{
	"id": "e81a9e6c-d7bd-42fd-8233-6f24c442125b",
	"created_at": "2026-04-06T00:21:42.321946Z",
	"updated_at": "2026-04-10T03:20:27.096036Z",
	"deleted_at": null,
	"sha1_hash": "f011de685ba2fa504be7711260c9cac6c17004e0",
	"title": "Grandoreiro Malware: Spear Phishing, Outlook Exploits, and More",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46973,
	"plain_text": "Grandoreiro Malware: Spear Phishing, Outlook Exploits, and More\r\nBy Flashpoint Intel Team\r\nPublished: 2024-08-01 · Archived: 2026-04-05 14:42:29 UTC\r\nGrandoreiro, a banking trojan that once preyed on Latin American financial institutions, has reemerged. Although the operation was thought to have been shut down in a joint action spearheaded by the Federal Police of Brazil, Flashpoint analysts have observed new reports of the malware targeting victims in North America, Europe, Asia, and Africa. Now that this once-regional threat has gone global, it is essential that organizations understand how the trojan works and learn how to protect against it.\r\nUnderstanding How Grandoreiro Works\r\nGrandoreiro exists to steal financial information and credentials and to make unauthorized money transfers. It is primarily disseminated through spear phishing, using malicious links or email attachments for initial infection. Once a host is infected, however, the malware uses a unique module that lets it spread further by abusing the local installation of Microsoft Outlook.\r\nThis is accomplished with email templates that the command and control (C2) server sends down to the infected Outlook client. The malware uses a legitimate component to access the local Outlook namespace, so it needs no Outlook vulnerability, only a signed-in user with Outlook installed. It then scans the victim’s inbox, harvests email addresses, filters out the ones it does not want, and sends the template acquired from the C2 server to the rest.\r\nThe resulting phishing emails contain links to ZIP archives or MSI installer files masquerading as PDF documents. These files harbor the Grandoreiro loader, which infects additional systems and perpetuates the malware’s distribution.\r\nThe Grandoreiro Loader\r\nThe custom loader is written in Borland Delphi. To avoid antivirus scanning, the Grandoreiro loader is bloated to over 100 MB, a padding trick that relies on scanners and sandboxes that skip files above a size threshold.\r\n
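The padding described above is something an analyst can measure rather than take on trust, and the same check applies to the stealer stage, which the next section says is padded the same way. The following is an added example, not code from the Flashpoint post and not Grandoreiro’s own code: a minimal pure-Python PE parser that lists the sections and the overlay (bytes after the last section’s raw data), measures the entropy of each region, and reports the ones that look like filler. The sample PE built by build_sample_pe(), the 100 MB size threshold and the entropy cut-off are constructed for illustration; the post does not say how the real loader’s padding is laid out.

```python
'''Triage helper for padded (bloated) PE files.

Added example, not code from the Flashpoint post and not Grandoreiro's own
code. It parses just enough of a PE image to list the sections and the
overlay, measures each region's entropy, and reports regions that look like
filler. build_sample_pe(), the 100 MB threshold and the entropy cut-off are
constructed for illustration.
'''
import math
import struct
from collections import Counter

BLOAT_THRESHOLD = 100 * 1024 * 1024   # the post's figure of over 100 MB


def shannon_entropy(buf: bytes) -> float:
    '''Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform random.'''
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_regions(data: bytes) -> list:
    '''Return [(name, offset, size)] for every section plus the overlay.

    Only the fields needed to locate raw data are read: e_lfanew, the section
    count, SizeOfOptionalHeader and each section's SizeOfRawData and
    PointerToRawData. An Authenticode certificate table also lives in the
    overlay; this helper does not distinguish it from padding.
    '''
    if data[:2] != b'MZ':
        raise ValueError('not a DOS/PE file')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('bad PE signature')
    coff = e_lfanew + 4
    num_sections = struct.unpack_from('<H', data, coff + 2)[0]
    opt_size = struct.unpack_from('<H', data, coff + 16)[0]
    table = coff + 20 + opt_size
    regions = []
    end_of_sections = table + 40 * num_sections      # headers count as used bytes
    for i in range(num_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(bytes(1)).decode('ascii', 'replace')
        size_raw, ptr_raw = struct.unpack_from('<II', data, hdr + 16)
        regions.append((name, ptr_raw, size_raw))
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    overlay_start = min(end_of_sections, len(data))
    regions.append(('overlay', overlay_start, len(data) - overlay_start))
    return regions


def triage(data: bytes, min_size: int = 1 << 20, max_entropy: float = 1.0) -> dict:
    '''Flag regions of at least min_size bytes whose entropy is below max_entropy.

    Entropy is sampled over the first MiB of each region so a file of several
    hundred MB does not stall the check.
    '''
    padding = []
    for name, off, size in pe_regions(data):
        if size >= min_size and shannon_entropy(data[off:off + (1 << 20)]) < max_entropy:
            padding.append((name, size))
    return {
        'file_size': len(data),
        'oversized': len(data) > BLOAT_THRESHOLD,
        'padding': padding,                       # e.g. [('overlay', 4096)]
        'padded_bytes': sum(s for _, s in padding),
    }


def strip_overlay(data: bytes) -> bytes:
    '''Drop the overlay so the core image can be hashed and scanned.

    Only safe when triage() showed the overlay is filler: a loader that reads
    its payload from the overlay will no longer run after this.
    '''
    overlay = pe_regions(data)[-1]
    return data[:overlay[1]]


def build_sample_pe(overlay: bytes) -> bytes:
    '''Constructed minimal PE32 (one .text section) followed by the given overlay.'''
    opt_size = 0xE0                                   # PE32 optional header size
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)             # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10B)             # PE32 magic
    text = bytes(range(256)) * 2                      # high-entropy stand-in for code
    ptr_raw = 64 + 4 + 20 + opt_size + 40             # first byte after the headers
    section = struct.pack('<8sIIIIIIHHI', b'.text', 0x200, 0x1000, len(text),
                          ptr_raw, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b'PE' + bytes(2) + coff + bytes(opt) + section + text + overlay


if __name__ == '__main__':
    sample = build_sample_pe(bytes(4096))             # 4 KiB of zero padding
    print(triage(sample, min_size=1024))
    print(len(strip_overlay(sample)))
```

Run it against a real sample with the default min_size and the 'oversized' flag together with a large low-entropy overlay is a strong hint that the file was inflated to dodge scanning; hashing the output of strip_overlay() then gives a stable identifier for the core binary that survives re-padding.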
When the custom loader executes, it requires user interaction in the form of a fake Adobe Acrobat captcha, which prevents execution in automated sandbox environments.\r\nAfter this, additional anti-analysis checks occur. The malware uses standard process enumeration APIs and searches the running processes for an extensive list of analysis tools and other sandbox indicators.\r\nFigure: Example of a sandbox environment check code block for Grandoreiro malware\r\nIf the target machine passes the anti-analysis checks, the malware acquires basic information about the victim, including the target’s public IP address and location. It then collects machine information such as the username, computer name, OS version, installed antivirus, whether Outlook is installed, the number of cryptocurrency wallets installed, the number of specialty banking applications installed, and other details. All of this is packaged into a single string and sent to the C2 server.\r\nThe C2 address is hard-coded as an encrypted string within the loader. Once the beacon packet is sent, the C2 responds with a location from which to download the next-stage payload and the size of that payload. The payload is RC4-decrypted and executed.\r\nFigure: Flowchart for Grandoreiro’s string decryption within the loader\r\nThe Grandoreiro Stealer\r\nLike the loader, the main payload is written in Borland Delphi and is bloated to over 100 MB. It begins by looking for a .cfg file in both its own directory and in C:\\Public. This config file records which functions are enabled; if it is not present, Grandoreiro creates one. Additionally, it creates an XML file that contains the executable’s location and the infection date. 
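The loader’s handling of the C2 reply in the previous section (a download location, the announced payload size, and RC4 decryption of the fetched blob) is worth seeing as code. The following is an added example, not Flashpoint’s code and not Grandoreiro’s: a standard RC4 implementation plus the size and PE-header checks an analyst would apply before treating a decrypted blob as the next stage. The key and the sample blob are constructed; the post publishes neither the real key nor a sample. Going beyond the post, the block also verifies itself against published RC4 test vectors so a reader can trust the primitive.

```python
'''RC4 decryption of a downloaded next-stage payload.

Added example, not Flashpoint's code and not Grandoreiro's. The post says the
C2 answers the loader's beacon with a download location plus the payload size,
and that the fetched blob is RC4-decrypted and then executed. DEMO_KEY and
DEMO_BLOB below are constructed; the real key is not published.
'''
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    '''Standard RC4: key-scheduling (KSA), then the PRGA byte generator.'''
    if not 1 <= len(key) <= 256:
        raise ValueError('RC4 key must be 1..256 bytes')
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    '''RC4 is a stream cipher, so the same call both encrypts and decrypts.'''
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_stage(blob: bytes, key: bytes, announced_size: int) -> bytes:
    '''Reproduce the loader's handling of the C2 reply on the analyst side.

    The size the C2 announced is checked first (a truncated download would
    otherwise decrypt to garbage that only fails later), then the blob is
    decrypted and sanity-checked for a PE header before anything executes it.
    '''
    if len(blob) != announced_size:
        raise ValueError(f'size mismatch: got {len(blob)}, C2 announced {announced_size}')
    stage = rc4(key, blob)
    if stage[:2] != b'MZ':
        raise ValueError('decrypted stage is not a PE image (wrong key or corrupt blob)')
    return stage


# Constructed demo material (not from the post): a fake PE header standing in
# for the next stage, encrypted under a made-up key to simulate the download.
DEMO_KEY = b'constructed-demo-key'
DEMO_STAGE = b'MZ' + bytes(range(62)) + b'PE' + bytes(2)
DEMO_BLOB = rc4(DEMO_KEY, DEMO_STAGE)


if __name__ == '__main__':
    # Published RC4 test vector: key Key, plaintext Plaintext -> bbf316e8d940af0ad3
    print(rc4(b'Key', b'Plaintext').hex())
    print(decrypt_stage(DEMO_BLOB, DEMO_KEY, len(DEMO_BLOB))[:2])
```

Because RC4 is symmetric, the same rc4() call recovers the plaintext from a captured download once the key has been pulled out of the loader; the MZ check is the cheapest way to confirm the key is right before spending time on the decrypted stage.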
The .cfg and XML files’ contents are encrypted using Grandoreiro’s custom string encryption algorithm.\r\nAdditional Malware Capabilities\r\nGrandoreiro primarily targets financial data and login credentials and facilitates illicit monetary transactions. Unlike most infostealers and banking trojans, however, it does not act on its own: the threat actor must interact with the infected machine. Using Grandoreiro, threat actors can perform additional actions such as:\r\n1. Disabling mouse input and blocking the screen on the infected target.\r\n2. Establishing remote control to steal money without disruption.\r\n3. Creating fake login screens or using keylogging features to steal credentials.\r\n4. Downloading and executing additional malware.\r\nHow to Defend against It\r\nGrandoreiro is written to target both financial institutions and individuals, so readers should take the proper precautions to repel or mitigate targeting attempts. Here are some ways you can protect yourself:\r\nRely on a comprehensive source of threat intelligence: Threat actors are constantly improving their tactics and tools. Detailed threat intelligence helps security teams stay informed on the latest malware changes and trends.\r\nHeightened email vigilance: Exercise extreme caution when handling unsolicited emails, especially those containing links or attachments. 
Scrutinize the sender’s address and verify the legitimacy of any links; a linked ZIP or MSI file that claims to be a PDF is exactly the lure this campaign uses.\r\nKeep antivirus and security software up-to-date: Ensure that all security tools are maintained and configured to perform regular scans, and check the maximum file size your engine will scan: both Grandoreiro stages are padded to over 100 MB to avoid being scanned at all.\r\nUser education: Organizations should schedule regular and comprehensive security awareness training to educate employees about the risks of spear phishing and the importance of adhering to security best practices.\r\nImplement multi-factor authentication (MFA): Use MFA for critical systems and accounts to add an extra layer of security. This makes it more difficult for attackers to gain unauthorized access even if they steal user credentials. Note that Grandoreiro’s remote-control capability lets the operator act from inside the victim’s already-authenticated session, so MFA at login raises the bar but does not by itself stop fraud from an infected host.\r\nProtect against Emerging Threats Using Flashpoint\r\nThe resurgence of Grandoreiro underscores the dynamic and ever-evolving landscape of cybercrime. Threat actors will continually adapt, refine their tactics, and expand their reach. While Grandoreiro presents a formidable challenge for organizations, understanding its distribution vectors, evasion techniques, and capabilities empowers security teams to protect themselves.\r\nSign up for a demo and see how Flashpoint helps customers stay ahead of emerging threats. Customers can find a more in-depth analysis in the Flashpoint Ignite platform.\r\nSource: https://flashpoint.io/blog/grandoreiro-malware-exploits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://flashpoint.io/blog/grandoreiro-malware-exploits/"
	],
	"report_names": [
		"grandoreiro-malware-exploits"
	],
	"threat_actors": [],
	"ts_created_at": 1775434902,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f011de685ba2fa504be7711260c9cac6c17004e0.pdf",
		"text": "https://archive.orkl.eu/f011de685ba2fa504be7711260c9cac6c17004e0.txt",
		"img": "https://archive.orkl.eu/f011de685ba2fa504be7711260c9cac6c17004e0.jpg"
	}
}