A BANKING TROJAN THAT STEALS CRYPTO IS TARGETING LATIN AMERICAN USERS

Last updated: June 19, 2025, 18:59 | Written by: Caitlin Long

The digital landscape in Latin America is facing a growing threat: banking trojans specifically designed to steal cryptocurrency. While banking trojans have been a persistent menace, particularly targeting Windows users across the region, the emergence of variants focused on cryptocurrency theft marks a significant escalation. These malicious programs are evolving rapidly, employing sophisticated techniques to bypass security measures and pilfer digital assets from unsuspecting victims. The impact of these attacks is far-reaching, affecting not just individuals but also financial institutions and the overall trust in the burgeoning crypto market within Latin America.

Imagine the frustration of carefully investing in cryptocurrency, only to have it vanish due to a sneaky piece of malware. This scenario is becoming increasingly common, compelling cybersecurity experts and users alike to take proactive steps to protect their digital wallets. This article delves into the details of these crypto-stealing banking trojans, examining their methods, targets, and, most importantly, how to defend against them. Stay informed, stay vigilant, and let's navigate this evolving threat together.

The Rise of Crypto-Stealing Banking Trojans in Latin America

Latin America has long been a hotbed for banking trojan activity, with notorious malware families like Grandoreiro, Mekotio, and Casbaneiro dominating the threat landscape. A newly spotted banking trojan has been caught leveraging legitimate platforms like YouTube and Pastebin to store its encrypted, remote configuration and commandeer infected Windows systems, making it the latest to join the long list of malware targeting Latin America (LATAM) after Guildma, Javali, Melcoz, Grandoreiro, Mekotio, Casbaneiro, Amavaldo, Vadokrist, and Janeleiro. However, recent trends reveal a shift towards targeting cryptocurrency, reflecting the growing popularity and value of digital currencies in the region. This shift presents new challenges for cybersecurity professionals and demands a revised approach to threat detection and prevention.

These trojans aren’t just randomly targeting computers; they are specifically crafted to identify and exploit users who are engaged in cryptocurrency transactions or storing crypto assets on their devices. This makes it crucial for crypto users in Latin America to understand the risks and implement robust security measures.

Mekotio: A Prime Example of Crypto-Focused Malware

One of the most prominent examples of this trend is the Mekotio trojan. Initially a conventional banking malware targeting traditional financial institutions, Mekotio has undergone significant updates to specifically target cryptocurrency users. According to a report by cybersecurity firm ESET, Mekotio has been active since around March 2025, constantly evolving its capabilities and expanding its range of attack.

Mekotio primarily targets Windows users across Latin America and is known for:

  • Stealing cryptocurrency wallet credentials.
  • Monitoring user activity related to crypto exchanges.
  • Intercepting and modifying transaction data.
  • Bypassing security defenses with sophisticated evasion techniques.

The continuous evolution of Mekotio highlights the dynamic nature of these threats and the need for constant vigilance. Cybercriminals are actively adapting their tools and tactics to stay ahead of security measures, making it imperative to stay informed about the latest threats.

Grandoreiro: The Re-Emergence and Expansion of a Banking Trojan

The Grandoreiro banking trojan has resurfaced in recent phishing campaigns, targeting users not only in Latin America but also in Europe. Forcepoint reports that Grandoreiro, active since at least 2015, initially focused on Brazil before expanding its operations to Mexico, Portugal, and Spain. Grandoreiro is a Latin American banking trojan, part of the Delphi-based malware family that includes Mekotio and Vadokrist. It primarily targets Windows machines and is designed to:

  • Steal banking credentials.
  • Log keystrokes and monitor activity.
  • Grant remote access to attackers.
  • Bypass security defenses with sandbox evasion.

The re-emergence of Grandoreiro with enhanced sophistication underscores the persistent threat posed by established malware families. The fact that it has expanded beyond its original territory demonstrates the increasing global reach of these cybercriminals. In early May 2025, campaigns specifically targeted users in Colombia, masquerading as official notifications from the Judiciary of Colombia, particularly the Civil Circuit of Bogota. The attacks aimed to deliver the notorious banking trojan DCRat, a Malware-as-a-Service (MaaS) tool known for its affordability and widespread use.

Phishing Campaigns and Deception Techniques

Cybercriminals are employing increasingly sophisticated phishing campaigns to distribute Grandoreiro and other banking trojans. These campaigns often involve:

  • Impersonating legitimate organizations, such as tax agencies or government institutions.
  • Using convincing email templates and subject lines to trick users into opening malicious attachments or clicking on infected links.
  • Employing techniques like URL obfuscation and VPS hosting to evade detection.

For example, cybersecurity firm Forcepoint uncovered a Grandoreiro campaign targeting users in Mexico, Argentina, and Spain via phishing emails impersonating tax agencies. Attackers used Contabo-hosted links to deliver obfuscated Visual Basic scripts and disguised EXE payloads for credential theft. These types of attacks highlight the importance of exercising caution when opening emails from unknown senders or clicking on suspicious links.
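The indicators named in this campaign description (links on VPS hosting, script attachments, EXE payloads disguised with a document extension) can be checked during mail triage. The Python script below is an added example, not code from Forcepoint or the original article; the `.contaboserver.net` suffix, the extension lists, and the sample message are assumptions constructed for illustration.

```python
import os
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: hostname suffix of Contabo customer VPS instances; extend per your telemetry.
VPS_SUFFIXES = (".contaboserver.net",)
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt", ".xml"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message (not a real campaign email).
SAMPLE = """\
From: "Servicio Tributario" <avisos@tax-agency.example>
Subject: Aviso de factura pendiente
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Descargue su factura: http://vmi0000000.contaboserver.net/factura?id=1
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Factura_2025.pdf.exe"

constructed placeholder bytes
--b1--
"""


def url_findings(text):
    """Flag links on watched VPS hostnames or with the host hidden behind '@'."""
    findings = []
    for url in URL_RE.findall(text):
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
        except ValueError:
            continue  # malformed URL, nothing to classify
        if host.endswith(VPS_SUFFIXES):
            findings.append(("vps_hosted_link", host))
        if "@" in parts.netloc:
            findings.append(("userinfo_in_url", url))
    return findings


def filename_findings(name):
    """Flag script attachments and executables dressed up with a document extension."""
    stem, ext = os.path.splitext(name.strip().lower())
    inner = os.path.splitext(stem)[1]
    if ext in SCRIPT_EXTS:
        return [("script_attachment", name)]
    if ext in EXEC_EXTS:
        kind = "double_extension_executable" if inner in DECOY_EXTS else "executable_attachment"
        return [(kind, name)]
    return []


def triage(raw_message):
    """Return (indicator, value) findings for one RFC 5322 message."""
    findings = []
    for part in message_from_string(raw_message).walk():
        filename = part.get_filename()
        if filename:
            findings += filename_findings(filename)
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            findings += url_findings(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return findings
```

Calling `triage(SAMPLE)` returns one finding for the VPS-hosted link and one for the double-extension attachment; a message with neither returns an empty list.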

Zanubis: Targeting Mobile Users in Peru

The threat landscape extends beyond desktop computers, with mobile banking trojans like Zanubis posing a significant risk to users in Latin America. Kaspersky Global Research and Analysis Team (GReAT) discovered a new version of Zanubis targeting users in Peru. Initially, in 2015, Zanubis mimicked PDF readers or Peruvian government organization apps; in 2025, it disguises itself as apps of a local company in the energy sector and a local bank.

Mobile banking trojans like Zanubis can:

  • Steal credentials from mobile banking apps.
  • Intercept SMS messages containing two-factor authentication codes.
  • Gain remote access to the infected device.

The increasing sophistication of mobile banking trojans underscores the need for mobile users to be vigilant and adopt robust security practices, such as downloading apps only from official app stores and being cautious about granting permissions to apps.

DCRat and DroidBot: The Rise of Remote Access Trojans (RATs)

Beyond banking trojans, Remote Access Trojans (RATs) are also emerging as a significant threat to financial institutions and cryptocurrency users in Latin America and beyond. IBM X-Force researchers observed an active phishing campaign targeting Colombian users with fake legal notices in early May 2025. This campaign, attributed to the financially motivated threat actor Hive0131, delivers the DCRat remote access trojan (RAT) via cleverly disguised emails impersonating the Civil Circuit of Bogotá Judiciary.

Similarly, Cleafy Labs uncovered DroidBot, a new Android Remote Access Trojan targeting banks, crypto exchanges, and national organizations in Europe and beyond. Active since mid-2025, DroidBot has been used in multiple campaigns, mainly targeting users in France, Italy, Spain, and Turkey. DroidBot operates with dual-channel communication and evolving tactics.

RATs enable attackers to remotely control infected devices, allowing them to:

  • Monitor user activity in real-time.
  • Steal sensitive information, including login credentials and financial data.
  • Deploy additional malware.
  • Execute fraudulent transactions.

The Mechanics of Attack: How These Trojans Operate

Understanding how these banking trojans operate is crucial for developing effective defenses. The typical attack chain involves several stages:

  1. Infection: The trojan is delivered to the victim's device, usually through phishing emails, malicious websites, or infected software downloads.
  2. Installation: Once executed, the trojan installs itself on the system, often using techniques to evade detection by antivirus software.
  3. Data Collection: The trojan begins collecting sensitive information, such as banking credentials, cryptocurrency wallet details, and keystrokes.
  4. Communication: The trojan communicates with a command-and-control (C&C) server, sending the stolen data to the attackers.
  5. Exfiltration: The attackers use the stolen data to access the victim's bank accounts or cryptocurrency wallets and transfer funds to their own accounts.

Each stage of the attack chain presents opportunities for detection and prevention. By implementing robust security measures at each stage, users can significantly reduce their risk of falling victim to these attacks.

Protecting Yourself: Practical Steps to Mitigate the Risk

While the threat of crypto-stealing banking trojans may seem daunting, there are several practical steps that users can take to protect themselves:

  • Be wary of phishing emails: Always scrutinize emails from unknown senders, and avoid clicking on links or opening attachments from suspicious sources. Verify the sender's identity by contacting them directly through a known phone number or email address.
  • Use strong passwords and enable two-factor authentication (2FA): Strong, unique passwords and 2FA can significantly reduce the risk of unauthorized access to your accounts.
  • Keep your software up to date: Regularly update your operating system, antivirus software, and other applications to patch security vulnerabilities.
  • Install a reputable antivirus program: A good antivirus program can detect and remove malware before it can cause harm.
  • Use a hardware wallet: A hardware wallet stores your cryptocurrency offline, making it much more difficult for attackers to steal your funds.
  • Be careful when downloading software: Only download software from trusted sources, such as official websites or app stores. Avoid downloading pirated software or cracks, as these are often bundled with malware.
  • Monitor your accounts regularly: Check your bank accounts and cryptocurrency wallets regularly for any suspicious activity. Report any unauthorized transactions immediately.
  • Educate yourself: Stay informed about the latest threats and security best practices. The more you know, the better equipped you will be to protect yourself.

The Importance of Cybersecurity Awareness Training

For businesses and organizations, cybersecurity awareness training is crucial. Employees need to be trained to recognize and avoid phishing scams, as well as to follow best practices for password management and software updates. Regular training sessions can help to create a security-conscious culture and reduce the risk of successful attacks.

The Role of Cybersecurity Firms in Combating These Threats

Cybersecurity firms like ESET, Forcepoint, Kaspersky, and Trend Micro play a vital role in combating crypto-stealing banking trojans. These firms:

  • Conduct research to identify new threats and understand how they operate.
  • Develop antivirus software and other security tools to detect and remove malware.
  • Provide threat intelligence and security advisories to help organizations stay informed about the latest threats.
  • Work with law enforcement agencies to investigate and prosecute cybercriminals.

By collaborating with cybersecurity firms, organizations can strengthen their defenses and improve their ability to respond to cyberattacks.

Looking Ahead: The Future of Crypto-Stealing Malware in Latin America

The threat of crypto-stealing malware in Latin America is likely to persist and evolve in the coming years. As cryptocurrency adoption continues to grow, cybercriminals will likely continue to target users in the region.

Zumanek is malware categorized as a banking Remote Access Trojan (RAT). It was distributed in October 2025 targeting Latin American banking customers. It is distributed through social engineering: cybercriminals use phishing tactics to trick users into downloading and installing Zumanek on their systems without their consent.

We can expect to see:

  • Increasingly sophisticated attack techniques.
  • A greater focus on mobile devices.
  • The emergence of new malware families.
  • More targeted attacks against specific individuals and organizations.

To stay ahead of these threats, it is essential to maintain a proactive security posture, continuously monitor the threat landscape, and adapt security measures as needed.

Frequently Asked Questions (FAQ)

What is a banking trojan?

A banking trojan is a type of malware that is designed to steal financial information, such as login credentials, credit card numbers, and bank account details. These trojans typically operate by intercepting user input, such as keystrokes, or by injecting malicious code into banking websites or applications.

How do banking trojans steal cryptocurrency?

Banking trojans can steal cryptocurrency by targeting cryptocurrency wallets, exchanges, and other related applications. They may steal login credentials, intercept transaction data, or even replace wallet addresses with those controlled by the attackers.

What are the signs of a banking trojan infection?

Signs of a banking trojan infection may include:

  • Slow computer performance.
  • Unexpected pop-up windows.
  • Changes to your browser settings.
  • Suspicious activity in your bank accounts or cryptocurrency wallets.
  • Unusual error messages or system crashes.

What should I do if I think I have been infected with a banking trojan?

If you suspect that you have been infected with a banking trojan, you should:

  • Run a full system scan with a reputable antivirus program.
  • Change all of your passwords, including those for your bank accounts and cryptocurrency wallets.
  • Contact your bank and cryptocurrency exchange to report the incident.
  • Monitor your accounts for any suspicious activity.

Are Macs also vulnerable to banking trojans?

While Windows is the primary target of most banking trojans, Macs are not immune. Cybercriminals are increasingly targeting macOS with malware, including banking trojans. Therefore, it is essential for Mac users to also implement robust security measures.

Conclusion: Staying Ahead of the Curve in a Dynamic Threat Landscape

The emergence of banking trojans targeting cryptocurrency users in Latin America represents a significant evolution in the cyber threat landscape. As cybercriminals continue to refine their techniques and expand their reach, it is crucial for individuals, businesses, and organizations to remain vigilant and proactive in their security efforts. Cybercriminals have brought back a notorious threat, the Grandoreiro banking trojan, with a new level of sophistication. This malware, previously known for targeting banking users, has been re-engineered and is now being deployed in widespread phishing campaigns across Latin America and Europe. By understanding the threats, implementing robust security measures, and staying informed about the latest developments, we can collectively mitigate the risk and protect our digital assets. Key takeaways include the importance of cybersecurity awareness, the need for strong passwords and two-factor authentication, and the value of partnering with cybersecurity firms to stay ahead of the curve. Protecting your digital assets requires constant vigilance and adaptation. Don't wait until you're a victim; take action today!

Caitlin Long can be reached at [email protected].
