{
	"id": "bce078a9-3443-4993-bdd6-5ea17a19ac38",
	"created_at": "2026-04-06T00:21:12.229027Z",
	"updated_at": "2026-04-10T03:36:48.270723Z",
	"deleted_at": null,
	"sha1_hash": "a39e9309fa79d0edc33484e389eb45a374338486",
	"title": "Grandoreiro, the global trojan with grandiose goals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1443900,
	"plain_text": "Grandoreiro, the global trojan with grandiose goals\r\nBy GReAT\r\nPublished: 2024-10-22 · Archived: 2026-04-05 18:16:20 UTC\r\nGrandoreiro is a well-known Brazilian banking trojan — part of the Tetrade umbrella — that enables threat actors to\r\nperform fraudulent banking operations by using the victim’s computer to bypass the security measures of banking\r\ninstitutions. It’s been active since at least 2016 and is now one of the most widespread banking trojans globally.\r\nINTERPOL and law enforcement agencies across the globe are fighting against Grandoreiro, and Kaspersky is\r\ncooperating with them, sharing TTPs and IoCs. However, despite the disruption of some local operators of this trojan in\r\n2021 and 2024, and the arrest of gang members in Spain, Brazil, and Argentina, they’re still active. We now know for\r\nsure that only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over\r\nthe world, further developing new malware and establishing new infrastructure.\r\nEvery year we observe new Grandoreiro campaigns targeting financial entities, using new tricks in samples with low\r\ndetection rates by security solutions. The group has evolved over the years, expanding the number of targets in every new\r\ncampaign we tracked. In 2023, the banking trojan targeted 900 banks in 40 countries — in 2024, the newest versions of\r\nthe trojan targeted 1,700 banks and 276 crypto wallets in 45 countries and territories, located on all continents of the\r\nworld. Asia and Africa have finally joined the list of its targets, making it a truly global financial threat. 
In Spain alone,\r\nGrandoreiro has been responsible for fraudulent activities amounting to 3.5 million euros in profits, according to\r\nconservative estimates — several failed attempts could have yielded beyond 110 million euros for the criminal\r\norganization.\r\nIn this article, we will detail how Grandoreiro operates, its evolution over time, and the new tricks adopted by the\r\nmalware, such as the usage of 3 DGAs (domain generation algorithm) in its C2 communications, the adoption of\r\nciphertext stealing encryption (CTS), and mouse behavior tracking, aiming to bypass anti-fraud solutions. This evolution\r\nculminates with the appearance of lighter, local versions, now focused on Mexico, positioning the group as a challenge\r\nfor the financial sector, law enforcement agencies and security solutions worldwide.\r\nGrandoreiro: One malware, many operators, fragmented versions\r\nGrandoreiro is a banking trojan of Brazilian origin that has been active since at least 2016. Grandoreiro is written in the\r\nDelphi programming language, and there are many versions, indicating that different operators are involved in developing\r\nthe malware.\r\nSince 2016, we have seen the threat actors behind Grandoreiro operations regularly improving their techniques to stay\r\nunmonitored and active for a longer time. In 2020, Grandoreiro started to expand its attacks in Latin America and later in\r\nEurope with great success, focusing its efforts on evading detection using modular installers.\r\nGrandoreiro generally operates as Malware-as-a-Service, although it’s slightly different from other banking trojan\r\nfamilies. 
You won’t find an announcement on underground forums selling the Grandoreiro package — it seems that\r\naccess to the source code or builders of the trojan is very limited, only for trusted partners.\r\nhttps://securelist.com/grandoreiro-banking-trojan/114257/\r\nPage 1 of 16\n\nAfter the arrests of some operators, Grandoreiro split its codebase into lighter versions, with fewer targets. These\r\nfragmented versions of the trojan are a reaction to the recent law enforcement operations. This discovery is supported by\r\nthe existence of two distinct codebases in simultaneous campaigns: newer samples featuring updated code, and older\r\nsamples which rely on the legacy codebase, now targeting only users in Mexico — customers of around 30 banks.\r\n2022 and 2023 campaigns\r\nGrandoreiro campaigns commonly start with a phishing email written in the target country’s language. For example, the\r\nemails distributed in most of Latin America are in Spanish. However, we also saw the use of Google Ads (malvertising)\r\nin some Grandoreiro campaigns to drive users to download the initial stage of infection.\r\nPhishing emails use different lures to make the victim interact with the message and download the malware. Some\r\nmessages refer to a pending phone bill, others mimic a tax notification, and so on. In early 2022 campaigns, the malicious\r\nemail included an attached PDF. As soon as the PDF is opened, the victim is prompted with a blurred image except for a\r\npart containing “Visualizar Documento” (“View Document” in Spanish). When the victim clicks the button, they are\r\nredirected to a malicious web page which prompts them to download a ZIP file. Since May 2022, Grandoreiro campaigns\r\ninclude a malicious link inside the email body that redirects the victim to a website that then downloads a malicious ZIP\r\narchive on the victim’s machine. 
These ZIP archives commonly contain two files: a legitimate file and a Grandoreiro\r\nloader, which is responsible for downloading, extracting and executing the final Grandoreiro payload.\r\nThe Grandoreiro loader is delivered in the form of a Windows Installer (MSI) file that extracts a dynamic link library\r\n(DLL) file and executes a function embedded in the DLL. The function will do nothing if the system language is English,\r\nbut otherwise the final payload is downloaded. Most likely, this means that the analyzed versions didn’t target English-speaking countries. There have also been other cases where a VBS file is used instead of the DLL to execute the final\r\npayload.\r\nGrandoreiro recent infection flow\r\nAs for the malware itself, in August 2022 campaigns, the final payload was a 414 MB portable executable\r\nfile disguised with a PNG extension (which is later renamed to EXE dynamically by the loader). It masked itself as an\r\nASUS driver using the ASUS icon and was signed with an “ASUSTEK DRIVER ASSISTANTE” digital certificate.\r\nIn 2023 campaigns, Grandoreiro used samples with rather low detection rates. Initially, we identified three samples\r\nrelated to these campaigns, compiled in June 2023. All of them were portable executables, 390 MB in size, with the original\r\nname “ATISSDDRIVER.EXE” and internal name “ATIECLXX.EXE”. The main purpose of these samples is to monitor\r\nthe victims’ visits to financial institution websites and steal their credentials. 
The malware also allows threat actors to\r\nremotely control the victim machines and perform fraudulent transactions within them.\r\nIn the campaign involving the discussed samples, the malware tries to impersonate an AMD External Data SSD driver\r\nand is signed with an “Advice informations” digital certificate in order to appear legitimate and evade detection.\r\nImplant impersonating AMD driver\r\nDigital certificate used by Grandoreiro malware\r\nIn both cases, the malware is an executable that registers itself to be launched with Windows. However, it is worth noting\r\nthat in the majority of Grandoreiro attacks, a DLL sideloading technique is employed, using legitimate binaries that are\r\ndigitally signed to run the malware.\r\nThe considerable size of the executables can be explained by the fact that Grandoreiro utilizes a binary padding technique\r\nto inflate the size of the malicious files as a way to evade sandboxes. To achieve this, the attackers add multiple BMP\r\nimages to the resource section of the binary. In the example below, the sample included several big images. The sizes of\r\nthe highlighted images are around 83.1 MB, 78.8 MB, 75.7 MB and 37.6 MB. However, there are more of them in the binary,\r\nand together all the images add ~376 MB to the file.\r\nBinary padding used by Grandoreiro\r\nIn both 2022 and 2023 campaigns, Grandoreiro used a well-known XOR-based string encryption algorithm that is shared\r\nwith other Brazilian malware families. The difference is the encryption key. 
For Grandoreiro, some magic values were the\r\nfollowing:\r\nDate          Encryption key\r\nMarch 2022    F5454DNBVXCCEFD3EFMNBVDCMNXCEVXD3CMBKJHGFM\r\nMarch 2022    XD3CMBKJCEFD3EFMF5454NBVDNBVXCCMNXCEVDHGFM\r\nAugust 2022   BVCKLMBNUIOJKDOSOKOMOI5M4OKYMKLFODIO\r\nJune 2023     B00X02039AVBJICXNBJOIKCVXMKOMASUJIERNJIQWNLKFMDOPVXCMUIJBNOXCKMVIOKXCJUIHNSDIUJNRHUQWEBGYTVasuydhosgkjopdf\r\nThe various checks and validations aimed at avoiding detection and complicating malware analysis were also changed in\r\nthe 2022 and 2023 versions. In contrast with the older Grandoreiro campaigns, we found that some of the tasks that were\r\npreviously executed by the final payload are now implemented in the first stage loader. These tasks include security\r\nchecks, anti-debugging techniques, and more. This represents a significant change from previous campaigns.\r\nOne of these tasks is the use of the geolocation service http://ip-api.com/json to gather the target’s IP address location\r\ndata. In a campaign reported in May 2023 by Trustwave, this task is performed by JScript code embedded in an MSI\r\ninstaller before the delivery of the final payload.\r\nThere are numerous other checks that have been transferred into the loader, although some of them are still present in the\r\nbanking trojan itself. Grandoreiro gathers host information such as operating system version, hostname, display monitor\r\ninformation, keyboard layout, current time and date, time zone, default language and mouse type. Then the malware\r\nretrieves the computer name and compares it against the following strings that correspond to known sandboxes:\r\nWIN-VUA6POUV5UP;\r\nWin-StephyPC3;\r\ndifusor;\r\nDESTOP2457;\r\nJOHN-PC.\r\nComputer name validation\r\nIt also collects the username and verifies if it matches the “John” or “WORK” strings. 
If any of these validations\r\nmatch, the malware stops its execution.\r\nGrandoreiro includes detection of tools commonly used by security analysts, such as regmon.exe, procmon.exe,\r\nWireshark, and so on. The process list varies across the malware versions, and it was significantly expanded in 2024, so\r\nwe’ll share the full list later in this post. The malware takes a snapshot of currently executing processes in the system\r\nusing the CreateToolhelp32Snapshot() Windows API and goes through the process list using Process32FirstW() and\r\nProcess32NextW(). If any of the analysis tools is running on the system, the malware terminates.\r\nGrandoreiro also checks the directory in which it is being executed. If the execution path is D:\\programming or\r\nD:\\script, it terminates itself.\r\nAnother anti-analysis technique implemented in the trojan involves checking for the presence of a virtual environment\r\nby reading from the VMware backdoor I/O port 0x5658 (“VX”) and looking for the VMware magic number 0x564D5868\r\n(“VMXh”). The malware also uses the IsDebuggerPresent() function to determine whether the current process is being executed in the\r\ncontext of a debugger.\r\nLast but not least, Grandoreiro searches for anti-malware solutions such as AVAST, Bitdefender, Nod32, Kaspersky,\r\nMcAfee, Windows Defender, Sophos, Virus Free, Adaware, Symantec, Tencent, Avira, ActiveScan and CrowdStrike. 
It\r\nalso looks for banking security software, such as Topaz OFD and Trusteer.\r\nIn terms of the core functionality, some Grandoreiro samples check whether the following programs are installed:\r\nCHROME.EXE;\r\nMSEDGE.EXE;\r\nFIREFOX.EXE;\r\nIEXPLORE.EXE;\r\nOUTLOOK.EXE;\r\nOPERA.EXE;\r\nBRAVE.EXE;\r\nCHROMIUM.EXE;\r\nAVASTBROWSER.EXE;\r\nVeraCrypt;\r\nNortonvpn;\r\nAdobe;\r\nOneDrive;\r\nDropbox.\r\nIf any of these is present on the system, the malware stores their names to further monitor user activity in them.\r\nGrandoreiro also checks for crypto wallets installed on the infected machine. The malware includes a clipboard replacer\r\nfor crypto wallets, monitoring the user’s clipboard activity and replacing the clipboard data with the threat actor’s wallet addresses.\r\nClipboard replacer\r\n2024 campaigns\r\nFor a period in February 2024, a few days after the announcement of the arrest of some of the gang’s\r\noperators in Brazil, we observed a significant increase in emails detected by spam traps. There was a notable prevalence\r\nof Grandoreiro-themed messages masquerading as Mexican CFDI communications. Mexican CFDI, short for\r\n“Comprobante Fiscal Digital por Internet”, is an electronic invoicing system administered by the Mexican Tax Authority\r\n(SAT — Servicio de Administración Tributaria). 
It facilitates the creation, transmission, and storage of digital tax\r\ndocuments, mandatory for businesses in Mexico to record transactions for tax purposes.\r\nIn our investigation, we have acquired 48 samples associated not only with this instance but also with various other\r\ncampaigns.\r\nNotably, this new campaign added a new sandbox detection mechanism, namely a CAPTCHA before the execution of the\r\nmain payload, as a way to avoid the automatic analysis used by some companies:\r\nGrandoreiro anti-sandbox CAPTCHA\r\nIt is worth noting that in the 2024 Grandoreiro campaigns, the new sandbox evasion code has been implemented in the\r\ndownloader. Although the main sample still has anti-sandbox functionality too, if a sandbox is detected, it is simply not\r\ndownloaded. Besides that, the new version also added detection of many tools to its arsenal, aiming to avoid analysis.\r\nHere is the whole list of analysis tools (process names) detected by the newest versions:\r\nollydbg.exe;\r\nollyice.exe;\r\nida.exe;\r\nx32dbg.exe;\r\nx64dbg.exe;\r\nx96dbg.exe;\r\ngdb.exe;\r\nradare2.exe;\r\nghidra.exe;\r\ncutter.exe;\r\nbinaryninja.exe;\r\nhopper.exe;\r\nangr.exe;\r\nfrida.exe;\r\ncheatengine.exe;\r\njd-gui.exe;\r\ndotPeek.exe;\r\ndevenv.exe;\r\ncanvas.exe;\r\nscylla.exe;\r\npestudio.exe;\r\ndie.exe;\r\ncffexplorer.exe;\r\npebrowsepro.exe;\r\nhexworkshop.exe;\r\napimonitor.exe;\r\napimonitor-x64.exe;\r\napimonitor-x32.exe;\r\nDbgview.exe;\r\nfakenet.exe;\r\nvolatility.exe;\r\nJoeTrace.exe;\r\nregmon.exe;\r\nprocmon.exe;\r\nfilemon.exe;\r\nProcessHacker.exe;\r\nPCHunter64.exe;\r\nPCHunter32.exe;\r\nprocexp.exe;\r\nprocexp64.exe;\r\nprocexp64a.exe;\r\nsysexp.exe;\r\nvmtoolsd.exe;\r\nWireshark.exe;\r\nethereal.exe;\r\ntshark.exe;\r\ntcpdump.exe;\r\nwindump.exe;\r\npcap.exe;\r\nfiddler.exe;\r\nNetworkMiner.exe;\r\nsmartsniff.exe;\r\nsnort.exe;\r\ncain.exe;\r\nnmap.exe;\r\nnessusd.exe;\r\nettercap.exe;\r\nCapsa.exe;\r\nOmniPeek.exe;\r\nnetmon.exe;\r\ncolasoft.exe;\r\nnetwitness.exe;\r\nnetscanpro.exe;\r\npacketanalyzer.exe;\r\npackettotal.exe;\r\nNetworkAnalyzerPro.exe;\r\nPacketSled.exe;\r\nprtg.exe;\r\nPRTG Probe.exe;\r\nNetFlowAnalyzer.exe;\r\nSWJobEngineWorker2x64.exe;\r\nNetPerfMonService.exe;\r\nSolarWinds.NetPerfMon.exe;\r\nSolarWinds.DataProcessor.exe.\r\nThese are some RAT features that we found in this version:\r\nAuto-update feature allows newer versions of the malware to be deployed to the victim’s machine;\r\nSandbox/AV detection, still present in the main module, which includes more tools than previous versions;\r\nKeylogger feature;\r\nAbility to select country for listing victims;\r\nBanking security solutions detection;\r\nChecking geolocation information to ensure it runs in the target country;\r\nMonitoring Outlook emails for specific keywords;\r\nAbility to use Outlook to send spam emails.\r\nIn terms of static analysis protection, in 2024 versions, Grandoreiro has implemented enhanced encryption 
measures.\r\nDeparting from its previous reliance on commonly shared encryption algorithms found in other malware, Grandoreiro has\r\nnow adopted a multi-layered encryption approach. The decryption process in the newer versions is the following.\r\nInitially, the string undergoes deobfuscation through a simple replacement algorithm. Following this, Grandoreiro\r\nemploys the encryption algorithm based on XOR and conditional subtraction typically utilized by Brazilian malware;\r\nhowever, it differs from them by incorporating a lengthy, 140759-byte string instead of the smaller magic strings we saw in\r\n2022 and 2023 samples. Subsequently, the decrypted string undergoes base64 decoding before being subjected to\r\ndecryption via the AES-256 algorithm. Notably, the AES key and IV are themselves stored encrypted within Grandoreiro’s code. Upon\r\ncompletion of all these steps, the decrypted string is successfully recovered.\r\nGrandoreiro AES key and IV\r\nIn newer samples, Grandoreiro upgraded yet again the encryption algorithm using AES with CTS, or Ciphertext Stealing,\r\na mode of operation used when the plaintext is not a multiple of the block size, which in this case is the 128-bit\r\n(16-byte) block size used by AES. Unlike more common padding schemes, such as PKCS#7, where the final block is\r\npadded with extra bytes to fill a full block, CTS operates without padding. In CBC mode with ciphertext stealing, the last full\r\nplaintext block is encrypted as usual; the final partial block is zero-extended, XORed with that ciphertext block and\r\nencrypted; and the ciphertext of the last full block is then truncated to the length of the partial block. The truncated bytes\r\nare not lost: on decryption they fall out of the final block, because the zero padding was XORed with exactly those bytes.\r\nDepending on the variant (CS1, CS2 or CS3 in the NIST SP 800-38A Addendum), the last two ciphertext blocks may also be\r\nswapped. This allows encryption of any input of at least one block without adding padding bytes, preserving the original\r\nsize of the data.\r\nECB Encryption Steps for CTS\r\nIn the case of Grandoreiro, the malware’s encryption routine does not add standard padding to incomplete blocks of data.\r\nThe main goal is to complicate analysis: it takes time to figure out that CTS was used, and then more time to implement\r\ndecryption in this mode, which makes the extraction and deobfuscation of strings more complicated. This marks the first\r\ntime this particular method has been observed in a malware sample.\r\nAs the threat actors continue to evolve their techniques, changing the encryption in every iteration of the malware, the use\r\nof CTS in malware may signal a shift toward more advanced encryption practices.\r\nLocal versions: old meets new\r\nIn a recent campaign, our analysis has revealed the existence of an older variant of the malware that utilizes legacy\r\nencryption keys, outdated algorithms, and a simplified structure, but which runs in parallel to the campaign using the new\r\ncode. This variant targets fewer banks — about 30 financial institutions, mainly from Mexico. This analysis clearly\r\nindicates that another developer, likely with access to older source code, is conducting new campaigns using the legacy\r\nversion of the malware.\r\nHow they steal your money\r\nOperators behind Grandoreiro are equipped with a wide variety of remote commands, including an option to lock the user\r\nscreen and present a custom image (overlay) to ask the victim for extra information. 
The requested details are usually OTPs (one-time\r\npasswords), transaction passwords or tokens received by SMS, sent by financial institutions.\r\nA new tactic that we have discovered in the most recent versions found in July 2024 and later suggests that the malware is\r\ncapturing user input patterns, particularly mouse movements, to bypass machine learning-based security systems. Two\r\nspecific strings found in the malware — “GRAVAR_POR_5S_VELOCIDADE_MOUSE_CLIENTE_MEDIA” (“Record\r\nfor 5 seconds the client’s average mouse speed”) and “Medição iniciada, aguarde 5 segundos!” (“Measurement started,\r\nplease wait 5 seconds!”) — indicate that Grandoreiro is monitoring and recording the user’s mouse activity over a short\r\nperiod. This behavior appears to be an attempt to mimic legitimate user interactions in order to evade detection by anti-fraud systems and security solutions that rely on behavioral analytics. Modern cybersecurity tools, especially those\r\npowered by machine learning algorithms, analyze users’ behavior to distinguish between human users and bots or\r\nautomated malware scripts. By capturing and possibly replaying these natural mouse movement patterns, Grandoreiro\r\ncould trick these systems into identifying the activity as legitimate, thus bypassing certain security controls.\r\nThis discovery highlights the continuous evolution of malware like Grandoreiro, where attackers are increasingly\r\nincorporating tactics designed to counter modern security solutions that rely on behavioral biometrics and machine\r\nlearning.\r\nTo cash out from the victim’s account, Grandoreiro operators transfer money to the accounts of local money mules, use\r\ntransfer apps, buy cryptocurrency or gift cards, or even withdraw at an ATM. 
Usually, they search\r\nfor money mules in Telegram channels, paying $200 to $500 USD per day:\r\nGrandoreiro operator looking for money mules\r\nInfrastructure\r\nThe newest Grandoreiro version uses 3 Domain Generation Algorithms (DGAs), generating valid domains for command\r\nand control (C2) communications. The algorithm uses the current date to select strings from predefined lists and\r\nconcatenates them with a magic key to create the final domain.\r\nBy dynamically generating unique domain names based on various input data, the algorithm complicates traditional\r\ndomain-based blocking strategies. This adaptability allows the malicious actors to maintain persistent command-and-control communications, even when specific domains are identified and blacklisted, requiring security solutions to base\r\ntheir protection not on a fixed list of domains, but on an algorithm for generating them.\r\nSince early 2022, Grandoreiro has leveraged a known Delphi component shared among different malware families, named\r\nRealThinClient SDK, to remotely access victim machines and perform fraudulent actions. This SDK is a flexible and\r\nmodular framework for building reliable and scalable Windows HTTP/HTTPS applications with Delphi. By using\r\nRealThinClient SDK, the program can handle thousands of active connections in an efficient multithreaded manner.\r\nGrandoreiro C2 Communication\r\nOperator tool\r\nGrandoreiro’s Operator is the tool that allows the cybercriminal to remotely access and control the victim’s machine. 
It is\r\na Delphi-based application that lists its victims whenever they start browsing a targeted financial institution website.\r\nGrandoreiro’s Operator tool\r\nOnce the cybercriminal chooses a victim to operate on, they are presented with the screen shown in the image below,\r\nwhich allows many commands to be executed and visualizes the victim’s desktop.\r\nGrandoreiro’s Operator commands\r\nCloud VPS\r\nOne overlooked feature of the Grandoreiro malware is what is called “Cloud VPS” by the attackers — it allows\r\ncybercriminals to set up a gateway computer between the victim’s machine and the malware operator, thus hiding the\r\ncybercriminal’s real IP address.\r\nThis is also used by them to make investigation harder, as the first thing noted is the gateway’s IP address. When\r\nrequesting a seizure, an investigator just finds the gateway module. Meanwhile, the criminal has already set up a new\r\ngateway somewhere else and new victims connect to the new one through its DGA.\r\nGrandoreiro Cloud VPS\r\nVictims and targets\r\nThe Grandoreiro banking trojan is primed to steal account credentials for 1,700 financial institutions, located in 45\r\ncountries and territories. After decrypting the strings of the malware, we can see the targeted banks listed separated by\r\ncountries/territories. This doesn’t mean that Grandoreiro will target a specific bank from the list; it means it is ready to\r\nsteal credentials and act, if there is a local partner or money mule who can operationalize and complete the action. 
The\r\nbanks targeted by Grandoreiro are located in Algeria, Angola, Antigua and Barbuda, Argentina, Australia, Bahamas,\r\nBarbados, Belgium, Belize, Brazil, Canada, Cayman Islands, Chile, Colombia, Costa Rica, Dominican Republic,\r\nEcuador, Ethiopia, France, Ghana, Haiti, Honduras, India, Ivory Coast, Kenya, Malta, Mexico, Mozambique, New\r\nZealand, Nigeria, Panama, Paraguay, Peru, Philippines, Poland, Portugal, South Africa, Spain, Switzerland, Tanzania,\r\nUganda, United Kingdom, Uruguay, USA, and Venezuela. It’s important to note that the list of targeted banks and\r\ninstitutions tends to change slightly from one version to another.\r\nFrom January to October 2024, our solutions blocked more than 150,000 infections impacting more than 30,000 users\r\nworldwide, a clear sign the group is still very active. According to our telemetry, the countries most affected by\r\nGrandoreiro infections are Mexico, Brazil, Spain, and Argentina, among many others.\r\nConclusion\r\nWe understand how difficult it is to eradicate a malware family, but it is possible to impede their operation with the\r\ncooperation of law enforcement agencies and the private sector — modern financial cybercrime can and must be fought.\r\nBrazilian banking trojans are already an international threat; they’re filling the gaps left by Eastern European gangs who\r\nhave migrated into ransomware. We know that in some countries, internet banking is declining on desktops, forcing\r\nGrandoreiro to target companies and government entities who are still operating in that way.\r\nThe threat actors behind the Grandoreiro banking malware are continuously evolving their tactics and malware to\r\nsuccessfully carry out attacks against their targets and evade security solutions. 
Kaspersky continues to cooperate with\r\nINTERPOL and other agencies around the world to fight the Grandoreiro threat among internet banking users.\r\nThis threat is detected by Kaspersky products as HEUR:Trojan-Banker.Win32.Grandoreiro, Trojan-Downloader.OLE2.Grandoreiro, Trojan.PDF.Grandoreiro and Trojan-Downloader.Win32.Grandoreiro.\r\nFor more information, please contact: crimewareintel@kaspersky.com\r\nIndicators of Compromise\r\nHost based\r\nf0243296c6988a3bce24f95035ab4885\r\ndd2ea25752751c8fb44da2b23daf24a4\r\n555856076fad10b2c0c155161fb9384b\r\n49355fd0d152862e9c8e3ca3bbc55eb0\r\n43eec7f0fecf58c71a9446f56def0240\r\n150de04cb34fdc5fd131e342fe4df638\r\nb979d79be32d99824ee31a43deccdb18\r\nSource: https://securelist.com/grandoreiro-banking-trojan/114257/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/grandoreiro-banking-trojan/114257/"
	],
	"report_names": [
		"114257"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434872,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a39e9309fa79d0edc33484e389eb45a374338486.pdf",
		"text": "https://archive.orkl.eu/a39e9309fa79d0edc33484e389eb45a374338486.txt",
		"img": "https://archive.orkl.eu/a39e9309fa79d0edc33484e389eb45a374338486.jpg"
	}
}