Grandoreiro Infostealer Campaign
4 August 2025
By Samantha Clarke and Mimecast Threat Research Team
- The Grandoreiro banking trojan targets financial institutions and users across Latin America and is expanding globally.
- Sophisticated phishing campaigns impersonate government tax agencies and law enforcement.
- Geofenced infrastructure ensures targeted delivery to specific regions. Multi-stage attacks leverage JavaScript functions and ZIP file downloads.
- Comprehensive data exfiltration capabilities include banking credentials and cryptocurrency wallet information.
Campaign Overview
Samantha Clarke and the Mimecast Threat Research team have identified active Grandoreiro banking trojan campaigns representing a significant threat to financial institutions and individual users (tracked internally as MCTO1022). Grandoreiro is a well-known Brazilian banking trojan that has been active since 2016 and enables threat actors to perform fraudulent banking transactions. This sophisticated malware has evolved into a global threat, with recent campaigns expanding beyond its traditional Latin American focus to target users in Europe and Africa.
The threat actors behind Grandoreiro are tracked internally as MCTO1023. They run sophisticated phishing campaigns that impersonate legitimate government entities, particularly tax agencies and law enforcement bodies, to trick users into downloading malicious files. This social engineering approach exploits the trust users place in official government communications, giving the actors high success rates in credential harvesting and malware deployment.
Campaign Themes and Targeting
Recent Grandoreiro campaigns have demonstrated sophisticated understanding of regional government structures and user behavior patterns. The threat actors deploy region-specific social engineering tactics that align with local administrative processes and official communication channels, similar to techniques observed in other Latin American banking trojans.
Primary Target Regions:
- Latin America: Brazil, Mexico, Argentina, Spain (primary focus)
- Expanding Operations: Parts of Europe and Africa
Impersonated Entities:
- Administración Federal de Ingresos Públicos (AFIP) - Argentina
- Agencia de Recaudación y Control Aduanero (ARCA) - Argentina
- Secretaría de Hacienda y Crédito Público (SHCP) - Mexico
- Dirección General de la Policía - Spain
- Revenue service agencies - Argentina
- Department of Finance - Mexico
- Police citation notifications - Spain
Captured examples impersonate the Administración Federal de Ingresos Públicos and the Secretaría de Hacienda y Crédito Público.
Technical Infrastructure and Attack Flow
The Grandoreiro campaign employs sophisticated geofencing techniques to ensure malicious content is only delivered to users in targeted countries. The infrastructure utilizes subdomains of contaboserver.net that are specifically configured to deny access to users outside the intended geographic regions, maximizing infection rates while minimizing exposure to security researchers. This multi-layered approach ensures that the malware is only delivered to intended victims while evading automated security scanning systems.
The attack flow incorporates JavaScript functions that perform browser verification before delivering the next stage of the attack through a hosted PDF file, typically involving the download of a malicious ZIP file.
The payload will then execute an .EXE file which connects back to a C2 IP address hosted on AWS. Supporting elements to the main malicious webpage were observed during our investigation.
During our investigation process, the mailer panel used to send the phishing emails to their victims was discovered.
For non-Windows devices, redirection mechanisms are in place that prevent payload delivery, demonstrating the focus on Windows-based environments where the malware can achieve maximum effectiveness. Non-Windows visitors are shown the message: ‘This content is available exclusively for devices that operate on the Windows system, such as laptops and computers.’
Intelligence gathered from exposed infrastructure reveals the scope of the threat operation. Analysis of compromised VPS systems has uncovered spam testing infrastructure containing email addresses across multiple Latin American countries including Argentina, Mexico, Brazil, Peru, Spain, Chile, Bolivia, Ecuador, Paraguay, Uruguay, and Venezuela. This suggests coordinated operations across the region with potential for continued expansion. The threat operations maintain sophisticated operational security practices while demonstrating clear intent to expand their targeting beyond traditional Latin American boundaries.
Data Exfiltration Capabilities
Grandoreiro demonstrates comprehensive data harvesting capabilities that extend beyond traditional banking credentials to include:
Mimecast Protection
Mimecast has implemented comprehensive detection capabilities to identify and block emails associated with Grandoreiro campaigns. Our threat research team continues to monitor for changes in tactics and techniques used by these threat actors to ensure our customers remain protected against evolving attack vectors.
Targets:
Predominantly financial institutions and individual users across Latin America, with expanding operations targeting similar demographics in Europe and Africa.
Indicators of Compromise (IOCs)
Malicious Infrastructure:
- vmi2664683[.]contaboserver[.]net
- vmi2670907[.]contaboserver[.]net
File Hashes:
- ZIP file: d2b051084d2401c3d826606db8689bba7485061cc1102690d529edb25ddf48fc
- VBS file: 6f7eb90f33d87a5765a29f696e33ec7958f272225add6e4a1dc7994cd32f63f3
Common Lures:
- Tax agency correspondence
- Government compliance notifications
- Law enforcement citations
- Revenue service communications
Recommendations
User Security Awareness Training:
- Educate users about government agency impersonation tactics
- Conduct regular phishing simulations incorporating tax agency and law enforcement themes
- Train users to verify government communications through official channels before taking action
Network Security:
- Monitor for connections to contaboserver.net subdomains
- Implement geographic access controls where appropriate
Proactive Threat Hunting:
- Search email receipt logs for matching lures
- Monitor for JavaScript-based redirection patterns consistent with Grandoreiro campaigns
- Investigate unusual ZIP file downloads from external infrastructure
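The Network Security and Proactive Threat Hunting recommendations above can be turned into a simple triage pass over web-proxy logs. The following Python is an added example, not Mimecast tooling or code from the report; it assumes a constructed five-field proxy export (timestamp, host, path, status, SHA-256 or "-"), an assumed internal host suffix of .corp.example, and uses only the domains and hashes listed in the IOC section.

```python
import re
# Indicators quoted in the report above (defanged brackets removed so they match log hosts).
IOC_DOMAINS = {"vmi2664683.contaboserver.net", "vmi2670907.contaboserver.net"}
IOC_HASHES = {
    "d2b051084d2401c3d826606db8689bba7485061cc1102690d529edb25ddf48fc": "ZIP lure",
    "6f7eb90f33d87a5765a29f696e33ec7958f272225add6e4a1dc7994cd32f63f3": "VBS dropper",
}
# Assumption: hosts under this suffix belong to the organisation, so ZIP downloads from them are expected.
INTERNAL_SUFFIX = ".corp.example"

# Constructed sample proxy export (not real traffic): timestamp host path status sha256-or-dash
SAMPLE_LOG = """\
2025-08-01T09:58:03Z files.corp.example /hr/policies.zip 200 -
2025-08-01T10:02:11Z vmi2664683.contaboserver.net /comprobante/afip.pdf 200 -
2025-08-01T10:02:15Z vmi2664683.contaboserver.net /descarga/comprobante.zip 200 d2b051084d2401c3d826606db8689bba7485061cc1102690d529edb25ddf48fc
2025-08-01T10:05:40Z downloads.vendor.example /tools/installer.zip 200 0000000000000000000000000000000000000000000000000000000000000000
2025-08-01T10:07:02Z www.example.org /news/index.html 200 -
2025-08-01T10:09:30Z vmi9999999.contaboserver.net /aviso.pdf 403 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def triage_line(line):
    """Return the reasons a single proxy log line matches the report's hunting guidance."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # malformed line: nothing to assess
    _ts, host, path, _status, sha256 = m.groups()
    host = host.lower()
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("known-ioc-domain")
    elif host.endswith(".contaboserver.net"):
        # Not a listed IOC, but the hosting pattern the report tells defenders to monitor.
        reasons.append("contaboserver-subdomain")
    if path.lower().endswith(".zip") and not host.endswith(INTERNAL_SUFFIX):
        reasons.append("external-zip-download")
    if sha256.lower() in IOC_HASHES:
        reasons.append("known-ioc-hash:" + IOC_HASHES[sha256.lower()])
    return reasons

def triage_log(text):
    """Map each matching line number (1-based) to its reasons; clean lines are omitted."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        reasons = triage_line(line)
        if reasons:
            hits[n] = reasons
    return hits
```

Calling triage_log(SAMPLE_LOG) flags lines 2, 3, 4 and 6; line 3 carries all three signals at once, which is the pattern worth escalating first.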