{
	"id": "da585010-a00d-4252-ace1-50dc0bc62408",
	"created_at": "2026-04-06T00:17:19.433399Z",
	"updated_at": "2026-04-10T03:21:19.726277Z",
	"deleted_at": null,
	"sha1_hash": "0ecb66332fb8d7140451f1fa7bd39817b0bc7928",
	"title": "Grandoreiro Strikes Again: Geofenced Phishing Attacks Target LATAM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1018745,
	"plain_text": "Grandoreiro Strikes Again: Geofenced Phishing Attacks Target LATAM\r\nPublished: 2025-04-09 · Archived: 2026-04-05 16:21:48 UTC\r\nA new phishing campaign is targeting users across Latin America, and at the center of it is Grandoreiro, a banking trojan known for stealing sensitive financial data. With geofencing and stealthy evasion tactics, this malware is proving difficult to catch with standard defenses.\r\nLet’s take a closer look at the campaign, how the attack unfolds, and what makes it so effective.\r\nGrandoreiro Attack Overview\r\nBetween February 19 and March 14, researchers noticed a surge in phishing activity tied to Grandoreiro, and signs show the campaign is still ongoing.\r\nA spike of Grandoreiro was detected\r\nGrandoreiro has been around for years, constantly evolving to stay ahead of detection. It’s designed to steal banking credentials, monitor user activity, and grant remote access to attackers.\r\nOne of the standout techniques in this campaign is geofencing. Before running, the malware checks the victim’s IP address to determine their location. If the user isn’t in a targeted Latin American country, the malware simply stops executing. This makes the campaign more focused, reduces unnecessary exposure, and helps it slip past global security monitoring.\r\nGrandoreiro Attack Chain\r\nGrandoreiro is known for slipping past traditional security tools, making it tough to detect using automated solutions alone. However, with the help of interactive sandboxes, it’s possible to observe the malware’s full behavior in real time.\r\nhttps://hackread.com/grandoreiro-strikes-geofenced-phishing-attacks-latam/\r\nPage 1 of 5\r\nHere’s a complete look at the execution chain inside a secure sandbox:\r\nThe full execution chain of Grandoreiro is displayed inside ANY.RUN sandbox\r\nUnderstanding the who, when, and how behind this campaign will help security teams proactively strengthen their defenses. Real-time threat analysis platforms not only uncover these details but also make them immediately actionable.\r\nInitial Access: Phishing Email\r\nThe infection begins with a phishing page that lures the victim into clicking a link or downloading a fake PDF document. Instead of a PDF, the file is actually a compressed archive (.ZIP or .RAR) containing the Grandoreiro loader.\r\nPhishing link with a fake PDF document displayed inside ANY.RUN sandbox\r\nExecution \u0026 Geofencing\r\nOnce the file is extracted and opened, the malware sends a request to ip-api.com to determine the user’s geolocation.\r\nIf the IP address falls outside the targeted LATAM countries, the malware halts execution, but if it matches a targeted region, the attack proceeds.\r\nSuricata rule triggered inside ANY.RUN sandbox\r\nDNS Evasion: Google DNS\r\nGrandoreiro avoids local DNS queries by sending a request to dns.google. It provides the domain name of its command-and-control (C2) server, which Google resolves to an IP address.\r\nThis step helps it bypass DNS-based blocking mechanisms and improves its chances of successful communication.\r\nTraditional solutions often miss these evasion tricks, but ANY.RUN captures them in real time, helping teams build effective detection logic that actually reflects how modern malware behaves.\r\nConnection to C2\r\nAfter resolving the C2 domain, the malware sends a GET request to the retrieved IP address to establish a connection. This opens the door for the attacker to deliver additional payloads, steal credentials, or take remote control of the infected machine.\r\nGrandoreiro in Action: Tactics \u0026 Techniques\r\nEstablishing a connection to the C2 server is just the beginning. Once communication is successful, Grandoreiro kicks off a series of actions designed to stay hidden, gather data, and prepare for further exploitation.\r\nIn this specific attack, ANY.RUN’s sandbox reveals a wide range of techniques triggered across multiple MITRE ATT\u0026CK categories. You can see all of them mapped in the ATT\u0026CK tab of the analysis session:\r\nMITRE ATT\u0026CK tactics and techniques used by adversaries\r\nDetection \u0026 Response Tips\r\nDetecting Grandoreiro isn’t easy; it blends in well and uses clever tricks. But here’s how you can stay one step ahead:\r\nWatch for phishing lures posing as PDF downloads (often .ZIP or .RAR archives).\r\nMonitor external DNS requests, especially to dns.google, right after execution.\r\nFlag geolocation lookups to services like ip-api.com; it’s a key part of Grandoreiro’s filtering tactic.\r\nUse behavior-based analysis to catch post-execution tactics like file deletion, credential access, or system discovery.\r\nCatch the Attack Before It Spreads\r\nThe Grandoreiro campaign shows how modern threats evolve and why visibility into behavior matters more than ever.\r\nWith ANY.RUN sandbox, security teams can interact with malware in real time, uncover hidden tactics, and respond with confidence. From phishing to post-exploitation, everything is mapped, visualized, and ready for action.\r\nSource: https://hackread.com/grandoreiro-strikes-geofenced-phishing-attacks-latam/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://hackread.com/grandoreiro-strikes-geofenced-phishing-attacks-latam/"
	],
	"report_names": [
		"grandoreiro-strikes-geofenced-phishing-attacks-latam"
	],
	"threat_actors": [],
	"ts_created_at": 1775434639,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ecb66332fb8d7140451f1fa7bd39817b0bc7928.pdf",
		"text": "https://archive.orkl.eu/0ecb66332fb8d7140451f1fa7bd39817b0bc7928.txt",
		"img": "https://archive.orkl.eu/0ecb66332fb8d7140451f1fa7bd39817b0bc7928.jpg"
	}
}