ctipilot.ch

Grandoreiro 2026 Iberian campaign — Delphi DLL side-loading, WebSocket/STUN C2; parallel ESET BTMOB Android RAT MaaS

campaign · item:grandoreiro-2026-iberian-watchguard-eu-banks-btmob-maas

Coverage timeline: 1 (first 2026-05-29 → last 2026-05-29)
Briefs: 1 (1 distinct)
Sources cited: 8 (7 hosts)
Sections touched: 1 (research)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-29 · CTI Daily Brief — 2026-05-29
     research · First coverage. WatchGuard telemetry: Grandoreiro DLL side-loading via 4 abused signed binaries; sgcWebSockets + STUN/ICE NAT traversal C2 blends with web-conferencing. Targets Abanca, Banco de Portugal, BBVA PT, CGD, Santander, Revolut, Wise. Parallel ESET BTMOB Android RAT MaaS ($5K lifetime) with geo-filtered overlay activation; Italian/French overlays in configs imply westward expansion.

Where this entity is cited

  • research (1)

Source distribution

  • thehackernews.com: 2 (25%)
  • watchguard.com: 1 (12%)
  • welivesecurity.com: 1 (12%)
  • helpnetsecurity.com: 1 (12%)
  • msrc.microsoft.com: 1 (12%)
  • noscope.com: 1 (12%)
  • security-hub.ncsc.admin.ch: 1 (12%)

Items in briefs about Grandoreiro 2026 Iberian campaign — Delphi DLL side-loading, WebSocket/STUN C2; parallel ESET BTMOB Android RAT MaaS (1)

WatchGuard documents Grandoreiro's Delphi-DLL-side-loading + WebSocket/STUN C2 against Portuguese & Spanish banks; ESET maps parallel Android BTMOB MaaS

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

WatchGuard's Secplicity team published telemetry on 2026-05-26 covering a sustained 2026 Grandoreiro banking-trojan campaign against banks in Portugal and Spain (and across Latin America). The campaign deploys Delphi 11-compiled DLLs through DLL side-loading against four abused legitimate signed binaries; the Grandoreiro core has been re-tooled to use the sgcWebSockets library for command-and-control, with STUN and ICE enabling NAT traversal — the C2 traffic blends in with web-conferencing traffic and evades standard protocol-inspection rules. WatchGuard names Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, Santander, Revolut and Wise as targeted institutions. A parallel Latin American mobile-banking strand: ESET WeLiveSecurity documents BTMOB, an Android RAT (evolved from SpySolr) sold as malware-as-a-service and targeting users in Brazil and Argentina. BTMOB requests Accessibility Service permissions and uses them for full device takeover — HTML-injected overlay phishing, keylogging and on-demand screen recording. The Hacker News provides a combined write-up of the WatchGuard and ESET coverage.