Grandoreiro Malware Campaign Targets Europe and Latin America
WatchGuard telemetry identified a campaign associated with Grandoreiro that uses the DLL side-loading technique, abusing four different legitimate software packages, to target banks in Portugal. We also identified cases of a known campaign that uses a malicious VBS to deliver the malware, targeting companies in Spain, Portugal, Mexico and the rest of Latin America.
Grandoreiro has been active since at least 2016 and is now one of the most widespread banking trojans globally. Despite the disruption of some operators and the joint operations with INTERPOL and local law enforcement that led to the arrest of gang members in Spain, Brazil and Argentina in 2021 and 2024, the group remains active: only part of the gang was arrested, and the members who were not arrested have continued the operations.
Campaign using SGC WebSockets in malicious DLLs
This campaign uses the DLL side-loading technique with the files libwebp.dll, mingwm10.dll, libffi-6.dll and libpng15.dll. All four were built with Delphi 11.
Figure 1. Information about the analyzed artifact
All of them also carry HTML, JS and CSS files in their resources associated with the SGC WebSockets WebRTC components. SGC WebSockets (sgcWebSockets) is a Delphi component library that bundles WebSocket, WebRTC, STUN/TURN, MQTT and cloud-provider clients; WebRTC itself is a free, open-source standard (not a WebSockets protocol) that provides real-time communication (RTC) between web browsers and mobile applications via simple APIs.
Figure 2. Resource items related to SGC WebSockets
Delivery method
Both cases use phishing as the initial vector. The phishing email carries a malicious link that, in one of the cases, uses the domain uniaodownloadcnk[.]online. According to the domain WHOIS, it was created at the end of February, when the first cases of the campaign occurred:
Domain Name: UNIAODOWNLOADCNK.ONLINE
Registry Domain ID: D627172794-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://namecheap.com
Updated Date: 2026-02-24T13:15:40.0Z
Creation Date: 2026-02-24T13:15:36.0Z
Registry Expiry Date: 2027-02-24T23:59:59.0Z
Registrar: Namecheap
Registrar IANA ID: 1068
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
In other cases the malicious link points to vmi.contaboserver.net, the hostname pattern of the virtual private servers (VPS) rented from Contabo, a cloud hosting provider whose infrastructure is being abused in these campaigns.
These malicious links redirect to Dropbox, from which a ZIP file containing the legitimate software and the malicious DLL is downloaded.
Case 1
The legitimate applications abused in this case, and the malicious DLLs they side-load, are the following:
- mingwm10.dll, loaded by the MinGW (Minimalist GNU for Windows) compiler suite.
- libwebp.dll, loaded by FastStone Image Viewer.
In DLL side-loading the executable is the legitimate, often signed, vendor binary; only the DLL dropped beside it is malicious, so checking the hash or signature of the EXE alone will not reveal the infection.
The DLLs in this case use the STUN (Session Traversal Utilities for NAT) protocol, which lets devices behind a NAT discover their public IP address and port number so that peer-to-peer connections can be established. It is commonly used in VoIP and video-conferencing applications to set up direct connections between clients, and WebRTC relies on it.
Figure 3. Object in the Resources making reference to the STUN Protocol
During execution the resource is loaded and the corresponding function is called, instantiating the TsgcTURNServer object.
Figure 4. The use of the object TsgcTURNServer during the execution
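To make the STUN traffic described above concrete, here is an added Python example (not code from this write-up or from the sgcWebSockets library) that builds an RFC 5389 Binding Request the way a WebRTC client does and parses a Binding Success response to recover the XOR-MAPPED-ADDRESS, i.e. the public IP and port the server observed. The response is constructed inline so the script runs offline; the 203.0.113.9:54321 address is a documentation value, not an indicator from the campaign. The is_stun() helper is the same header test a network sensor can use to flag STUN on a port or from a process where no conferencing client should be talking.

```python
"""STUN Binding exchange (RFC 5389) as used by WebRTC and by the STUN
component inside these DLLs. Added example, not the malware's code."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442       # fixed value at bytes 4-7 of every RFC 5389 message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid=None):
    """Client side: 20-byte header (type, length, cookie, 12-byte txid), no attributes."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def is_stun(msg):
    """Cheap wire test: top two bits zero and the magic cookie in place."""
    return (len(msg) >= 20 and (msg[0] & 0xC0) == 0
            and msg[4:8] == struct.pack("!I", MAGIC_COOKIE))


def parse_stun(msg):
    """Return (message type, transaction id, {attribute type: raw value})."""
    if not is_stun(msg):
        raise ValueError("not an RFC 5389 STUN message")
    mtype, length, _ = struct.unpack("!HHI", msg[:8])
    txid = msg[8:20]
    body = msg[20:20 + length]
    attrs, off = {}, 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        attrs[atype] = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)     # values are padded to a 4-byte boundary
    return mtype, txid, attrs


def decode_xor_mapped_address(value, txid):
    """XOR-MAPPED-ADDRESS: port ^ top 16 bits of cookie; address ^ cookie (+ txid for IPv6)."""
    family = value[1]
    port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
    if family == 0x01:
        raw = struct.pack("!I", struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE)
        return socket.inet_ntop(socket.AF_INET, raw), port
    if family == 0x02:
        key = struct.pack("!I", MAGIC_COOKIE) + txid
        raw = bytes(a ^ b for a, b in zip(value[4:20], key))
        return socket.inet_ntop(socket.AF_INET6, raw), port
    raise ValueError("unknown address family")


def public_address(response, expected_txid):
    """What the malware is after: the NAT's public IP:port as seen by the STUN server."""
    mtype, txid, attrs = parse_stun(response)
    if mtype != BINDING_SUCCESS or txid != expected_txid:
        raise ValueError("not the Binding Success response for our request")
    return decode_xor_mapped_address(attrs[XOR_MAPPED_ADDRESS], txid)


def build_binding_response(txid, ip, port):
    """Constructed server side (IPv4 only) so the example runs offline."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


if __name__ == "__main__":
    txid = os.urandom(12)
    request = build_binding_request(txid)                           # would go out to UDP/3478
    response = build_binding_response(txid, "203.0.113.9", 54321)  # stand-in reply (assumed)
    print("request bytes :", request.hex())
    print("public address:", public_address(response, txid))
```

Run it stand-alone to print the decoded address; swapping the constructed response for a real UDP exchange with a STUN server on port 3478 gives the same decoding on live traffic. Because the magic cookie sits at a fixed offset in every RFC 5389 message, STUN is cheap to identify in packet captures regardless of destination port, which is useful when the sender is an image viewer or a word processor rather than a conferencing client.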
SGC WebSockets also provides clients for cloud providers such as Amazon AWS, Microsoft Azure and Google Cloud. Each DLL uses a different cloud provider and service.
In mingwm10.dll we can see the use of the library designed to interact with Google Cloud services, specifically Pub/Sub. In libwebp.dll we can see the use of Azure with the MQTT protocol, which is used to communicate with IoT devices.
Figure 5 – The use of Google Cloud in mingwm10.dll (left) and Azure in libwebp.dll (right)
The use of STUN by malware has been seen before: Dyreza, another banking trojan, used the protocol to determine the public IP address of the compromised computer, falling back to icanhazip.com when STUN did not work.
The advantage for threat actors of hiding in web-conferencing traffic is that this traffic is noisy and difficult to monitor, and WebRTC is commonly used across all major web-conferencing platforms.
Case 2
The legitimate applications abused in this case, and the malicious DLLs they side-load, are the following:
- libffi-6.dll, loaded by FreeMat.
- libpng15.dll, loaded by AbiWord.
The DLLs in this case use the ICE (Interactive Connectivity Establishment) protocol, which, like STUN, is used for peer-to-peer and WebRTC communications (ICE gathers candidate addresses through STUN and TURN and tests them for connectivity). They also embed a Binance API client, which was released at the end of February, when the first cases of this campaign occurred, as mentioned earlier, and an Amazon (AWS) MQTT client.
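A first triage of the downloaded archive can be automated for both Case 1 and Case 2. The following Python script is an added example (not code from this write-up) that unpacks a ZIP in memory, pairs each executable with the DLLs dropped beside it, and flags DLLs whose name matches one of the four abused here or that carry Delphi/sgcWebSockets marker strings in ASCII or UTF-16LE (Delphi strings are usually wide). The marker list and the sample archive (a stand-in for the FastStone viewer folder with a fake libwebp.dll) are constructed assumptions; the decisive check remains hashing the DLL and comparing it with the vendor's own copy.

```python
"""Triage a dropped archive for DLL side-loading candidates.
Added example, not code from the write-up or from any vendor."""
import io
import zipfile
from pathlib import PurePosixPath

# DLL names abused in the campaign described above (from the write-up)
CAMPAIGN_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}
# Strings a Delphi + sgcWebSockets build would plausibly carry (assumed markers)
MARKERS = [b"Embarcadero", b"Tsgc", b"sgcWebSockets", b"<html"]


def contains(data, needle):
    """Case-insensitive search for an ASCII marker in both ASCII and UTF-16LE."""
    d, n = data.lower(), needle.lower()
    return n in d or n.decode("ascii").encode("utf-16-le") in d


def sideload_candidates(zip_bytes):
    """Return one finding per DLL that sits in the same folder as an executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        by_dir = {}
        for info in zf.infolist():
            if info.is_dir():
                continue
            p = PurePosixPath(info.filename)
            by_dir.setdefault(str(p.parent), []).append((p.name, info.filename))
        for folder, files in by_dir.items():
            exes = [n for n, _ in files if n.lower().endswith(".exe")]
            dlls = [(n, full) for n, full in files if n.lower().endswith(".dll")]
            if not exes or not dlls:
                continue        # side-loading needs a loader EXE next to the DLL
            for name, full in dlls:
                data = zf.read(full)
                hits = [m.decode() for m in MARKERS if contains(data, m)]
                known = name.lower() in CAMPAIGN_DLLS
                findings.append({
                    "folder": folder, "exe": exes, "dll": name,
                    "known_campaign_dll": known,
                    "delphi_markers": hits,
                    "suspicious": known or bool(hits),
                })
    return findings


def build_sample_zip():
    """Constructed archive: viewer EXE, a fake side-loaded libwebp.dll, a clean-looking DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FSViewer/FSViewer.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("FSViewer/libwebp.dll",
                    b"MZ" + b"\x00" * 32
                    + "TsgcTURNServer".encode("utf-16-le") + b"<html><script>")
        zf.writestr("FSViewer/zlib1.dll", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for f in sideload_candidates(build_sample_zip()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['folder']}/{f['dll']} next to {f['exe']} markers={f['delphi_markers']}")
```

A name match alone is only a lead: the legitimate libwebp.dll or libpng15.dll shipped by the vendor will also match CAMPAIGN_DLLS, and a benign DLL with embedded HTML help will hit the `<html` marker. Treat the output as a worklist for hash comparison and, on Windows, an Authenticode check of the DLL itself, not just the EXE.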
Figure 6 – The use of ICE protocol, Binance API and Amazon MQTT Client
At the beginning of execution some anti-debugging techniques are used, such as a deliberate division by zero and the UD2 instruction (opcode 0F 0B). Both raise an exception that the malware expects to handle itself; they work as an anti-debugging check because a debugger may handle the exception differently than a normal execution environment.
Figure 7 – The use of anti-debugging techniques
The code also contains some strings written in Chinese and a call that launches a browser in kiosk mode, a feature that runs the browser in a single full-screen window and restricts user access to other applications and settings.
Figure 8 – Reference in the code to strings in Chinese and to the launch of a browser in kiosk mode.
The code also references banks that operate in Portugal and services that perform financial transactions.
Figure 9 – Reference in the code to banks that operate in Portugal
The names of the banks that operate in Portugal mentioned in the code are shown in Figure 9 above.
The services that perform financial transactions are the following.
- Revolut
- Wise
Campaign with malicious VBS
Another campaign was observed that is similar to the one already documented by Forcepoint: the legitimate hosting provider Contabo hosts a geofenced fake web page that links to a malicious file hosted on Mediafire.
The malicious file is a highly obfuscated VBS that drops the malware executable.
Figure 10 – Executable file created by the malicious obfuscated VBS script
The executable is written in Delphi 12.
Figure 11 – Information about the file created by the VBS script
When executed, it displays a fake message asking the user to update Adobe Reader.
Figure 12 – Fake message asking to update Adobe Reader to execute the malware
After the button is pressed, it checks the location of the infected machine with a request to hxxp://ip-api[.]com/json.
After that, the malware performs many checks. The ones observed are similar to those performed by the malware in previous campaigns, from 2022 to 2024: the types of checks are the same, with some differences.
As in the 2022 and 2023 campaigns, it checks whether the computer name is one of the following:
- WIN-VUA6POUV5UP
- Win-StephyPC3
- difusor
- DESTOP2457
- JOHN-PC
- WORK
- DESKTOP-XXXXXXXX
The last one on the list above was not seen in previous campaigns.
The code contains a list of process names of tools commonly used by security analysts, which include Sysinternals tools (regmon.exe, procmon.exe, ...), reversing/debugging tools (ollydbg.exe, ida.exe, x64dbg.exe, ...), network analysis tools (Wireshark.exe, NetworkMiner.exe, ...) and many others.
It also checks the directory from which it is being executed. The check is made on drives A:\, B:\, C:\ and D:\ and, for each one, it verifies whether the execution path is one of the following:
- <Drive>\\TOOLS\\ProcessInvestigator\\
- <Drive>\\programming
- <Drive>\\script
Other checks are also made, such as whether it is running in a virtual environment, by looking for registry keys attributed to VMware. Another is the use of WbemScripting.SWbemLocator to connect to WMI from VBS; this connection is used to get the list of antivirus products installed on the machine (WMI exposes that list through the AntiVirusProduct class of the root\SecurityCenter2 namespace).
Figure 13 – The use of WMI in VBS to check the antivirus products installed on the machine
The malware also checks whether any of the following software is installed on the machine:
- Google Chrome
- FileZilla Client
- CCleaner
- Firefox
- Acrobat Reader DC
- Microsoft Edge
- Skype
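The anti-analysis checks listed above leave their indicators in the dropped executable as strings, which makes them a cheap triage signal. The following Python script is an added example (not the malware's code and not WatchGuard's tooling): it extracts printable ASCII and UTF-16LE runs from a file, matches them against the computer names, analyst tool names, execution paths and the ip-api.com/WMI/VMware strings reported above, and returns a per-category report. Short generic names such as WORK are matched only as whole strings so that, for example, "network" does not trigger. The sample bytes are constructed, and the verdict threshold of two categories is an assumption.

```python
"""String-based triage for the anti-analysis checks described above.
Added example; indicator lists come from the write-up, everything else is assumed."""
import re

COMPUTER_NAMES = ["WIN-VUA6POUV5UP", "Win-StephyPC3", "difusor", "DESTOP2457",
                  "JOHN-PC", "WORK", "DESKTOP-XXXXXXXX"]
ANALYST_TOOLS = ["regmon.exe", "procmon.exe", "ollydbg.exe", "ida.exe",
                 "x64dbg.exe", "Wireshark.exe", "NetworkMiner.exe"]
ANALYST_PATHS = ["\\TOOLS\\ProcessInvestigator\\", "\\programming", "\\script"]
OTHER = ["ip-api.com/json", "WbemScripting.SWbemLocator", "VMware"]
CATEGORIES = {"computer_name": COMPUTER_NAMES, "analyst_tool": ANALYST_TOOLS,
              "analyst_path": ANALYST_PATHS, "other": OTHER}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # UTF-16LE, as Delphi UnicodeString


def extract_strings(data):
    """Yield printable ASCII runs, then UTF-16LE runs, like `strings -e l` would."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def matches(indicator, s):
    """Short generic names ('WORK') only match whole strings; longer, distinctive
    indicators and path fragments may appear inside a larger string."""
    i, t = indicator.lower(), s.lower()
    return i == t or ((len(i) >= 7 or "\\" in i) and i in t)


def find_indicators(data):
    """Per-category list of indicators present in the file's strings."""
    strings = list(extract_strings(data))
    return {cat: sorted({i for i in items if any(matches(i, s) for s in strings)})
            for cat, items in CATEGORIES.items()}


def verdict(report):
    """Assumed threshold: hits in at least two categories is a strong signal."""
    hit_categories = sum(1 for hits in report.values() if hits)
    return "anti-analysis checks present" if hit_categories >= 2 else "no strong evidence"


def build_sample():
    """Constructed bytes standing in for a dropped executable; not a real sample."""
    parts = [b"MZ\x90\x00", b"ollydbg.exe",
             "WIN-VUA6POUV5UP".encode("utf-16-le"),
             "C:\\TOOLS\\ProcessInvestigator\\".encode("utf-16-le"),
             b"http://ip-api.com/json", b"network layer"]
    return b"\x00\x00\x00".join(parts) + b"\x00\x00"


if __name__ == "__main__":
    report = find_indicators(build_sample())
    for cat, hits in report.items():
        print(f"{cat:14} {hits}")
    print(verdict(report))
```

The same indicator lists are also worth turning around defensively: a sandbox named after one of the listed computer names, or run from one of the listed paths, will make this sample exit before it does anything, which is exactly the behaviour a detonation pipeline should watch for (a sample that quits quietly on an analyst-looking host and runs on a plain one).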
Diamond Model
| Diamond Model element | Observed in these campaigns |
| --- | --- |
| Adversary | Grandoreiro, a financially motivated cybercrime group. |
| Capability | Phishing lures; DLL side-loading of Delphi-built malicious DLLs (mingwm10.dll, libwebp.dll, libffi-6.dll, libpng15.dll) next to legitimate software; SGC WebSockets components (STUN/TURN, ICE, MQTT and cloud-provider clients); highly obfuscated VBS dropper; anti-debugging and anti-analysis checks. |
| Infrastructure | Delivery channels: phishing links on uniaodownloadcnk[.]online and on Contabo VPS hosts (vmi.contaboserver.net*), redirecting to a ZIP on Dropbox* or a VBS on Mediafire*. C2 servers: (none listed). |
| Victim | Banking customers, financial services customers, small-to-medium businesses, Spanish/Portuguese/Latin American users. |

*Legitimate domains and services being abused.
Beyond the Malware
The bigger story here is not just that Grandoreiro is still active. It is that financially motivated threat groups continue to adapt quickly, reuse legitimate services, and hide inside traffic patterns that many organizations may already trust. By combining phishing, DLL side-loading, WebRTC-related components, cloud service abuse, and anti-analysis checks, these campaigns show how banking malware is becoming harder to spot with surface-level defenses alone.
For organizations across Europe and Latin America, the message is hard to ignore. Prevention cannot stop at email security or endpoint tools in isolation. Defenders need layered visibility, behavioral detection, and continuous monitoring that can connect suspicious activity across users, devices, infrastructure, and cloud services before a banking trojan becomes a business-impacting incident.