
The Grandoreiro banking trojan has reemerged in new phishing campaigns targeting users in Latin America and Europe, according to recent reports from Forcepoint X-Labs and IBM X-Force [1]. First observed in 2016, the malware has evolved into a modular threat capable of credential theft, cryptocurrency wallet hijacking, and evasion techniques. This resurgence follows law enforcement disruptions in 2024, demonstrating the operational resilience of its operators [2].
TL;DR: Key Findings
- Active since 2016, now targeting 60+ countries including Brazil, Mexico, Spain, and Portugal
- Uses tax-themed phishing lures with malicious links to Contabo/OVHcloud hosting
- Payloads delivered via obfuscated VBS scripts and Delphi executables
- Operates as malware-as-a-service (MaaS) with rotating C2 infrastructure
- Targets 1,700+ banks and 276 cryptocurrency wallets
Technical Analysis of Recent Campaigns
The 2025 campaigns employ tax-themed lures impersonating government agencies in Argentina, Mexico, and Spain. Attackers distribute malicious links via email, redirecting to compromised Contabo and OVHcloud servers [3]. The final payload is typically hosted on Mediafire, using a multi-stage deployment:
- Initial VBS script with environmental checks
- Delphi-based loader with anti-analysis techniques
- Modular banking trojan components
Command-and-control infrastructure uses dynamically generated subdomains (e.g., contaboserver[.]net) with TLS encryption. Recent samples show improved evasion capabilities, including:
| Technique | Implementation |
|---|---|
| Process Injection | Explorer.exe memory space hijacking |
| Network Evasion | DNS-over-HTTPS for C2 communication |
| Persistence | Registry key modification (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) |
Historical Context and Evolution
Originally part of the Tetrade malware family, Grandoreiro was primarily a Brazilian threat until 2020, when it expanded to Mexico, Portugal, and Spain [4]. Despite Interpol-led takedowns in 2024 that arrested key operators, the malware resurfaced within months with improved capabilities:
“Grandoreiro’s 2025 version shows significant code restructuring, suggesting new developer involvement. The malware now incorporates techniques previously seen in Dridex and QakBot campaigns.” – IBM X-Force report
The shift to a MaaS model has enabled rapid adaptation, with observed attack volumes increasing 300% year-over-year in Q1 2025 [1].
Detection and Mitigation Strategies
Organizations should monitor for these indicators:
- Network traffic to the Contabo/OVHcloud ranges cited in the reports (185.143.223.0/24, 146.255.56.0/21); these are shared hosting ranges with legitimate tenants, so treat hits as alerts to triage rather than as grounds for an automatic block
- VBS scripts with obfuscated strings containing “Grandoreiro” or “Tetrade”
- Delphi executables with anomalous import tables (missing common DLLs)
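The two network indicators above (hosting ranges and the C2 domain pattern) can be turned into a simple triage check. The following Python script is an added example, not code from the cited reports; the flow-log format, the internal source addresses, the hostnames and the `scan_flows` helper are constructed for illustration, while the CIDRs and the defanged domain are the ones quoted in this article.

```python
import ipaddress
import re

# CIDRs quoted in the article. Whole provider ranges also host legitimate
# customers, so a match is a triage alert, not an automatic block decision.
SUSPECT_RANGES = [ipaddress.ip_network(c)
                  for c in ("185.143.223.0/24", "146.255.56.0/21")]

# Defanged C2 domain from the article; subdomains are dynamically generated,
# so match on the registered domain and anything beneath it.
C2_DOMAINS = ("contaboserver[.]net",)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (contaboserver[.]net) back into a real hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def ip_in_suspect_range(ip: str) -> bool:
    """True if the address falls inside one of the cited hosting ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_RANGES)


def domain_matches_c2(host: str) -> bool:
    """True for the C2 domain itself or any subdomain of it (not look-alikes)."""
    host = refang(host).lower().rstrip(".")
    return any(host == refang(d) or host.endswith("." + refang(d)) for d in C2_DOMAINS)


# Constructed flow log (hypothetical format): ts src dst:port bytes sni_or_host
SAMPLE_FLOWS = """\
2025-03-12T09:14:02Z 10.0.5.23 185.143.223.41:443 5120 a7f3k.contaboserver.net
2025-03-12T09:14:05Z 10.0.5.23 142.250.74.14:443 2048 www.google.com
2025-03-12T09:15:11Z 10.0.7.8 146.255.60.9:443 912 -
2025-03-12T09:16:30Z 10.0.5.23 146.255.48.1:443 300 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\d+) (\S+)$")


def scan_flows(text: str) -> list[dict]:
    """Return one alert per flow that hits an IP range or the C2 domain pattern."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, src, dst, port, nbytes, host = m.groups()
        reasons = []
        if ip_in_suspect_range(dst):
            reasons.append("dst in suspect hosting range")
        if host != "-" and domain_matches_c2(host):
            reasons.append("host matches C2 domain pattern")
        if reasons:
            alerts.append({"ts": ts, "src": src, "dst": dst,
                           "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

Note that 146.255.48.1 sits outside 146.255.56.0/21 (which spans .56.0 to .63.255), so the last constructed flow produces no alert; the first flow is flagged on both the range and the domain, which is the combination worth escalating first.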
Recommended defensive measures include:
- Implement application allowlisting for VBS and PowerShell execution (for VBS this means constraining the Windows Script Host binaries wscript.exe and cscript.exe)
- Deploy EDR solutions with behavioral detection for process hollowing
- Block known malicious TLDs at network perimeter
- User training on tax-themed phishing lures
Conclusion
Grandoreiro’s resurgence demonstrates the challenges of disrupting financially motivated malware operations. Its modular design and regional targeting make it particularly dangerous for financial institutions in Latin America. Organizations should prioritize monitoring for the described TTPs and update detection rules accordingly.
References
- “Fresh Grandoreiro Banking Trojan Campaigns Target Latin America, Europe”, SecurityWeek, 2025.
- “Disrupting a Grandoreiro malware operation”, INTERPOL, 2024.
- “The Grandoreiro banking trojan has been revived”, Forcepoint LinkedIn, 2025.
- “Grandoreiro Banking Trojan Unleashed”, IBM X-Force, 2025.