A new spear phishing email campaign, designed to deliver the Grandoreiro banking trojan, has been spotted targeting organizations in Spain and Mexico.
Several novel features have been added to the Grandoreiro malware variant including evasion, anti-analysis, and a revamped C2 system.

Impersonation and targeting

  • The infection chain begins with an email pretending to originate from the Attorney General's Office of Mexico City or the Spanish Public Ministry, depending on the target.
  • The targets include automotive, civil and industrial construction, logistics, and machinery sectors in Mexico and chemicals manufacturing industries in Spain.

Modus operandi

  • Spear phishing emails are utilized by threat actors to lure victims to download and execute Grandoreiro malware.
  • Lures such as payment refunds, litigation notifications, cancellation of mortgage loans, and deposit vouchers feature prominently in spear phishing attack messages.
  • The email contains a link that tricks the potential victims to a website that drops a ZIP archive from which is extracted a loader module masqueraded as a PDF file to trigger the execution.


Grandoreiro was first discovered six years ago as a modular backdoor that could perform a variety of functions. Researchers found that banking trojan is continuously evolving into sophisticated malware with novel anti-analysis characteristics, which allows attackers to gain full remote access to employees and organizations, posing a significant threat.
Cyware Publisher