{
	"id": "7fbf45d6-d224-4667-babf-f79928d1434c",
	"created_at": "2026-04-06T02:10:56.483964Z",
	"updated_at": "2026-04-10T13:13:05.893458Z",
	"deleted_at": null,
	"sha1_hash": "238998992d2552ac7e08c2457ba9b06d9fbf9712",
	"title": "Grandoreiro Malware Campaign: A Global Threat to Banking Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87365,
	"plain_text": "Grandoreiro Malware Campaign: A Global Threat to Banking\r\nSecurity\r\nBy Ameer Owda\r\nPublished: 2024-06-07 · Archived: 2026-04-06 01:34:46 UTC\r\nThe Grandoreiro banking trojan was first observed in 2016. This threat is described as a highly sophisticated and\r\nadaptive Windows-based banking trojan. Grandoreiro uses a Malware-as-a-Service (MaaS) model, making it\r\neasily accessible to various cybercriminals. Its latest wave affected Central and South America, Africa, Europe and\r\nthe Indonesia-Pacific region, targeting more than 1,500 banks in more than 60 countries.\r\nBanks targeted by the Grandoreiro malware, distributed by countries (X Force)\r\nGrandoreiro uses advanced techniques to infiltrate systems and evade detection. These techniques include\r\nbypassing User Account Control (UAC), parsing Outlook .pst files to extract email addresses, using HTTP in\r\nCommand and Control (C2) communications, creating link files in system startup folders to ensure continuity,\r\nhijacking browser sessions, and stealing cookie data and credentials from web browsers such as Google Chrome.\r\nDescription of the Grandoreiro Malware Campaign\r\nThe Grandoreiro banking trojan has reemerged as a significant global threat to banking security, following a\r\nresurgence in March 2024 despite law enforcement efforts to dismantle its operations.\r\nFor more details, see the Grandoreiro Malware Campaign on SOCRadar Platform’s Campaigns page\r\nThis sophisticated Windows-based malware, first detected in 2016, has targeted over 1,500 banks across more\r\nthan 60 countries, employing advanced techniques to infiltrate systems and avoid detection. 
It uses a Malware-as-a-Service (MaaS) model, making it accessible to a broad spectrum of cybercriminals.\r\nThe phishing emails employed in the campaign frequently mimic legitimate organizations, including Mexico’s\r\nTax Administration Service (SAT), Mexico’s Federal Electricity Commission (CFE), and the South African\r\nRevenue Service (SARS). These emails typically contain links that direct recipients to ZIP archives carrying the\r\nmalware.\r\nSample email impersonating CFE, Mexico’s Federal Electricity Commission\r\nGrandoreiro Malware Capabilities\r\nGrandoreiro employs several techniques to compromise systems; in MITRE ATT&CK terms these are abusing elevation\r\ncontrol mechanisms (T1548), email account discovery (T1087.003), application layer protocol C2 (T1071), boot or\r\nlogon autostart execution (T1547), browser session hijacking (T1185), and stealing credentials from web browsers\r\n(T1555.003).\r\nhttps://socradar.io/grandoreiro-malware-campaign-a-global-threat-to-banking-security/\r\nPage 1 of 5\n\nThe malware’s loader first checks that the victim is a genuine target, gathers basic host information, and then executes the\r\nGrandoreiro trojan. To defeat automated scanning, it requires a CAPTCHA to be solved before it runs and inflates the\r\nsize of the executable past what many scanners will process. The malware uses a multi-stage decryption process,\r\ninvolving several layers of encryption and custom algorithms, to obtain the plaintext strings required for its operation.\r\nGrandoreiro collects extensive data from infected machines, including IP addresses, operating system details, and\r\ninformation about installed software, all of which are sent to the C2 server. 
To avoid DNS-based blocking, it uses\r\nDNS over HTTPS and employs a Domain Generation Algorithm (DGA) to determine active C2 domains.\r\nEncrypted requests are sent to the C2 server to retrieve the final payload.\r\nGrandoreiro DGA visualization\r\nImpact of the Grandoreiro Malware Campaign\r\nThe impact of the Grandoreiro campaign has been devastating, resulting in financial fraud and significant\r\nmonetary losses. It affected various sectors such as banking, finance, manufacturing, public administration,\r\ntelecommunications, and energy and utilities.\r\nThe chart below depicts the top countries that have been targeted by the Grandoreiro malware:\r\nMalware infections in early May, distributed by countries\r\nMitigation Strategies\r\nTo combat Grandoreiro, organizations should implement a multi-layered defense strategy, including email and\r\nphishing defense, network traffic surveillance, blocking DGA domains, Windows registry surveillance,\r\nenhanced endpoint security, and user education programs.\r\nIn the event of an infection, critical steps include identifying and removing infected systems, updating and\r\npatching systems, monitoring and hardening network security, user account and access management, regular\r\naudits and monitoring, and incident response planning. 
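Worked example, added here and not part of the SOCRadar report or the X-Force research it summarizes: a Python hunt that applies the domain, URL and IP indicators listed under Indicators of Compromise at the end of this report to proxy or flow logs, and that also flags TLS sessions to public DNS-over-HTTPS resolvers, because the DoH behaviour described above lets the implant resolve its DGA domains without touching the enterprise resolver where DNS filtering would block them. The six-column log format (timestamp, source, destination, port, SNI or Host header, URL) and the log lines are constructed for illustration, and the resolver list is a starting point rather than an exhaustive one.

```python
'''Hunt proxy or flow logs for Grandoreiro network indicators and DoH use.

Added example; not SOCRadar or X-Force code. IOC values are copied from the
report. The log format and log lines below are constructed for illustration.
'''
from urllib.parse import urlsplit

# URL indicators from the report. $TIME and the $FISCALIGE prefixes mark dynamic parts.
IOC_URLS = [
    'http://vamosparaonde.com/segundona/',
    'http://mantersaols.com/MEX/MX/',
    'http://barusgorlerat.me/MX/',
    'http://atlasassessorcontabilidade.com/BRAZIL/',
    'http://assesorattlas.me/MX/',
    'http://assesorattlas.me/AR/',
    'http://167.114.137.244:48514/eyGbtR.xml',
    'http://167.114.137.244/$TIME',
    'http://15.188.63.127/$TIME',
    'http://15.188.63.127:36992/YSRYIRIb.xml',
    'http://15.188.63.127:36992/vvOGniGH.xml',
    'http://15.188.63.127:36992/zxeTYhO.xml',
    'http://35.180.117.32/$FISCALIGENERAL3489213839012',
    'http://35.181.59.254/$FISCALIGE54327065410839012?id_JIBBRS=DR-307494',
    'http://35.181.59.254/info99908hhzzb.zip',
    'http://52.67.27.173/deposito',
    'http://54.232.38.61/notificacion',
    'http://premiercombate.eastus.cloudapp.azure.com/PUMA/',
]
IOC_DOMAINS = {'vamosparaonde.com', 'perfomacepnneu.me', 'mantersaols.com',
               'damacenapirescontab.com', 'barusgorlerat.me',
               'atlasassessorcontabilidade.com', 'assesorattlas.me'}

def _compile(url):
    '''(ioc, host, port, path, exact): a $ placeholder turns the path into a prefix match.'''
    p = urlsplit(url)
    if '$' in p.path:
        return (url, p.hostname, p.port, p.path.split('$', 1)[0], False)
    return (url, p.hostname, p.port, p.path, True)

# Exact-path patterns are tried first so a precise hit beats a prefix hit on the same host.
IOC_URL_PATTERNS = sorted((_compile(u) for u in IOC_URLS), key=lambda pat: not pat[4])
IOC_HOSTS = IOC_DOMAINS | {pat[1] for pat in IOC_URL_PATTERNS}

# Well-known public DoH resolvers. TLS to these on 443 bypasses resolver-level filtering.
DOH_RESOLVERS = {'cloudflare-dns.com': {'1.1.1.1', '1.0.0.1'},
                 'dns.google': {'8.8.8.8', '8.8.4.4'},
                 'dns.quad9.net': {'9.9.9.9', '149.112.112.112'}}
DOH_IPS = set().union(*DOH_RESOLVERS.values())

def match_url(url):
    '''Return the IOC URL that a requested URL matches, or None.'''
    p = urlsplit(url)
    for ioc, host, port, path, exact in IOC_URL_PATTERNS:
        if p.hostname != host or (port is not None and p.port != port):
            continue
        if (exact and p.path == path) or (not exact and p.path.startswith(path)):
            return ioc
    return None

def is_doh(dst_ip, dst_port, sni):
    '''Plain DNS on 53 to the same resolver is not DoH; only 443 counts.'''
    return dst_port == 443 and (sni in DOH_RESOLVERS or dst_ip in DOH_IPS)

def parse_line(line):
    '''Constructed format: ts src dst port sni_or_host url, with - for empty fields.'''
    fields = line.split()
    if len(fields) != 6 or not fields[3].isdigit():
        return None
    ts, src, dst, port, sni, url = fields
    return {'ts': ts, 'src': src, 'dst': dst, 'port': int(port),
            'sni': None if sni == '-' else sni.lower(),
            'url': None if url == '-' else url}

def hunt(lines):
    '''Return (ts, src, reason, indicator) for each line touching an IOC or a DoH resolver.'''
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ioc = match_url(rec['url']) if rec['url'] else None
        if ioc:
            hits.append((rec['ts'], rec['src'], 'ioc_url', ioc))
        elif rec['dst'] in IOC_HOSTS or rec['sni'] in IOC_HOSTS:
            hits.append((rec['ts'], rec['src'], 'ioc_host', rec['sni'] or rec['dst']))
        if is_doh(rec['dst'], rec['port'], rec['sni']):
            hits.append((rec['ts'], rec['src'], 'doh_resolver', rec['sni'] or rec['dst']))
    return hits

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = '''
2024-05-03T10:12:01Z 10.0.0.21 203.0.113.5 80 vamosparaonde.com http://vamosparaonde.com/segundona/
2024-05-03T10:12:07Z 10.0.0.21 15.188.63.127 36992 - http://15.188.63.127:36992/YSRYIRIb.xml
2024-05-03T10:12:09Z 10.0.0.21 1.1.1.1 443 cloudflare-dns.com -
2024-05-03T10:13:00Z 10.0.0.22 93.184.216.34 443 example.com https://example.com/
2024-05-03T10:13:05Z 10.0.0.23 8.8.8.8 53 - -
2024-05-03T10:14:11Z 10.0.0.24 35.181.59.254 80 - http://35.181.59.254/info99908hhzzb.zip
2024-05-03T10:15:40Z 10.0.0.24 203.0.113.9 443 assesorattlas.me -
'''.strip().splitlines()

if __name__ == '__main__':
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Run as a script it prints the five hits from the sample. The ioc_url matches are the high-confidence signal; browsers and operating systems also speak DoH, so the doh_resolver hits are a lead to join with process or user context rather than an alert on their own. URLs whose path begins with a $ placeholder (the $TIME and $FISCALIGE entries) are matched on the static prefix of the path, so any request to that host under that prefix is reported.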
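Another added example, not code from the SOCRadar report, X-Force or Elastic: the report notes that Grandoreiro persists by creating link files in the Startup folders, so this Python script parses each .lnk found in the per-user and all-users Startup folders far enough to recover the target path and command-line arguments, and flags shortcuts whose target lives under a user-writable directory, whose target is a script or LOLBin host, or whose arguments contain a URL. The shortcut fixtures written by demo() are constructed here and are not real samples; reading only the ANSI LocalBasePath, and the standard Startup folder layout under APPDATA and ProgramData, are assumptions.

```python
'''Triage .lnk shortcuts in the Windows Startup folders (added example, not report code).'''
import ntpath
import os
import struct
import tempfile

# Assumptions: standard Startup folder layout; only the ANSI LocalBasePath of a shortcut is read.
WIN_SEP = ntpath.sep
# ShellLinkHeader constants (MS-SHLLINK): CLSID 00021401-0000-0000-C000-000000000046 and LinkFlags bits.
LNK_CLSID = bytes.fromhex('0114020000000000c000000000000046')
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FIELDS = ((0x04, 'name'), (0x08, 'relative_path'), (0x10, 'working_dir'), (HAS_ARGUMENTS, 'arguments'), (0x40, 'icon_location'))
SUSPICIOUS_DIRS = {'appdata', 'local', 'roaming', 'temp', 'programdata', 'public', 'downloads'}
SCRIPT_HOSTS = {'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'}

def parse_lnk(data):
    '''Recover the target path and StringData (arguments etc.) from a .lnk blob.'''
    if len(data) < 76 or data[:4] != struct.pack('<I', 0x4C) or data[4:20] != LNK_CLSID:
        raise ValueError('not a shell link (bad header)')
    flags, pos = struct.unpack_from('<I', data, 20)[0], 76
    if flags & HAS_ID_LIST:                     # skip LinkTargetIDList: IDListSize, then the items
        pos += 2 + struct.unpack_from('<H', data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from('<5I', data, pos)
        if info_flags & 0x1:                    # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            target = data[pos + base_off:data.index(0, pos + base_off)].decode('latin-1')
        pos += size
    out = {'target': target}
    for bit, name in STRING_FIELDS:             # StringData blocks appear in this fixed order
        if flags & bit:
            count = struct.unpack_from('<H', data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            out[name] = data[pos + 2:pos + 2 + width * count].decode('utf-16-le' if width == 2 else 'latin-1')
            pos += 2 + width * count
    return out

def build_lnk(target, arguments=''):
    '''Minimal shortcut writer, used here only to construct fixtures.'''
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = (struct.pack('<I', 0x4C) + LNK_CLSID + struct.pack('<II', flags, 0x20)
              + bytes(24) + struct.pack('<IIIHHII', 0, 0, 1, 0, 0, 0, 0))  # zero FILETIME values, SW_SHOWNORMAL
    volume = struct.pack('<IIII', 17, 3, 0, 16) + bytes(1)                # VolumeID: DRIVE_FIXED, empty label
    base = target.encode('latin-1') + bytes(1)
    base_off = 28 + len(volume)
    suffix_off = base_off + len(base)
    info = struct.pack('<7I', suffix_off + 1, 28, 1, 28, base_off, 0, suffix_off) + volume + base + bytes(1)
    strdata = struct.pack('<H', len(arguments)) + arguments.encode('utf-16-le') if arguments else b''
    return header + info + strdata

def assess(info):
    '''Heuristics: user-writable target directory, script or LOLBin host, URL in the arguments.'''
    target = info.get('target') or ''
    args = (info.get('arguments') or '').lower()
    reasons = []
    if {part.lower() for part in target.split(WIN_SEP)} & SUSPICIOUS_DIRS:
        reasons.append('target in user-writable location')
    if ntpath.basename(target).lower() in SCRIPT_HOSTS:
        reasons.append('target is a script or LOLBin host')
    if 'http://' in args or 'https://' in args:
        reasons.append('arguments contain a URL')
    return reasons

def startup_folders():
    '''Per-user and all-users Startup folders.'''
    tail = WIN_SEP.join(['Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup'])
    roots = [os.environ.get('APPDATA'), os.environ.get('ProgramData')]
    return [WIN_SEP.join([root, tail]) for root in roots if root]

def triage_folder(folder):
    '''Parse every .lnk in folder; unparsable shortcuts are reported, not silently skipped.'''
    if not os.path.isdir(folder):
        return []
    results = []
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith('.lnk'):
            continue
        path = os.path.join(folder, name)
        with open(path, 'rb') as fh:
            data = fh.read()
        try:
            info = parse_lnk(data)
        except (ValueError, struct.error) as exc:
            results.append({'file': path, 'error': str(exc), 'reasons': ['unparsable shortcut']})
            continue
        info.update(file=path, reasons=assess(info))
        results.append(info)
    return results

def demo():
    '''Two constructed fixtures: an ordinary vendor shortcut and one shaped like the described persistence.'''
    folder = tempfile.mkdtemp()
    benign = WIN_SEP.join(['C:', 'Program Files', 'Vendor', 'Updater.exe'])
    shady = WIN_SEP.join(['C:', 'Users', 'victim', 'AppData', 'Roaming', 'Update', 'svchost.exe'])
    fixtures = {'Updater.lnk': build_lnk(benign), 'WinUpdate.lnk': build_lnk(shady, '/c start http://example.invalid/')}
    for name, blob in fixtures.items():
        with open(os.path.join(folder, name), 'wb') as fh:
            fh.write(blob)
    return triage_folder(folder)

if __name__ == '__main__':
    for entry in ([e for f in startup_folders() for e in triage_folder(f)] or demo()):
        print(entry.get('file'), entry.get('target'), entry.get('arguments'), entry['reasons'])
```

On a Windows host the script walks the real Startup folders; elsewhere it falls back to the constructed fixtures. A shortcut whose target is under AppData, or a script host launched with a URL in its arguments, is the shape a dropped persistence entry takes and should be reviewed together with the registry Run keys.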
In the face of the re-emergence of Grandoreiro, the\r\nfollowing are important countermeasures and defense strategies that organizations should take:\r\nEmail and Phishing Defense\r\nDeploy email filtering that blocks messages from suspicious domains and flags links to archive downloads, the delivery\r\nmethod used in this campaign.\r\nTrain employees regularly to recognize phishing emails, including lookalike notices from tax and utility authorities of\r\nthe kind impersonated here, and to follow safe browsing habits.\r\nEncourage verification of email senders and URLs before clicking links or downloading attachments.\r\nNetwork Traffic Surveillance\r\nImplement anomaly detection that flags abnormal traffic patterns, including HTTP C2 traffic to unusual ports and\r\nDNS over HTTPS from hosts that have no reason to use it.\r\nUse network segmentation to contain the spread of malware and isolate hosts that show suspicious activity.\r\nBlocking DGA Domains\r\nUse DNS filtering to block domains created by Grandoreiro’s Domain Generation Algorithm (DGA); because the\r\nmalware resolves its C2 over DNS over HTTPS, resolver-level blocking must be paired with controls on DoH traffic.\r\nProactively monitor and block newly identified malicious domains using threat intelligence services.\r\nWindows Registry Surveillance\r\nRegularly audit Windows registry autostart entries and the Startup folders to detect and remove unauthorized\r\nentries, such as the link files this malware drops.\r\nMonitor registry changes in real time with automated tools.\r\nEnhanced Endpoint Security\r\nEnsure that all endpoints run up-to-date antivirus and anti-malware software.\r\nDeploy Endpoint Detection and Response (EDR) for advanced threat detection and remediation.\r\nThese strategies are critical to building an effective line of defense against complex and adaptive threats such as\r\nGrandoreiro.\r\nConclusion\r\nThe resilience and adaptability of the Grandoreiro banking trojan, even after a major law enforcement operation,\r\nunderscore the need for robust cybersecurity measures. 
Organizations must adopt advanced threat detection,\r\nregular audits, user education, and comprehensive endpoint protection to effectively counter this persistent threat.\r\nFor more information about the Grandoreiro Malware Campaign and many more campaigns, you can visit\r\nour Campaigns page on SOCRadar LABS.\r\nSOCRadar LABS, Campaigns page\r\nYARA RULES\r\nBelow is a YARA rule, authored by Elastic Security, that may be used to detect the Grandoreiro loader and payload; the\r\ncomment above each string describes the x86 code its hex pattern matches. You can find YARA rules\r\nrelated to various malware in SOCRadar’s Threat Hunting Rules.\r\nrule Windows_Trojan_Grandoreiro_51236ba2 {\r\n meta:\r\n author = \"Elastic Security\"\r\n id = \"51236ba2-fdbc-4c46-b57b-27fc1e135486\"\r\n fingerprint = \"c3082cc865fc177d8cbabcfcf9fb67317af5f2d28e8eeb95eb04108a558d80d4\"\r\n creation_date = \"2022-08-23\"\r\n last_modified = \"2023-06-13\"\r\n description = \"Grandoreiro rule, target loader and payload\"\r\n threat_name = \"Windows.Trojan.Grandoreiro\"\r\n reference_sample = \"1bdf381e7080d9bed3f52f4b3db1991a80d3e58120a5790c3d1609617d1f439e\"\r\n severity = 100\r\n arch_context = \"x86\"\r\n scan_context = \"file, memory\"\r\n license = \"Elastic License v2\"\r\n os = \"windows\"\r\n strings:\r\n // VMware backdoor probe: mov eax, 0x564D5868 ('VMXh'); mov ecx, 0x0A; mov dx, 0x5658 ('VX'); in eax, dx; mov eax, 1\r\n $antivm0 = { B8 68 58 4D 56 BB 12 F7 6C 3C B9 0A 00 00 00 66 BA 58 56 ED B8 01 00 00 00 }\r\n // SEH frame installed through fs:[0] (push fs:[0]; mov fs:[0], esp), the usual wrapper for a probe that faults outside a VM\r\n $antivm1 = { B9 [4] 89 E5 53 51 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 BB 00 00 00 00 B8 01 00 00 00 }\r\n // string decryption: movzx eax, word [eax+esi*2+n]; xor ebx, eax; result stored to a stack local\r\n $xor0 = { 0F B7 44 70 ?? 33 D8 8D 45 ?? 50 89 5D ?? }\r\n // variant of the same per-character XOR step: mov eax, [ebp+n]; movzx; xor eax, ebx; mov [ebp+n], eax\r\n $xor1 = { 8B 45 ?? 0F B7 44 70 ?? 33 C3 89 45 ?? 
}\r\n condition:\r\n all of them\r\n}\r\nIndicators of Compromise (IOCs)\r\nMD5 Hashes:\r\n5ba143b5cef7e0505de283091c288e35\r\n6b9217ef9cbd2b29bfc353261566be1a\r\n7b6defb3ec63cc0c4b8ff21bba79c830\r\ncf48f1fecfe2efbb3071e9c3eb2140e0\r\ne02c77ecaf1ec058d23d2a9805931bf8\r\n970f00d7383e44538cac7f6d38c23530\r\n5b7cbc023390547cd4e38a6ecff5d735\r\n56416fa0e5137d71af7524cf4e7f878d\r\n2ec2d539acfe23107a19d731a330f61c\r\n3b5c1137198d2aecfbc288f1d5693b4e\r\n1c913e1918f175e135f03146819cd743\r\n121a870dd7cdd01fc2baa6897d376492\r\nSHA1 Hashes:\r\n8db589e61c6a9aeb47cd35570318b321866a415d\r\n987d02620b4f57a667771f03ebb4c89ed3bf7cc8\r\nceafe62c098f30e369eb7dac19dc04e66248fa90\r\ne68804f8fed07df2bfd3f85d38db673f92d9137e\r\nc91b333502f6f43aef47441bbf06e7912cef8143\r\n3c928e286997daab447e0cfe13988dad9923fd96\r\nSHA256 Hashes:\r\n2d3ec83c7a50990b13221e9018fe0c2b0b7fd6d1534160adf56f5df836e46537\r\n880db8383100c53c408224a003b312b6d57954ef42d3663ec80e4157ba003a01\r\ne2dc1f6e45a7be302736e1b42bb97e6a7877f82e081389b7a8195ea22cf6a10c\r\n794ad887a11149f438ecc886b5dfc6fa0503c26b8e63f48cf0bf2dcc2cdc58bb\r\n45992c4d15aa21aa0a6a29bcc306a25cb13b7c6bebe8d5de5f51cd325259b285\r\n25acc903388cf6e4d65c0d8295da8688ece1be4a6e6bec9e5d467f91f6026a4a\r\nDomains and IP 
Addresses:\r\nvamosparaonde.com\r\nperfomacepnneu.me\r\nmantersaols.com\r\ndamacenapirescontab.com\r\nbarusgorlerat.me\r\natlasassessorcontabilidade.com\r\nassesorattlas.me\r\nhttp://vamosparaonde.com/segundona/\r\nhttp://mantersaols.com/MEX/MX/\r\nhttp://barusgorlerat.me/MX/\r\nhttp://atlasassessorcontabilidade.com/BRAZIL/\r\nhttp://assesorattlas.me/MX/\r\nhttp://assesorattlas.me/AR/\r\nhttp://167.114.137.244:48514/eyGbtR.xml\r\nhttp://167.114.137.244/$TIME\r\nhttp://15.188.63.127/$TIME\r\nhttp://15.188.63.127:36992/YSRYIRIb.xml\r\nhttp://15.188.63.127:36992/vvOGniGH.xml\r\nhttp://15.188.63.127:36992/zxeTYhO.xml\r\nhttp://35.180.117.32/$FISCALIGENERAL3489213839012\r\nhttp://35.181.59.254/$FISCALIGE54327065410839012?id_JIBBRS=DR-307494\r\nhttp://35.181.59.254/info99908hhzzb.zip\r\nhttp://52.67.27.173/deposito\r\nhttp://54.232.38.61/notificacion\r\nhttp://premiercombate.eastus.cloudapp.azure.com/PUMA/\r\nCVE Identifiers:\r\nCVE-2022-34233\r\nWhile we strive to provide accurate and up-to-date information about malware threats, it is important to exercise\r\ncaution when handling potential malware links or Indicators of Compromise (IOCs). Please only access such links\r\nor IoCs from trusted sources and take appropriate security measures to protect your system.\r\nSource: https://socradar.io/grandoreiro-malware-campaign-a-global-threat-to-banking-security/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socradar.io/grandoreiro-malware-campaign-a-global-threat-to-banking-security/"
	],
	"report_names": [
		"grandoreiro-malware-campaign-a-global-threat-to-banking-security"
	],
	"threat_actors": [],
	"ts_created_at": 1775441456,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/238998992d2552ac7e08c2457ba9b06d9fbf9712.pdf",
		"text": "https://archive.orkl.eu/238998992d2552ac7e08c2457ba9b06d9fbf9712.txt",
		"img": "https://archive.orkl.eu/238998992d2552ac7e08c2457ba9b06d9fbf9712.jpg"
	}
}