{
	"id": "9a98faba-79b6-40e4-8588-bc9f48c6e1c7",
	"created_at": "2026-04-06T00:18:22.660615Z",
	"updated_at": "2026-04-10T03:31:13.523418Z",
	"deleted_at": null,
	"sha1_hash": "132f99b41c24fa252fec185a603a10a11f94f9fd",
	"title": "Grandoreiro Trojan Distributed via Contabo-Hosted Servers in Phishing Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 984630,
	"plain_text": "Grandoreiro Trojan Distributed via Contabo-Hosted Servers in Phishing Campaigns\r\nPublished: 2025-03-27 · Archived: 2026-04-05 15:02:30 UTC\r\nCybercriminals are reviving the Grandoreiro banking trojan. It is actively being used in large-scale phishing campaigns, primarily targeting banking users in Latin America and Europe. The operators lean on VPS hosting providers and obfuscation techniques to evade detection, and the malware continuously adapts, using dynamic URLs and social engineering to maximize its reach and effectiveness.\r\nThis post presents the findings of Forcepoint X-Labs' research into a recent Grandoreiro campaign that targets users in Mexico, Argentina and Spain through phishing emails impersonating the national tax agency. The emails carry links to servers rented from Contabo, a well-known legitimate hosting provider; the links lead victims to download an obfuscated Visual Basic script and a disguised EXE payload designed to steal credentials. In some runs of the campaign the archive is encrypted or password-protected, so that mail and web security systems cannot inspect its contents and the threat is harder to identify and block.\r\nFig. 1 - Grandoreiro attack chain\r\nEmail Analysis:\r\nThe email is flagged High Importance, warns of a tax penalty in Spanish, and uses a spoofed sender address impersonating a tax agency to trick users. The observed messages were sent through the well-known Ovhcloud sender infrastructure with GNU Mailutils 3.7.\r\nhttps://www.forcepoint.com/blog/x-labs/grandoreiro-trojan-targets-mexico-argentina-spain\r\nPage 1 of 9\r\nFig. 2 - Phishing tax document\r\nThe email contains malicious links that redirect users to a VPS or dedicated server hosted on Contabo's infrastructure, at a geofenced URL of the form vmi\\d{7}[.]contaboserver[.]net.
Once a user clicks the “Download PDF” button, a ZIP payload is downloaded from a second service, the cloud storage and file-sharing site mediafire.com.\r\nFig. 3 - Embedded link opens to contaboserver.net\r\nThe subdomain of the URL changes in every campaign but always matches vmi\\d{7}[.]contaboserver[.]net. Subdomains of contaboserver[.]net, such as vmi2500240[.]contaboserver[.]net, are the hostnames Contabo assigns to individual virtual machines or dedicated servers on its network, so each one maps to a specific attacker-rented host. We have observed that some supporting elements of the main malicious webpage are hosted on this subdomain as well.\r\nFig. 4 - Supporting elements hosted on a Contaboserver.net domain\r\nClicking the “Download PDF” button runs an inline JavaScript handler that calls a declared async () function. The function first checks the browser and platform using navigator.userAgent, then fetches a PHP endpoint on the same server; the PHP response carries the Mediafire URL, to which the browser is redirected to download the next-stage payload:\r\nFig. 5 - Explicitly added JavaScript in HTML\r\nFig. 6 - Code of hosted JavaScript file\r\nOnce a JSON response is received from the PHP endpoint, the .zip file is downloaded to the system. The JavaScript also keeps a count of the number of downloads.\r\nFig. 7 - Hosted PHP with mediafire.com URL\r\nVBS Analysis:\r\nThe downloaded ZIP is sometimes password-protected, and it contains a large obfuscated VBS file. The script is padded with a large number of unneeded “:” characters (the VBScript statement separator) as obfuscation, and it carries an embedded ZIP file as base64-encoded text split across many chunks.\r\nFig. 8 - VBS obfuscated code\r\nFig. 
9 - VBS deobfuscated code\r\nThe VBS concatenates the large string variables, base64-decodes the resulting stream and writes it out as a .zip file with a random name under “C:\\users\\Public”. It then extracts that .zip into the system directory, which drops an EXE file, records the EXE's path in a “.txt” file, and finally executes the “.exe” payload via WScript.Shell.\r\nEXE Analysis:\r\nThe extracted 32-bit EXE is compiled with Delphi, and its version info claims it is a binary from “ByteCore Technologies 706092 Inc.”\r\nFig. 10 - EXE version info\r\nIt carries a PDF icon and throws an Acrobat Reader error pop-up during execution. If the user clicks the OK button, it opens a C2 connection to an AWS IP address and then starts its stealing activity.\r\nFig. 11 - Error prompt\r\nThe file is compiled with the Embarcadero Delphi compiler and uses the Embarcadero URI Client, whose name shows up as the HTTP User-Agent, to connect to the remote server. It connects to the C\u0026C server 18[.]212[.]216[.]95:42195 and requests hxxp://18[.]212[.]216[.]95:42195/AudioCoreBCPbSecureNexusLink.xml, using an unusual high port rather than 80 or 443. It checks for “C:\\Program Files (x86)\\Bitcoin” as a sign of cryptocurrency wallet data worth stealing.\r\nIt also reads the machine GUID, computer name and language from the registry, including the entry “HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions”.\r\nConclusion:\r\nCybercriminals are spreading the Grandoreiro banking trojan in Mexico, Argentina and Spain through phishing emails impersonating a tax agency. The campaign leverages Contabo-hosted servers and Mediafire to deliver the malware. The attack involves malicious ZIP files containing obfuscated VBS scripts that drop a Delphi-based EXE. 
Once executed, the malware steals credentials, searches for Bitcoin wallet directories and connects to a C2 server. Attackers frequently change subdomains under contaboserver[.]net to evade detection, so the vmi\\d{7}[.]contaboserver[.]net pattern is a more durable detection than any single hostname. Users should stay cautious, avoid unexpected emails and use security tools to protect against these threats.\r\nProtection statement:\r\nForcepoint customers are protected against this threat at the following stages of attack:\r\nStage 2 (Lure) - Delivered via a suspicious URL embedded in an email. Emails and embedded URLs are blocked by email analytics and web analytics.\r\nStage 3 (Redirect) - Blocked the redirecting mediafire.com URLs that download the next-stage payload.\r\nStage 5 (Dropper File) - The dropper files are added to the Forcepoint malicious database and are blocked.\r\nStage 6 (Call Home) - Blocked C\u0026C IP addresses.\r\nNGFW protection statement:\r\nThe dropper files are blocked by the GTI file reputation service if it is enabled.\r\nIOCs:\r\nEmbedded Download URLs:\r\nhxxps://vmi2500223[.]contaboserver[.]net\r\nhxxps://vmi2511216[.]contaboserver[.]net\r\nhxxps://vmi2511206[.]contaboserver[.]net\r\nhxxps://vmi2526272[.]contaboserver[.]net\r\nhxxps://vmi2529183[.]contaboserver[.]net/\r\nhxxps://vmi2492020[.]contaboserver[.]net/\r\nhxxps://vmi2527550[.]contaboserver[.]net/\r\nRe-directional URLs:\r\nhxxps://www[.]mediafire[.]com/file/ngb9r5swxbuz7xp/Ficha91159905YGSU02704481_2025.zip/file\r\nhxxps://www[.]mediafire[.]com/file/qfyr6978p7s5nf2/DB#78613179435_SGJ9345624.zip/file\r\nC2s:\r\n98[.]81[.]92[.]194:30154\r\n18[.]212[.]216[.]95:42195\r\nFile hashes (SHA-1):\r\n7ED66D3FE441216D7DD85DDA1A780C4404D8D8AF - EXE\r\n284782A579307F7B6D6C7C504ECCC05EF7573FD2 - EXE\r\n9D767A9830894B210C980F3ECF8494A1B1D3C813 - ZIP\r\n7A32D66832C6C673E9C0A5E0EE80C4310546093B - ZIP\r\n0372A8BB0B04927E866C50BEF993CDA8E2B8521D - VBS\r\nA9919444948790ABE18F111EEEF91BEA2C1D4DD0 - 
VBS\r\nSource: https://www.forcepoint.com/blog/x-labs/grandoreiro-trojan-targets-mexico-argentina-spain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.forcepoint.com/blog/x-labs/grandoreiro-trojan-targets-mexico-argentina-spain"
	],
	"report_names": [
		"grandoreiro-trojan-targets-mexico-argentina-spain"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434702,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/132f99b41c24fa252fec185a603a10a11f94f9fd.pdf",
		"text": "https://archive.orkl.eu/132f99b41c24fa252fec185a603a10a11f94f9fd.txt",
		"img": "https://archive.orkl.eu/132f99b41c24fa252fec185a603a10a11f94f9fd.jpg"
	}
}