Banking Trojans Grandoreiro and BTMOB Target Latin America and Europe
Two distinct banking trojan campaigns are actively targeting users in Latin America and Europe. **Grandoreiro** is focusing on Windows devices, while **BTMOB** is setting its sights on Android, employing sophisticated techniques to steal credentials and gain control of infected systems.

**WatchGuard** and **ESET** have uncovered active campaigns leveraging the Grandoreiro banking trojan to target companies in Spain, Portugal, and Mexico, and the BTMOB Android RAT against mobile users in Brazil.
### Grandoreiro: DLL Side-Loading and WebRTC Obfuscation
Grandoreiro, a banking malware family active since 2016, is now being delivered through DLL side-loading, abusing multiple legitimate software packages to target banks in Portugal. According to WatchGuard researcher Euler Neto, the malware is constantly evolving and is capable of stealing credentials for thousands of financial institutions across 45 countries. Distribution typically occurs via phishing emails containing malicious links.
Despite previous disruption attempts, Grandoreiro has expanded its targeting footprint and implemented CAPTCHA checks to evade analysis. The latest campaign utilizes DLL side-loading to launch DLLs developed in Delphi 11. Two DLLs, `mingwm10.dll` and `libwebp.dll`, incorporate `sgcWebSockets`, a WebSocket and real-time communication library for P2P and WebRTC communications.
WatchGuard notes that the DLLs use the Session Traversal Utilities for NAT (STUN) protocol, enabling peer-to-peer communication. Because STUN is ordinary web-conferencing traffic, it helps the threat actors hide their malicious activity inside connections many networks already trust.
Other DLLs associated with the campaign (`libffi-6.dll` and `libpng15.dll`) use the Interactive Connectivity Establishment (ICE) protocol to achieve the same goal. These files specifically target banks and financial institutions operating in Portugal, including **Abanca**, **Banco de Portugal**, **BBVA PT**, **Caixa Geral de Depósitos**, and **Santander**, as well as **Revolut** and **Wise**.
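The combination described above (a watched DLL side-loaded from a user-writable directory by a process that then emits STUN binding requests) is something a defender can correlate in endpoint telemetry. The following is an added detection example, not code from WatchGuard or the campaign; the event fields, the "signed" flag, and the sample telemetry are constructed assumptions, while the DLL names and the STUN header constants (RFC 5389 magic cookie, Binding Request type) are real.

```python
import struct
from pathlib import PureWindowsPath

# DLL names the WatchGuard write-up ties to the side-loading campaign.
WATCHED_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}
# Roots where these libraries would normally live when legitimately installed (assumption).
TRUSTED_ROOTS = ("c:\\windows\\system32", "c:\\program files", "c:\\program files (x86)")
STUN_MAGIC_COOKIE = 0x2112A442   # RFC 5389, bytes 4..8 of every STUN header
STUN_BINDING_REQUEST = 0x0001    # message type for a Binding Request

def is_sideload_candidate(event: dict) -> bool:
    """Image-load event for a watched DLL that is not both in a trusted root and signed."""
    path = PureWindowsPath(event["image_loaded"])
    if path.name.lower() not in WATCHED_DLLS:
        return False
    in_trusted = str(path).lower().startswith(TRUSTED_ROOTS)
    return not (in_trusted and event.get("signed", False))

def is_stun_binding_request(payload: bytes) -> bool:
    """STUN header: 2-byte type, 2-byte body length, 4-byte magic cookie, 12-byte transaction id."""
    if len(payload) < 20:
        return False
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    return cookie == STUN_MAGIC_COOKIE and msg_type == STUN_BINDING_REQUEST and msg_len == len(payload) - 20

def correlate(image_loads, udp_sends):
    """Return sorted pids that both side-loaded a watched DLL and sent STUN Binding Requests."""
    sideloaders = {e["pid"] for e in image_loads if is_sideload_candidate(e)}
    stun_pids = {s["pid"] for s in udp_sends if is_stun_binding_request(s["payload"])}
    return sorted(sideloaders & stun_pids)

# Constructed sample telemetry (hypothetical, not taken from the campaign).
SAMPLE_IMAGE_LOADS = [
    {"pid": 4120, "image_loaded": r"C:\Users\victim\AppData\Local\Temp\upd\libwebp.dll", "signed": False},
    {"pid": 880, "image_loaded": r"C:\Program Files\Meet\libwebp.dll", "signed": True},
    {"pid": 880, "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]
SAMPLE_UDP = [
    {"pid": 4120, "payload": bytes.fromhex("000100002112a442") + b"\x00" * 12},  # STUN Binding Request
    {"pid": 880, "payload": bytes.fromhex("000100002112a442") + b"\x00" * 12},   # legitimate conferencing app
    {"pid": 4120, "payload": b"GET / HTTP/1.1\r\n\r\n"},                          # not STUN
]

if __name__ == "__main__":
    print(correlate(SAMPLE_IMAGE_LOADS, SAMPLE_UDP))
```

Only the process that loaded the watched DLL from a temp directory is reported; the signed copy under Program Files sending the same STUN traffic is not.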
WatchGuard also identified another Grandoreiro campaign using phishing emails to deliver a ZIP archive hosted on Mediafire. This archive contains an obfuscated Visual Basic Script that launches an executable, prompting users to update **Adobe Reader**. This triggers a series of checks to avoid detection before deploying the final payload to steal banking information. These tactics align with a previous Grandoreiro campaign detailed by **Kaspersky** in October 2024.
"The bigger story here is not just that Grandoreiro is still active," WatchGuard said. "It is that financially motivated threat groups continue to adapt quickly, reuse legitimate services, and hide inside traffic patterns that many organizations may already trust."
"By combining phishing, DLL side-loading, WebRTC-related components, cloud service abuse, and anti-analysis checks, these campaigns show how banking malware is becoming harder to spot with surface-level defenses alone."
### BTMOB: MaaS Android RAT with Ready-Made Campaign Tools

ESET's report highlights BTMOB, an Android remote access trojan (RAT) that emerged in February 2025. BTMOB's capabilities include unlocking devices, capturing screenshots, logging keystrokes, automating credential theft via HTML injections, and enabling remote control. A later version added the ability to capture Alipay PINs.
According to ESET researcher Daniel Cunha Barbosa, the RAT is sold with an APK builder interface, allowing anyone to generate new payloads and adapt phishing lures quickly and without coding knowledge.
These ready-made tools lower the barrier to entry for conducting full device compromises. The malware spreads via social engineering, with users receiving links to fake websites disguised as streaming services or cryptocurrency mining platforms. These sites redirect victims to fake **Google Play Store** app listings, tricking them into installing the malicious APK file. Once installed, the malware requests accessibility service permissions and uses them to grant itself additional system access without user interaction.
BTMOB is believed to be the successor to CraxsRAT, CypherRAT, and SpySolr. The latest version, 4.5.5 (May 2026), claims enhanced APK protection and compatibility with the latest Google Play updates.
An X profile allegedly linked to the malware stated on May 1, 2026: "This update is all about speed and stability. We've expanded our infrastructure and refined the builder to keep you ahead of the latest mobile security patches."
The Trojan is advertised by a threat actor named EVLF (@craxso) for $700 per month. A **YouTube** video shared by the malware author on May 1, 2026, prices a lifetime license at $1,200, with the complete server source code available for $7,000, allowing customers to host the command-and-control (C2) panels themselves.
As recently as this week, the X profile shared a link to a **Medium** article about "how BTMOB RAT is turning Android phones into remote-controlled weapons," noting its rapid evolution since early 2025.
"It slips in through phishing sites, grabs accessibility services, and turns your phone into a puppet," the article reads. "Hackers watch your screen live. They steal banking details. They even mine crypto in the background while you scroll Instagram."
The article was published by an account named "CraxsRAT Main developer," claiming to be a "skilled and resourceful cybercriminal who built a profitable cybercrime enterprise by selling highly advanced RAT malware to other threat actors."
The malware-as-a-service (MaaS) model of BTMOB lowers the barrier to entry for less sophisticated threat actors. Leaked versions circulating on underground forums and **Telegram** increase the risk of abuse. ESET warns that this access rarely remains contained and can move into secondary markets. Competing malware families may also copy elements that make payload customization and campaign management easier for less skilled criminals.
Italian cybersecurity company **D3Lab**, in an analysis of the leaked BTMOB RAT development toolkit published in December,