{
	"id": "44787423-2c11-42a5-9fef-a361c316e4ff",
	"created_at": "2026-04-10T03:21:28.950333Z",
	"updated_at": "2026-04-10T03:22:17.459626Z",
	"deleted_at": null,
	"sha1_hash": "255a89402fd1fc5f8035bf5449e96d3624bd6230",
	"title": "Police disrupt Grandoreiro banking malware operation, make arrests",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2767598,
	"plain_text": "Police disrupt Grandoreiro banking malware operation, make arrests\r\nBy Bill Toulas\r\nPublished: 2024-01-30 · Archived: 2026-04-10 03:18:49 UTC\r\nThe Federal Police of Brazil and cybersecurity researchers have disrupted the Grandoreiro banking malware operation, which has been targeting Spanish-speaking countries with financial fraud since 2017.\r\nThe operation was supported by ESET, Interpol, the National Police in Spain, and Caixa Bank, all providing critical data leading to identifying and arresting individuals controlling the malware's infrastructure.\r\nBrazil's federal police announced five arrests and thirteen search and seizure actions in Sao Paulo, Santa Catarina, Para, Goias, and Mato Grosso.\r\nhttps://www.bleepingcomputer.com/news/security/police-disrupt-grandoreiro-banking-malware-operation-make-arrests/\r\nPage 1 of 5\r\n\"This Tuesday, January 30, the Federal Police launched Operation Grandoreiro to investigate the activities of a criminal group responsible for electronic banking fraud, using banking malware with victims outside Brazil,\" the Brazilian police said in a machine-translated press release.\r\n\"The criminal structure is suspected of moving at least 3.6 million euros through fraud since 2019.\"\r\nAccording to Caixa Bank's records, the malware operators are linked to fraud that has caused roughly $120,000,000 in losses.\r\nThe Grandoreiro malware\r\nGrandoreiro is a Windows banking trojan first documented by ESET in 2020, which has been one of the primary threats to Spanish speakers since the beginning of its operation in 2017.\r\nThe malware actively monitors the foreground window, looking for web browser processes related to banking activities, and if there's a match, it initiates communication with its command and control (C2) servers.\r\nAttackers must manually interact with the malware to conduct financial theft, like loading the right web injections, indicating a targeted and hands-on approach.\r\nThe malware can serve victims fake pop-up windows that phish for credentials, simulate mouse and keyboard input to help in remote navigation, send a live feed of the victim's screen, block local viewing to hinder detection and intervention, and log keystrokes.\r\nGrandoreiro developers released frequent updates to add new features and enhance the malware's capabilities, which indicates its operators' continued use of the project.\r\nIn August 2022, a Zscaler report presented a Grandoreiro campaign targeting high-value company employees in Spain and Mexico.\r\nTracking ops and victims\r\nESET could trace Grandoreiro's servers despite the malware's use of a Domain Generation Algorithm (DGA) through a combination of tracking and analysis techniques.\r\nThe researchers analyzed the DGA mechanism, which generates a new domain every day, and found that it uses the current date and hardcoded configuration, allowing them to predict future domains.\r\n\"ESET has extracted a total of 105 different dga_ids from the Grandoreiro samples known to us,\" explains ESET. \"79 of these configurations at least once generated a domain that resolved to an active C\u0026C server IP address during the course of our tracking.\"\r\nThe cybersecurity firm observed patterns where domains generated by different DGA configurations resolved to the same IP addresses, indicating multiple victims connected to the same C2 server.\r\nDiagram showing the overlap. Source: ESET\r\nUsing this lead, Grandoreiro's infrastructure was clustered, and ESET could gain insights into the operation's victimology and volume.\r\nMost of the victims are in Spain, Mexico, and Brazil, while the most impacted operating system is Windows 10, followed by 7, 8, and 11.\r\nGrandoreiro victims by Windows version. Source: ESET\r\nESET reports seeing 551 unique connections to Grandoreiro's infrastructure daily, with 114 being \"new daily victims.\"\r\nIf we extrapolate this to the duration of a year, Grandoreiro potentially infected over 41,000 new computers.\r\nAt this time, it is unclear if the arrested individuals held a leading role in the operation or if there's a risk of Grandoreiro returning in the future using new infrastructure.\r\nStill, the latest disruption has brought the malware operations to a complete halt for now.\r\nSource: https://www.bleepingcomputer.com/news/security/police-disrupt-grandoreiro-banking-malware-operation-make-arrests/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/police-disrupt-grandoreiro-banking-malware-operation-make-arrests/"
	],
	"report_names": [
		"police-disrupt-grandoreiro-banking-malware-operation-make-arrests"
	],
	"threat_actors": [],
	"ts_created_at": 1775791288,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/255a89402fd1fc5f8035bf5449e96d3624bd6230.pdf",
		"text": "https://archive.orkl.eu/255a89402fd1fc5f8035bf5449e96d3624bd6230.txt",
		"img": "https://archive.orkl.eu/255a89402fd1fc5f8035bf5449e96d3624bd6230.jpg"
	}
}