
Threat Actor Characterization

Grandoreiro


ID: 6d0bd1b0d6daf2b370bd8371bb41ae1353025
Crimeware Banking Malware
Threat types: Malware, Cybercrime, Malware-as-a-Service, Banking Trojan, Financial Fraud
Brazil
Updated: 2026-02-26
Created: 2026-02-26
Aliases: Delephant, Tetrade
MITRE ATT&CK®

Grandoreiro is a long-running Latin American banking trojan ecosystem used for direct financial fraud. Public reporting describes phishing-driven delivery and multi-component payloads, followed by on-host interaction capabilities (keylogging, mouse simulation, screen sharing/control, and deceptive pop-ups) that enable account takeover and unauthorized transfers. 2024 analyses describe infrastructure churn and DGA-driven domain rotation, and law enforcement reporting describes laundering via mule networks. Defensive focus should prioritize phishing prevention, application control on finance endpoints, behavior-first hunting for input capture/overlay/control capabilities, and a dynamic IOC lifecycle with first_seen/last_seen.


Techniques observed (ATT&CK technique, tactics, dated evidence):

T1566.001 Spearphishing Attachment (TA0001 Initial Access)
  • 2024-03-18 — Phishing emails used to deliver the malware, impersonating recognized entities.
  • 2024-03-01 — Large-scale phishing campaigns distributing Grandoreiro observed since March 2024.

T1204.002 Malicious File (TA0002 Execution)
  • 2022-01-01 — The user clicks a link, then downloads and executes an installer, as part of the infection chain described in a technical study.

T1056.001 Keylogging (TA0006 Credential Access, TA0009 Collection)
  • 2024-03-18 — INTERPOL describes the malware recording keystrokes to collect credentials.

T1564.002 Hidden Users (TA0005 Defense Evasion)
  • 2024-03-18 — Deceptive pop-ups/overlays presented to harvest banking identifiers and guide the victim through fraud steps.

T1113 Screen Capture (TA0009 Collection)
  • 2024-03-18 — Screen sharing/control capability described by INTERPOL as part of fraud enablement.

T1071.001 Web Protocols (TA0011 Command and Control)
  • 2024-10-22 — Kaspersky describes C2 communications over HTTP/S using DGA-generated domains and rotating infrastructure.

T1568.002 Domain Generation Algorithms (TA0011 Command and Control)
  • 2024-03-01 — IBM describes updates to the DGA calculation that yield many different C2 domains per day.

T1098.001 Additional Cloud Credentials (TA0003 Persistence, TA0004 Privilege Escalation)
  • 2024-03-01 — IBM describes harvesting email addresses and using the local Outlook client to send further phishing emails from infected hosts (propagation).

T1105 Ingress Tool Transfer (TA0011 Command and Control)
  • 2022-01-01 — A technical study describes downloader components fetching encrypted payloads from a URL (inbound transfer).
Strategic Intelligence
Last updated: 2026-02-26T03:53:50+00:00

Preliminary Intelligence — Grandoreiro

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — Grandoreiro


Hunting Playbook

Hunting Playbook — Grandoreiro (Phishing → Installer → On‑Host Fraud Enablement)


IOC Appendix
Last updated: 2026-02-26T03:55:27+00:00

IOC Appendix — Grandoreiro (Operational Seed Set)


OSINT Library
Last saved: 2026-02-26T03:57:31+00:00

OSINT Library — Grandoreiro


2024-10-22 — Kaspersky Securelist — “Grandoreiro banking trojan: overview of recent versions and new tricks”

Social Media & Communication

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.