Two distinct malware families—Grandoreiro and BTMOB—are actively targeting users and organisations across Latin America and Europe, according to research from WatchGuard and ESET. The campaigns illustrate a persistent problem for infrastructure operators: the need to understand threat landscapes that vary significantly by geography and device type.

Geographical Distribution and Target Profile

Grandoreiro, a banking trojan with roots in older banking malware lineages, has been observed circulating in Spain, Portugal, and Mexico. BTMOB, classified as a remote access trojan (RAT), is primarily targeting mobile users in Brazil. This segmentation by region and platform reflects a deliberate operational strategy by threat actors, who appear to be tailoring deployment vectors to local infrastructure patterns and user behaviour.

The focus on Spain, Portugal, and Brazil suggests that threat actors are prioritising regions with established banking infrastructure and high mobile adoption rates. In these markets, both traditional desktop banking workflows and mobile-first financial applications present attack surfaces worth exploiting from a criminal perspective.

Technical Characteristics and Infrastructure Implications

Grandoreiro operates as a banking trojan—malware designed to intercept financial transactions, capture credentials, and harvest sensitive information from compromised endpoints. These trojans typically rely on code injection, API hooking, or overlay techniques to sit between the user and legitimate banking applications.

BTMOB, as a RAT, offers attackers interactive remote control over infected devices, enabling credential theft, session hijacking, and lateral movement within connected networks. The distinction matters for defenders: while Grandoreiro's capabilities are narrowly focused on banking operations, BTMOB provides a broader foothold that could be leveraged for espionage or further compromise.

For infrastructure teams, the presence of these families on customer networks creates several risks. Compromised endpoints can become staging points for reconnaissance against internal systems, particularly if those devices connect to corporate VPNs or access hosted services. Organisations hosting applications in regions where these campaigns are active should assume that some fraction of their user base is connecting from infected machines.

Detection and Network-Level Defences

The research from WatchGuard and ESET provides technical indicators that infrastructure operators and security teams can integrate into detection systems. Banking trojans typically exhibit recognisable network signatures: suspicious outbound connections to command-and-control servers, unusual DNS queries, and patterns of lateral movement that differ from legitimate user behaviour.

Network operators should examine egress filtering rules and DNS security controls, particularly in regions where these campaigns are documented. Monitoring for connections to known malicious infrastructure can catch compromised devices before they exfiltrate sensitive data. Additionally, correlating user-agent strings and TLS certificate fingerprints from malware samples can help identify infected clients attempting to access legitimate banking or corporate systems.
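As an added illustration of the correlation this section describes (example code, not from the WatchGuard or ESET research), the following Python script matches egress proxy records against a watchlist of C2 addresses, domains, User-Agent strings and TLS client fingerprints, and separately flags destinations outside an egress allowlist. All indicator values, hostnames and log records are constructed placeholders.

```python
# Correlation of egress/DNS proxy records with a watchlist of the indicator
# types named in the text. Every indicator value here is a constructed
# placeholder, not a real Grandoreiro or BTMOB IoC.
import json

# Constructed watchlist; in practice populate from the vendor research feeds.
WATCHLIST = {
    "c2_ips": {"203.0.113.77"},                         # TEST-NET-3 range
    "c2_domains": {"c2-placeholder.example"},
    "user_agents": {"Mozilla/4.0 (compatible; PLACEHOLDER-UA)"},
    "tls_fingerprints": {"ja3-PLACEHOLDER-0000"},
}
# Destinations the egress policy permits; everything else gets reviewed.
EGRESS_ALLOWLIST = {"bank.example", "intranet.example"}

def evaluate(record: dict) -> list:
    """Return (source, reason, value) hits for one parsed log record."""
    src, host = record["src"], record.get("host", "")
    checks = [
        ("known_c2_ip", record.get("dst_ip"), WATCHLIST["c2_ips"]),
        ("known_c2_domain", host, WATCHLIST["c2_domains"]),
        ("malware_user_agent", record.get("user_agent"), WATCHLIST["user_agents"]),
        ("malware_tls_fingerprint", record.get("ja3"), WATCHLIST["tls_fingerprints"]),
    ]
    hits = [(src, reason, value) for reason, value, bad in checks if value in bad]
    # A destination outside the allowlist is an egress policy finding even
    # when no indicator matched; this is what surfaces infrastructure that
    # no feed lists yet.
    if host and host not in EGRESS_ALLOWLIST and not hits:
        hits.append((src, "egress_not_allowlisted", host))
    return hits

def scan(lines) -> list:
    """Parse one JSON record per line and collect every hit."""
    return [hit for line in lines if line.strip()
            for hit in evaluate(json.loads(line))]

# Constructed sample records: one clean, one matching all four indicator
# types, one reaching an unapproved destination.
SAMPLE_LOG = """
{"src":"10.0.0.5","dst_ip":"198.51.100.10","host":"bank.example","user_agent":"Mozilla/5.0","ja3":"ja3-normal"}
{"src":"10.0.0.9","dst_ip":"203.0.113.77","host":"c2-placeholder.example","user_agent":"Mozilla/4.0 (compatible; PLACEHOLDER-UA)","ja3":"ja3-PLACEHOLDER-0000"}
{"src":"10.0.0.12","dst_ip":"198.51.100.44","host":"updates.unknown.example","user_agent":"Mozilla/5.0","ja3":"ja3-normal"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Indicator matches and allowlist findings are reported separately so that analysts can triage confirmed hits before reviewing unapproved destinations.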

For organisations running infrastructure in offshore jurisdictions—where data residency and privacy concerns often drive the choice of hosting provider—the regional nature of these campaigns underscores the importance of robust network monitoring and isolation between customer environments.

Incident Response and Containment

If banking trojans or RATs are detected on customer systems, the response protocol must balance speed with precision. Quick isolation prevents lateral movement, but premature takedown can destroy forensic evidence. Infrastructure teams supporting affected organisations should prepare incident response playbooks that account for the specific behaviour of Grandoreiro and BTMOB—including how they maintain persistence and attempt to evade detection.

According to analysis from security researchers, both families demonstrate moderate anti-analysis capabilities, meaning that sandboxing and behavioural analysis can still yield reliable indicators. This knowledge allows defenders to focus resources effectively.

Closing Thought

These campaigns reflect the reality that malware threats are increasingly regional and targeted rather than broadly opportunistic. For infrastructure operators serving customers in Latin America and Europe, understanding the specific threat landscape—not just generic malware statistics—is essential for building appropriate detection and containment strategies. Organisations hosting systems for users in affected regions should treat this intelligence as actionable input for network hardening and endpoint monitoring policies.