{
	"id": "a5a2321c-b1ab-4acd-85e3-f9e9637236ac",
	"created_at": "2026-04-06T00:14:49.681954Z",
	"updated_at": "2026-04-10T03:20:22.979868Z",
	"deleted_at": null,
	"sha1_hash": "3121b539a3b59f5abfcaaf70eff89eec30c059a7",
	"title": "Trend Micro Collaborated with Interpol in Cracking Down Grandoreiro Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 430606,
	"plain_text": "Trend Micro Collaborated with Interpol in Cracking Down\r\nGrandoreiro Banking Trojan\r\nPublished: 2024-04-24 · Archived: 2026-04-05 20:21:14 UTC\r\nMalware\r\nIn this blog entry, we discuss Trend Micro's contributions to an Interpol-coordinated operation to help Brazilian and Spanish law enforcement agencies analyze malware samples of the Grandoreiro banking trojan.\r\nBy: Joshua Paul Ignacio, Paul Pajares, Paul John Bardon Apr 24, 2024 Read time: 3 min (681 words)\r\nIn April 2023, the International Criminal Police Organization (Interpol) requested any indicators of compromise (IOCs) or information related to the banking trojan Grandoreiro, specifically for command-and-control (C\u0026C) servers. Grandoreiro has evolved with new features and capabilities since it first appeared around 2018, and has primarily targeted users in Latin America and Europe. Trend Micro was one of the partners involved in Interpol’s operation to help Brazilian and Spanish law enforcement agencies (LEAs) analyze Grandoreiro malware samples as part of their national cybercrime investigations. The Interpol-coordinated operation resulted in the arrest of five administrators behind a Grandoreiro operation, as announced by the Brazilian authorities.\r\nGrandoreiro spreads through phishing emails, malicious attachments, or links leading to fake websites. These emails often impersonate legitimate organizations, such as banks or financial institutions, to trick users into downloading and executing the malware. Once installed on a victim’s system, Grandoreiro operates as a typical banking trojan, aiming to steal sensitive financial information. Over time, Grandoreiro has undergone various updates and modifications, enhancing its evasion and obfuscation techniques to avoid detection by antivirus software and other security measures.\r\nTrend’s Contributions\r\nHere’s a summary of Trend’s contributions to the operation:\r\nTrend threat intelligence data from January to April 2023 showed that Argentina recorded the highest number of detections related to Grandoreiro with 1,118 detections, followed by Turkey with 322 detections, and Mexico with 265 detections (Figure 1).\r\nhttps://www.trendmicro.com/en_us/research/24/d/trend-micro-collaborated-with-interpol-in-cracking-down-grandore.html\r\nPage 1 of 5\r\nFigure 1. Highest number of Grandoreiro detections by country\r\nTrend provided an additional list of banks/strings found in a sample. The malware uses these to monitor the user’s browsing activity by cross-referencing the active window against the list and checking whether it matches one of the strings. The list of strings can be accessed at the end of this article.\r\nDuring the investigation, it was discovered that Grandoreiro used domain generation algorithms (DGAs) for its C\u0026C communications. To gain further insight, Trend generated all possible domains from the list of strings and subdomains found in multiple samples. As a result, more than 4,000 DGA domains were generated, providing valuable information for pivoting to the C\u0026C servers Grandoreiro used at that time.\r\nThe admin panel is crucial for investigating the scale of a threat actor’s attacks and identifying victims. Using the open-source tool URLScan (urlscan.io), Trend recommended inspecting three active admin panels and noted their respective hosting locations. The following were the URLs of the admin panels, with a screenshot of the login page in Figure 2:\r\n185.191.228[.]227/autorizar.php (United States)\r\n192.95.6[.]196/23112022new/autorizar.php (Canada)\r\n51.77.193[.]20/eliteseguros/autorizar.php (France)\r\nFigure 2. Screenshot of the login page\r\nTrend recommended inspecting the Dropbox file storage where the malicious email attachment was hosted, since it contained the name of the uploader. This was very likely a fake name, although we believe it can still help in attribution. Figures 3 and 4 show the Dropbox accounts with the names “RITA MENDES” and “Nohemi Valdes”, respectively:\r\nFigure 3. Dropbox storage with the uploader name “RITA MENDEZ”\r\nFigure 4. Dropbox storage with the uploader name “Nohemi Valdes”\r\nTrend provided an analysis of Grandoreiro’s use of VBScript (VBS) in its malicious routine, as shown in Figure 5.\r\nFigure 5. Infection chain of Grandoreiro using VBS\r\nCooperation with Interpol\r\nThese contributions are the latest in Trend’s long track record of successful collaborations with international law enforcement. Collaborations between law enforcement and the private sector give security organizations and industry specialists the opportunity to share their expertise, resources, and years of experience with LEAs such as Interpol, strengthening efforts to combat cybercrime by effectively targeting and dismantling malicious actors.\r\nTrend’s ongoing cooperation with Interpol has been instrumental in a series of prominent crackdowns over the years, including the dismantling of the 16shop phishing kit and the disruption of African cybercrime networks during Africa Cyber Surge I and II in 2023, the apprehension of business email compromise (BEC) actors under Operation Killer Bee in 2022, and the capture of REvil and Cl0p syndicate members as part of Operation Cyclone in 2021. This partnership endures as Trend persists in its commitment to securing our increasingly connected world.\r\nThe list of banks/strings found in a sample can be viewed here.\r\nSource: https://www.trendmicro.com/en_us/research/24/d/trend-micro-collaborated-with-interpol-in-cracking-down-grandore.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/d/trend-micro-collaborated-with-interpol-in-cracking-down-grandore.html"
	],
	"report_names": [
		"trend-micro-collaborated-with-interpol-in-cracking-down-grandore.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3121b539a3b59f5abfcaaf70eff89eec30c059a7.pdf",
		"text": "https://archive.orkl.eu/3121b539a3b59f5abfcaaf70eff89eec30c059a7.txt",
		"img": "https://archive.orkl.eu/3121b539a3b59f5abfcaaf70eff89eec30c059a7.jpg"
	}
}