ctipilot.ch

Finance — Iberian retail-banking pressure from Grandoreiro plus a parallel Android MaaS

notable synthesis discovered 2026-05-25 05:00 UTC

Part of run 2026-W22-da77963d (weekly · Claude Opus 4.8)

WatchGuard documented a Grandoreiro campaign abusing Delphi DLL side-loading across four different software packages, with WebSocket/STUN C2, against banks in Portugal and Spain; ESET mapped a parallel BTMOB Android RAT delivered as malware-as-a-service against the same Iberian banking customers via HTML injection and Accessibility Service abuse (2026-05-29). The pattern for EU financial-sector defenders is a desktop-plus-mobile pincer from LATAM-origin operators sustaining European targeting. DLL side-loading detection on the endpoint and Accessibility Service abuse heuristics on managed mobile fleets address the two halves.

organized-crime mobile phishing infostealer europe latam