Two security firms have uncovered active malware campaigns targeting millions of Windows and Android users across Spain, Portugal, Mexico, and Brazil—with attackers using banking trojans designed to harvest credentials and financial data from corporate and individual devices.
WatchGuard and ESET disclosed the campaigns this week, identifying two distinct malware families at work: Grandoreiro, which targets Windows systems, and BTMOB, a remote access trojan (RAT) deployed against Android devices. The campaigns appear coordinated in scope and timing, with companies in Spain and Portugal bearing the brunt of the Windows-focused attacks, while mobile users in Brazil and Mexico face the Android variant.
• Dual-Platform Attack: Coordinated campaigns deploy Grandoreiro on Windows and BTMOB on Android across four countries simultaneously.
• Behavioral Surveillance: These trojans function as persistent monitoring tools that map users’ complete digital and financial behavior patterns.
• Regional Targeting: Spain and Portugal face the Windows variant while Brazil and Mexico are hit with Android-focused attacks.
Grandoreiro operates as a banking trojan—malware specifically engineered to intercept login credentials, steal financial information, and inject fraudulent transactions into legitimate banking sessions. The malware’s distribution across Spain and Portugal represents a significant shift in attacker focus toward Iberian markets, regions that have historically seen lower volumes of such targeted campaigns compared to North America or Asia-Pacific.
BTMOB, the Android-focused counterpart, functions as a remote access trojan, meaning it grants attackers direct control over infected mobile devices. Research published in IEEE Xplore documents how banking trojans targeting Android systems have evolved to capture screen content, intercept SMS messages, and access stored credentials—making them particularly dangerous for users who conduct banking or corporate work on their phones.
Why Are Attackers Targeting Multiple Platforms Simultaneously?
The discovery underscores a troubling pattern in modern cybercrime: attackers are no longer limiting themselves to a single platform or device type. By deploying complementary malware families across Windows and Android ecosystems, threat actors maximize their chances of compromising targets regardless of which devices those targets use. A company executive might defend their Windows workstation with updated antivirus software, only to have their Android phone—often running older security patches—become the weak link in their digital perimeter.
• Grandoreiro: Windows banking trojan targeting Spain and Portugal
• BTMOB: Android RAT deployed in Brazil and Mexico
• Coordination: Campaigns appear synchronized in timing and scope
How Do Banking Trojans Create Surveillance Profiles?
What makes this campaign particularly relevant to privacy advocates is the behavioral data collection inherent in banking trojans. These aren’t blunt-force attacks that simply lock files or demand ransom. Grandoreiro and BTMOB are designed to observe, record, and exfiltrate patterns of user behavior: which websites you visit, which apps you open, when you log into your bank, what amounts you transfer, and whom you communicate with. In effect, they function as persistent surveillance tools that harvest the granular behavioral profiles that have become the currency of modern digital exploitation.
This mirrors a structural pattern established during the Cambridge Analytica scandal, where harvested behavioral data—in that case, psychological profiles derived from Facebook users’ digital footprints—was weaponized for manipulation and influence. The difference here is directness: rather than using behavioral data to target political messaging, banking trojans use it to directly steal money and credentials. But the underlying mechanism is identical: collect detailed behavioral intelligence, then exploit it. Cambridge Analytica obtained its data through app permissions and platform access; Grandoreiro and BTMOB obtain theirs through malware infection. The outcome—a complete map of a user’s digital and financial behavior—is the same.
What Attack Methods Are Being Used?
WatchGuard and ESET have not disclosed the specific attack vectors through which Grandoreiro and BTMOB are being distributed, though analysis published in ACM Digital Library shows banking trojans typically spread via phishing emails, malicious downloads, or compromised websites. The firms also have not released information about the number of confirmed infections or the financial losses attributed to the campaigns so far.
For users and organizations in the affected regions, the immediate recommendation is to ensure all devices—both Windows computers and Android phones—are running the latest security patches and antivirus definitions. Banking trojans often exploit known vulnerabilities that patches have already addressed; staying current significantly reduces infection risk. Users should also avoid clicking links or downloading attachments from unsolicited emails, particularly those claiming to be from banks or financial institutions.
• Patch Management: Keep both Windows and Android devices updated with the latest security patches
• Email Vigilance: Avoid clicking links or attachments from unsolicited banking communications
• Multi-Device Security: Apply consistent security measures across all platforms
How Sophisticated Are Modern Banking Trojans?
The discovery comes as banking trojans continue to evolve in sophistication, with researchers observing increasing use of anti-analysis techniques and code obfuscation designed to evade detection by security software. The fact that two major security firms felt compelled to issue coordinated warnings suggests the campaigns have reached a scale or intensity that warrants public attention.
This evolution reflects broader trends in cybercrime where attackers increasingly mirror the data collection and behavioral analysis techniques pioneered by legitimate technology companies. Just as experts warn about modern data harvesting, banking trojans represent the criminal application of the same surveillance capitalism principles—comprehensive behavioral monitoring for exploitation.
WatchGuard and ESET have not announced a specific date for publishing detailed technical analysis, though both firms typically release comprehensive threat reports within days of major discoveries. Organizations in Spain, Portugal, Mexico, and Brazil should monitor their advisories closely for indicators of compromise and remediation steps.
