Hola Espana: Grandoreiro Trojan Targets Global Banking Customers

Published: 23/11/2024   Category: security



Brazilian cybercrime has been on the rise. Now, one campaign targeting bank customers has reached beyond the Americas, into Europe.



The Brazilian banking malware known as Grandoreiro has crossed the pond, with a new campaign from TA2725 targeting customers in Spain, as well as Brazil and Mexico.

Dark Web activity in Latin America has surged in the last two years, and it's largely concentrated in two countries. According to SOCRadar, 360 billion attempted cyberattacks peppered the region in 2022, with 187 billion and 103 billion affecting Mexico and Brazil, respectively.

Now there's increasing evidence that Latin American cybercrime is extending outwards.

Proofpoint has tracked TA2725 since March 2022. It's been known to hide bank account and credit card-sniffing malware inside of phishing emails, primarily directed to organizations either in its home country or Mexico. And according to a new blog post by Jared Peck, senior threat researcher at Proofpoint, the group has recently upgraded its signature malware to include institutions on both sides of the Atlantic.

Grandoreiro attacks begin with a malicious URL in a phishing email. Lures may come in the form of a fake shared document, utility bill, tax form, etc. The URL leads to a ZIP file containing a loader which, when run, downloads a legitimate but vulnerable application. The application is exploited with some DLL sideloading, and then comes the final payload.

Grandoreiro can harvest data via a keylogger, screen grabber, or an old-fashioned overlay on top of an online banking login page. These overlays mimic popular Brazilian and Mexican banks plus, in two campaigns observed late in August, banks located in Spain. (TA2725's phishing lures were also diversified, to mimic Spain-based organizations.)

This isn't the first time Brazilian Trojans have spanned the Atlantic. Earlier this year, for example, threat actors pulled a reverse Pedro Cabral, subjugating Portuguese bank customers in a campaign called Operation Magalenha.

This latest activity only furthers an emerging trend — that Brazilian malware is no longer contained to one continent.

Where once they seemed solely the domain of the northern hemisphere, banking trojans have thrived in Brazil in recent years. According to Peck, there are a few reasons why.

"The general population in many parts of the world, like Brazil and other parts of South America and Latin America, may not have been afforded the same access to cybersecurity education and protection technology as other parts of the world, but continue to grow their online presence. This situation leads to a lack of user awareness around phishing and malware threats, which, in turn, leads to a higher number of victims who click and are affected," he explains, adding that "this general population is upwardly mobile, leading to a larger middle class, so there is more opportunity to victimize a larger pool of a population."

According to Proofpoint, the most common malware families — including Grandoreiro but also Casbaneiro, Javali, and Mekotio — possess a shared lineage: a Delphi-based ancestor from which source code components have been passed down and modified through generations.

Organizations in affected countries can look out for suspicious programs with these same elements. Or, as Peck emphasizes, they can focus on the human side of such compromises.

"Today's cyber threats rely on human interaction, not just technical exploits, so it is essential that organizations incorporate localized user security awareness training on identifying malicious phishing and threat actor tactics, techniques, and procedures while also empowering users to feel comfortable reporting their suspicions even after they may have fallen victim to an attack," he advises.
