The notorious Grandoreiro banking trojan has resurfaced in a new wave of phishing attacks, now hitting users across Latin America and Europe, according to fresh intelligence from cybersecurity firm Forcepoint.
Originally surfacing in Brazil around 2016, Grandoreiro stayed local in its early years. However, it expanded its reach roughly five years ago, launching attacks in Mexico, Portugal, and Spain. Now, it’s clear the trojan has gone global—and it’s evolving fast.
Despite takedown efforts in 2021 and again in 2024, and the arrest of several threat actors linked to it, Grandoreiro appears to be thriving. Operating under a malware-as-a-service (MaaS) model and believed to be part of the Tetrade threat group, the trojan is proving tough to kill.
Grandoreiro’s Global Footprint Keeps Growing
Earlier in 2024, researchers tracked Grandoreiro targeting over 1,500 banking platforms across more than 60 countries. Using lures that impersonated official entities in Argentina, Mexico, and South Africa, the trojan's operators tricked unsuspecting victims into handing over sensitive information.
By late 2024, the threat had escalated. Grandoreiro had added Asia to its hit list, extended its scope to 1,700 banking institutions and 276 crypto wallets, and cemented its status as a global cybercrime menace.
New Tactics: Tax-Themed Phishing Campaigns Abuse Cloud Hosting
Forcepoint’s latest findings highlight a worrying new trend. In the newest phishing campaigns, Grandoreiro is masquerading as national tax agencies to trick users in Argentina, Mexico, and Spain. These emails contain malicious links pointing to the German-based hosting provider Contabo.
To evade detection, the attackers combine obfuscated Visual Basic scripts with Delphi-based executables disguised as legitimate files. Victims often receive encrypted or password-protected ZIP archives; because a mail gateway cannot inspect the contents of a password-protected archive without the password, this adds another layer of evasion.
Emails Leverage Trusted Cloud Services to Spread Malware
The phishing emails look like tax penalty notices and carry the lure as a PDF attachment. When opened, they fetch the trojan payload from the file-sharing platform Mediafire. The campaign's infrastructure is hosted on OVHcloud; traffic to well-known cloud providers and file-sharing services blends in with legitimate activity and is rarely blocked outright, which gives the phishing attempts an air of legitimacy.
Once the payload is launched, Grandoreiro goes to work. It harvests login credentials, hunts for Bitcoin wallet directories, and establishes communication with a command-and-control (C2) server. The attackers rotate subdomains under the "contaboserver[.]net" infrastructure frequently to stay under the radar, so blocklists keyed on individual hostnames fall behind quickly; matching on the registered domain holds up better.
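As an added example (not Forcepoint's code or tooling, and not taken from the original report), the detection logic a mail-gateway or SIEM rule would need for the indicators described above: it normalizes defanged URLs, matches on the registered domain so that rotated subdomains under contaboserver[.]net all hit the same rule, and checks ZIP attachments for the encryption flag behind the password-protected-archive evasion mentioned earlier. The log lines and sender domains are constructed for the example, the sample ZIP fixture is built inline, and the domain-collapsing helper assumes two-label registrable domains.

```python
import io
import re
import struct
import zipfile
from urllib.parse import urlparse

# Indicators taken from the campaign description: rotating subdomains under
# contaboserver[.]net and payload staging on Mediafire. Mediafire is a
# legitimate service, so a hit there is an alert to triage, not a verdict.
WATCHED_DOMAINS = {"contaboserver.net", "mediafire.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo the usual defanging ('hxxp', '[.]') so indicators and log lines
    can be compared in one normalized form."""
    return text.replace("[.]", ".").replace("hxxp", "http").replace("HXXP", "HTTP")


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels so that rotating subdomains
    (k7x2.contaboserver.net, q91.contaboserver.net, ...) all map to the same
    indicator. Simplifying assumption: a two-label registrable domain, which
    holds for .net/.com but not for suffixes such as co.uk; use a public
    suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def flag_urls(text: str) -> list[str]:
    """Return every URL in `text` whose registered domain is on the watchlist."""
    hits = []
    for url in URL_RE.findall(refang(text)):
        host = urlparse(url).hostname or ""
        if registered_domain(host) in WATCHED_DOMAINS:
            hits.append(url)
    return hits


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has the encryption bit (bit 0 of the general-purpose
    flag) set. Reading such a member needs the password, so content scanners
    see nothing; the flag itself is still readable and is a cheap signal that
    the attachment deserves a closer look."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed test fixture: a one-member ZIP, optionally with the
    encryption flag set by patching the local and central-directory headers
    (zipfile cannot write encrypted archives). The member is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("factura.vbs", "' placeholder text, not a real script")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Local file header: flag at offset 6; central directory entry: offset 8.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(sig)
            flag = struct.unpack_from("<H", data, i + off)[0] | 0x1
            struct.pack_into("<H", data, i + off, flag)
    return bytes(data)


# Constructed mail-gateway log lines; sender domains are hypothetical.
SAMPLE_LOG = """\
2025-05-12T09:14:03Z from=notificaciones@agencia-tributaria.test subj="Notificacion de multa" url=hxxps://k7x2.contaboserver[.]net/aviso.php
2025-05-12T09:14:55Z from=hr@corp.example subj="Payslip" url=https://intranet.corp.example/payslip.pdf
2025-05-12T09:16:10Z from=avisos@sat-notify.test subj="Sancion fiscal" url=https://www.mediafire.com/file/abc123/Factura.zip
2025-05-12T09:17:41Z from=news@example.org subj="Weekly digest" url=https://example.org/digest
"""


def scan_log(log: str) -> list[tuple[str, str]]:
    """(timestamp, url) for every watched-domain URL found in the log."""
    findings = []
    for line in log.splitlines():
        for url in flag_urls(line):
            findings.append((line.split()[0], url))
    return findings


if __name__ == "__main__":
    for ts, url in scan_log(SAMPLE_LOG):
        print(f"{ts} watched domain: {url}")
    print("encrypted sample flagged:", zip_is_encrypted(make_sample_zip(True)))
```

The point of `registered_domain` is the one the subdomain rotation makes: a rule that lists `k7x2.contaboserver.net` is stale as soon as the operators move to the next label, while a rule on `contaboserver.net` survives the rotation. The encryption-flag check is deliberately independent of the archive's contents, since the contents are exactly what the password hides from the scanner.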
How to Protect Yourself Against Grandoreiro
Forcepoint strongly advises users to be extra cautious when receiving emails from unknown senders—especially those claiming to be from tax agencies. These emails often use urgent language to prompt quick action, increasing the chances of infection.
Cybersecurity tools that detect phishing, scan attachments, and monitor suspicious domains are essential lines of defense. As Grandoreiro continues to evolve, proactive protection and awareness are key to staying safe.