET, in the post.
The campaign distributes the RAT to cybercriminals through Telegram channels and other websites, and goes after victims via phishing sites impersonating streaming services, cryptocurrency platforms, and legitimate app stores.
The malware comes with a relatively inexpensive price tag of $5,000 for a lifetime license, which in the digital economy of mobile device compromise, is a relative bargain, notes Jacob Krell, senior director of secure AI solutions & cybersecurity for Suzu Labs.
"Mobile is where the economics of industrialized cybercrime meet the highest returns in the exploit market," he says, adding that Crowdfense, a well-known vulnerability research hub, currently pays up to $5 million for a single Android zero-click chain. "When the returns are that high, every improvement in mobile campaign tooling translates directly into profit," Krell says.
In addition, the MaaS model also lowers the barrier for less sophisticated adversaries, Barbosa noted, citing a Dark Web forum that in January claimed to offer BTMOB-related files for free download.
"The forum later went offline, and our search didn’t recover the payload(s), but the episode points to a familiar risk with commercial malware: access rarely stays contained forever and the tool can move into secondary markets through resale, barter, or sharing inside closed groups," Barbosa wrote.
Related:Latin American Cybercriminals Hoover Up Government Data
Social Engineering for the Cybercrime Win
In maliciious campaigns that deliver a BTMOB payload, operators send victims to phishing websites that pose as streaming services, cryptocurrency mining platforms, or other familiar online services. From there, they then nudge them toward fake app stores that mimic legitimate repositories and prompt them to install a malicious APK.
Because BTMOB allows operators to adapt lures to specific regions, it gives attackers a strong social-engineering play and unlimited geographic reach, Barbosa noted.
He cited a campaign in Argentina that spread BTMOB while impersonating Argentina's tax and customs authorities as a recent example. This, combined with the RAT's extended capabilities, gives the malware a wider reach for doing damage beyond the region in which it's currently being distributed, he said.
"The combination of phishing-led delivery, ready-made app-building tooling and device takeover capabilities makes BTMOB a threat to watch well beyond Brazil or Latin America," Barbosa wrote.
Related:Processes & Culture Top Reasons Behind Data Breaches
Once installed, BTMOB seeks extensive access to the device by abusing Android Accessibility Services to gain elevated permissions and granting itself further system access and control over the device without additional user interaction.
Defending Mobiles Device From Malware
Mobile malware remains a significant threat to both enterprise and personal users alike, and ESET recommended a few basic tips to keep users safe from BTMOB and the range of other Android-based malware making the rounds.
One basic best practice is to only download apps from the official Google Play Store and its repositories, and beware of fakes impersonating Google's mobile app marketplace. Enterprises also should make this a mandate across their employee base, Barbosa noted.
Basic phishing security hygiene applies as well, such as treating unsolicited links delivered via email, messaging apps, social media, and targeted advertisements with suspicion and not clicking on anything that even remotely seems like a scam, he said.
Finally, both individuals and organizations "should use mobile security solutions and treat mobile devices with the same rigor as other machines and environments," Barbosa wrote. For enterprise defenders, he included indicators of compromise in the post to help security administrators identify signs of compromise on a network.
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Credential Security: Intelligence Without Exposure
More Webinars
You May Also Like
CYBERATTACKS & DATA BREACHES
Critical Fortinet Flaws Under Active Attack
by Jai Vijayan, Contributing Writer
DEC 17, 2025
CYBERATTACKS & DATA BREACHES
CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks
by Rob Wright
DEC 04, 2025
CYBERATTACKS & DATA BREACHES
F5 BIG-IP Environment Breached by Nation-State Actor
by Alexander Culafi
OCT 15, 2025
CYBERATTACKS & DATA BREACHES
Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business
by Robert Lemos, Contributing Writer
OCT 03, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS