Finance — Iberian retail-banking pressure from Grandoreiro plus a parallel Android MaaS
From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25
WatchGuard documented a Grandoreiro campaign against banks in Portugal and Spain that abuses Delphi DLL side-loading across four different software packages and uses WebSocket/STUN for C2. ESET mapped a parallel BTMOB Android RAT, delivered as malware-as-a-service, against the same Iberian banking customers via HTML injection and Accessibility Service abuse (2026-05-29). For EU financial-sector defenders, the pattern is a desktop-plus-mobile pincer from LATAM-origin operators sustaining European targeting. The two halves call for DLL side-loading detection on the endpoint and Accessibility Service abuse heuristics on managed mobile fleets.
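For the endpoint half, a triage heuristic for DLL side-loading run over image-load events; this is an added example, not code from the brief, WatchGuard or ESET. Field names follow Sysmon Event ID 7; the `Host` field, the user-writable directory list and every sample path are constructed assumptions.

```python
import ntpath

# Directory fragments a standard user can usually write to (assumed list; tune per estate).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\",
                 "\\downloads\\", "\\temp\\")

def is_user_writable(path):
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)

def sideload_candidates(events):
    """Return (host, image, dll) for loads with the side-loading shape:
    a DLL without a valid signature, loaded from the same user-writable
    directory as the executable that loaded it."""
    hits = []
    for e in events:
        image, dll = e["Image"], e["ImageLoaded"]
        if not dll.lower().endswith(".dll"):
            continue
        same_dir = ntpath.dirname(image).lower() == ntpath.dirname(dll).lower()
        bad_sig = e["Signed"] != "true" or e["SignatureStatus"] != "Valid"
        if same_dir and bad_sig and is_user_writable(dll):
            hits.append((e["Host"], image, dll))
    return hits

def ev(host, image, dll, signed, status):
    # "Host" is an assumed field added by the log pipeline, not part of Event ID 7 data.
    return {"Host": host, "Image": image, "ImageLoaded": dll,
            "Signed": signed, "SignatureStatus": status}

# Constructed sample events; none of these paths come from the reported campaign.
SAMPLE_EVENTS = [
    ev("WS-01", r"C:\Users\ana\AppData\Local\Updater\updater.exe",
       r"C:\Users\ana\AppData\Local\Updater\helper.dll", "false", "Unavailable"),
    ev("WS-01", r"C:\Program Files\Vendor\app.exe",
       r"C:\Program Files\Vendor\plugin.dll", "false", "Unavailable"),
    ev("WS-02", r"C:\Users\rui\AppData\Local\App\app.exe",
       r"C:\Windows\System32\version.dll", "true", "Valid"),
    ev("WS-02", r"C:\Users\rui\AppData\Local\App\app.exe",
       r"C:\Users\rui\AppData\Local\App\core.dll", "true", "Valid"),
    ev("WS-03", r"C:\ProgramData\Tool\tool.exe",
       r"C:\ProgramData\Tool\version.dll", "false", "Unavailable"),
]

if __name__ == "__main__":
    for host, image, dll in sideload_candidates(SAMPLE_EVENTS):
        print(f"{host}: {image} loaded {dll}")
```

Legitimate per-user installers also ship unsigned DLLs, so treat hits as triage candidates and rank them by how rare the executable and DLL pairing is across the fleet.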