How Banking Trojan Grandoreiro Is Evolving Tactics To Target Victims In LATAM 

A new wave of phishing emails is sweeping across Latin America, and once again, Grandoreiro is behind it. This banking trojan is no newcomer; it’s been active for years, evolving steadily into a more sophisticated and evasive threat.  

With targeted tactics like geofencing and DNS evasion, Grandoreiro is staying just ahead of standard security solutions. 

Before we dive into the latest campaign, let’s break down what Grandoreiro is and what it can actually do. 

What Is Grandoreiro? 

Grandoreiro is a Latin American banking trojan, part of the Delphi-based malware family that includes Mekotio and Vadokrist. It primarily targets Windows machines and is designed to: 

  • Steal banking credentials 
  • Log keystrokes and monitor activity 
  • Grant remote access to attackers 
  • Bypass security defenses with sandbox evasion 
  • Limit execution via geolocation filtering 
  • Communicate with C2 servers using DNS-over-HTTPS (DoH) tricks 

Originally seen in Brazil, Grandoreiro has extended its focus to Mexico, Peru, Chile, and other LATAM regions, all while keeping its operations under the radar of global detection systems. 

Grandoreiro’s New Geofencing Tactics In Latest LATAM Phishing Campaign 

Between February 19 and March 14, ANY.RUN researchers spotted a sharp spike in Grandoreiro activity, this time tied to a fresh wave of phishing attacks using geofencing to filter victims by location. And the campaign isn’t over yet. 

Let’s take a closer look at the tactics behind this campaign by walking through its full execution chain inside ANY.RUN’s secure interactive sandbox. 

Figure: Grandoreiro malware analyzed inside ANY.RUN sandbox

Initial Access: Phishing Page With Malicious Attachment 

In this campaign, the infection starts with a phishing page. Inside the ANY.RUN sandbox, we can clearly see the fake web page pretending to offer a legitimate download, when in fact it is serving a malicious ZIP or RAR file containing the Grandoreiro loader. 

Figure: Phishing link with a fake PDF document displayed inside ANY.RUN sandbox

A closer look at the page reveals a red flag: it is filled with random characters and broken formatting, a common sign of hastily generated phishing infrastructure designed to trick users into downloading malware. 

The sandbox quickly flags suspicious activity: in the top-right corner of the interface, ANY.RUN gives an instant verdict of malicious behavior. 

Figure: Malicious activity detected by ANY.RUN sandbox

Once the file is downloaded and opened, Grandoreiro doesn’t immediately spring into action. First, it checks the environment, starting with geolocation. 

Geolocation Check: Are You In LATAM? 

Right after execution, Grandoreiro checks the victim’s IP by pinging ip-api[.]com. If the location isn’t in a Latin American country, it shuts down immediately.  

This geofencing tactic helps the malware avoid unnecessary exposure and keeps the campaign tightly focused. 

Figure: Suricata rule triggered inside ANY.RUN sandbox

DNS Evasion With Google 

Next up, Grandoreiro avoids using the system’s DNS settings. Instead, it queries dns.google to resolve its command-and-control (C2) domain. This trick helps it: 

  • Bypass local DNS filtering 
  • Keep connections under the radar 
  • Ensure reliable communication with the C2 

Connecting To The C2 Server 

With the C2 domain resolved, the malware sends a GET request to establish a connection. This opens the door for the attacker to: 

  • Deploy additional payloads 
  • Steal credentials 
  • Take remote control of the machine 

From here, Grandoreiro’s full capabilities are unlocked, and it begins collecting sensitive data while staying stealthy. 

Figure: Stealing of personal data detected by ANY.RUN

Inside ANY.RUN’s sandbox, you can see all the tactics and techniques used by adversaries in a specific attack: 

Figure: MITRE ATT&CK tactics and techniques used by adversaries

What You Can Do: Detection & Response Tips 

Catching Grandoreiro early is crucial. Here’s what to watch for: 

  • Unusual ZIP or RAR attachments disguised as PDFs 
  • External DNS lookups to dns.google right after file execution 
  • Geolocation checks using third-party services 
  • Sudden outbound connections to unknown IPs 
  • Post-execution behavior like scheduled tasks or file modification 

These signals, especially when combined, can help analysts flag and stop an infection before it spreads. 
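One way to turn the behavioral chain described in the DNS evasion and detection sections (a freshly executed file that geolocates itself via ip-api.com, resolves its C2 through dns.google over DoH, then connects to an unexpected peer) into a correlation rule. This is an added example, not ANY.RUN's code; the log format, process names, IPs and allowlist are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample events (not real sandbox output): "<ISO time> pid=<n> proc=<name> <event> <target>".
# pid 4120 follows the chain in the article; pid 5010 is a browser using DoH normally and must not fire.
SAMPLE_LOG = """\
2025-03-01T10:00:00 pid=4120 proc=factura.exe exec C:\\Users\\u\\Downloads\\factura.exe
2025-03-01T10:00:02 pid=4120 proc=factura.exe http ip-api.com
2025-03-01T10:00:03 pid=4120 proc=factura.exe https dns.google
2025-03-01T10:00:05 pid=4120 proc=factura.exe connect 203.0.113.77:443
2025-03-01T10:01:00 pid=5010 proc=chrome.exe https dns.google
2025-03-01T10:01:01 pid=5010 proc=chrome.exe connect 198.51.100.10:443
"""
GEO_SERVICES = {"ip-api.com"}        # third-party geolocation checks
DOH_RESOLVERS = {"dns.google"}       # public DNS-over-HTTPS endpoints
KNOWN_GOOD_IPS = {"198.51.100.10"}   # constructed allowlist of expected peers
WINDOW_SECONDS = 60                  # chain must complete this soon after exec

def parse_line(line):
    """Parse one constructed log line; returns None for malformed input."""
    parts = line.split()
    if len(parts) != 5 or not parts[1].startswith("pid="):
        return None
    return {"ts": datetime.fromisoformat(parts[0]), "pid": int(parts[1][4:]),
            "proc": parts[2][5:], "event": parts[3], "target": parts[4]}

def detect(log_text):
    """Return [(pid, proc, stages)] for each process completing the chain."""
    by_pid = defaultdict(list)
    for raw in log_text.splitlines():
        if ev := parse_line(raw):
            by_pid[ev["pid"]].append(ev)
    hits = []
    for pid, events in by_pid.items():
        start = next((e["ts"] for e in events if e["event"] == "exec"), None)
        if start is None:
            continue  # only a freshly executed file is a candidate
        seen = set()
        for e in events:
            if (e["ts"] - start).total_seconds() > WINDOW_SECONDS:
                break  # chain must complete shortly after execution
            if e["event"] == "http" and e["target"] in GEO_SERVICES:
                seen.add("geolocation")
            elif e["event"] == "https" and e["target"] in DOH_RESOLVERS:
                seen.add("doh")
            elif (e["event"] == "connect" and {"geolocation", "doh"} <= seen
                  and e["target"].rsplit(":", 1)[0] not in KNOWN_GOOD_IPS):
                seen.add("c2")  # outbound to an unexpected peer after the two checks
        if "c2" in seen:
            hits.append((pid, events[0]["proc"], sorted(seen)))
    return hits
```

Legitimate DoH users such as browsers never pass the exec gate or the geolocation stage, so the rule fires only when all three signals line up on one process.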

Catch Cyber Attacks Before They Spread 

Grandoreiro is just one example of how malware is adapting to stay hidden. Static detection isn’t enough anymore. You need visibility into what malware does after it lands on a system. 

Instead of working in the dark, your team can investigate malware in real time inside ANY.RUN's cloud sandbox, watch how it behaves, understand its logic, and see how it communicates.

From the very first phishing lure to the final C2 connection, you see everything as it happens. 

For your team, this means: 

  • Faster, more confident decision-making 
  • Clear evidence you can share across teams 
  • Smarter detection logic, rooted in real-world behavior 
  • A shorter path from investigation to prevention 

15,000+ teams use ANY.RUN to learn, adapt, and defend better every single day. Start your 14-day trial and see what modern threat analysis really looks like. 
