
Grandoreiro Trojan Distributed via Contabo-Hosted Servers in Phishing Campaigns

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

Cybercriminals are reviving the Grandoreiro banking trojan, targeting users in Latin America and Europe through large-scale phishing campaigns. The malware is distributed via emails impersonating tax agencies, leading victims to download malicious payloads from Contabo-hosted servers and Mediafire. The attack chain involves obfuscated VBS scripts and a Delphi-based EXE that steals credentials and connects to a C2 server. The campaign employs dynamic URLs, social engineering, and various obfuscation techniques to evade detection. Users in Mexico, Argentina, and Spain are primary targets, with the malware searching for Bitcoin wallet directories and system information. Frequent changes to subdomains under contaboserver[.]net are used to avoid detection.
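Because the operators rotate subdomains under contaboserver[.]net, an exact-hostname blocklist goes stale quickly; matching on the parent zone at a label boundary is the check a defender wants. The following is an added example, not code from the OpenCTI record or the underlying report, and the DNS log lines and hostnames in it are constructed placeholders.

```python
import re

# Constructed sample DNS query log (not from the report). Hostnames are
# placeholders chosen to exercise the matcher, including two near-misses.
SAMPLE_LOG = """\
2024-05-01T10:12:03Z client=10.0.0.21 qname=vmi-placeholder-1.contaboserver.net qtype=A
2024-05-01T10:12:09Z client=10.0.0.21 qname=www.example.com qtype=A
2024-05-01T10:13:44Z client=10.0.0.33 qname=abc.contaboserver.net.evil.example qtype=A
2024-05-01T10:14:02Z client=10.0.0.33 qname=notcontaboserver.net qtype=A
2024-05-01T10:15:10Z client=10.0.0.40 qname=Update.ContaboServer.NET. qtype=A
"""

QNAME_RE = re.compile(r"qname=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged CTI indicator such as 'contaboserver[.]net' into a matchable zone."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .lower().rstrip("."))


def in_watched_zone(hostname: str, zone: str) -> bool:
    """True if hostname is the zone itself or any subdomain of it.

    The leading '.' in the suffix test keeps 'notcontaboserver.net' from matching,
    and a suffix test (not a substring test) rejects 'x.contaboserver.net.evil.example'.
    """
    h = hostname.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return h == z or h.endswith("." + z)


def find_hits(log_text: str, watched_indicators: list) -> list:
    """Return (queried_name, matched_zone) pairs for log lines under a watched zone."""
    zones = [refang(w) for w in watched_indicators]
    hits = []
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if not m:
            continue
        qname = m.group(1)
        for zone in zones:
            if in_watched_zone(qname, zone):
                hits.append((qname.lower().rstrip("."), zone))
                break
    return hits


if __name__ == "__main__":
    for qname, zone in find_hits(SAMPLE_LOG, ["contaboserver[.]net"]):
        print(f"watched-zone hit: {qname} (zone {zone})")
```

Treat a hit as a triage lead rather than a verdict: the zone belongs to a hosting provider, so legitimate infrastructure can resolve there too, and the report's other observables (tax-agency lure, VBS stage, Delphi payload) should corroborate before blocking.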

OPENCTI LABELS:

grandoreiro, mediafire, contabo



