Financially Motivated Cyber Groups Target Banking Users Across Europe and Latin America
AI-generated from multiple sources. Verify before acting on this reporting.
LISBON — Financially motivated cyber threat groups launched coordinated malware campaigns targeting Windows and Android users across Europe and Latin America, aiming to steal banking credentials and sensitive personal data. The attacks, identified as the Grandoreiro and BTMOB malware operations, have affected users in Spain, Portugal, Mexico, and Brazil.
Security researchers detected the activity on May 27, 2026. The campaigns used sophisticated social engineering tactics to distribute the malicious software, which is designed to intercept authentication tokens and login information from major financial institutions. Once installed, the malware operates silently in the background, capturing keystrokes and screen data to facilitate unauthorized account access.
The Grandoreiro campaign primarily targeted Android devices, exploiting vulnerabilities in popular messaging applications and fake update notifications. Victims received links disguised as legitimate security alerts or banking service updates. Upon clicking, users were directed to download applications containing the malware, which then requested extensive permissions to access device data.
Simultaneously, the BTMOB campaign focused on Windows systems in the same regions. This operation used compromised websites and malicious email attachments to deliver the payload. Once installed on a Windows machine, the malware can bypass two-factor authentication mechanisms by intercepting one-time passwords sent via SMS or email.
Cybersecurity experts warn that the geographic scope of the attacks indicates a deliberate strategy to target regions with high mobile banking adoption. The groups behind the campaigns are believed to be operating with the intent of selling stolen credentials on dark web marketplaces or directly draining victim accounts.
Financial institutions in the affected countries have issued alerts to customers, urging them to verify the authenticity of communications before clicking links or downloading attachments. Banks in Spain and Brazil have temporarily suspended certain online services to investigate potential breaches and reset compromised credentials.
The sophistication of the malware suggests the involvement of organized criminal networks with significant technical resources. Analysts note that the dual-platform approach increases the likelihood of successful infiltration, as users often access banking services across multiple devices.
Authorities in Portugal and Mexico have launched investigations into the source of the attacks, though no arrests have been made. The groups behind the campaigns have not claimed responsibility. Questions remain regarding the full extent of the data compromised and whether the malware has been deployed in other regions.
As of late May 2026, the campaigns remain active. Security firms continue to monitor for new variants of the malware and are working with internet service providers to block malicious domains associated with the distribution networks. Users are advised to update their operating systems and install reputable security software to mitigate the risk of infection.