A BANKING TROJAN THAT STEALS CRYPTO IS TARGETING LATIN AMERICAN USERS
The digital landscape in Latin America faces a growing threat: banking trojans built to steal cryptocurrency. Banking trojans have long been a persistent menace to Windows users across the region, but variants focused on cryptocurrency theft mark a significant escalation. These programs evolve rapidly, using sophisticated techniques to bypass security controls and drain digital assets from unsuspecting victims. The impact reaches beyond individuals to financial institutions and to overall trust in the region's growing crypto market.
Imagine carefully building up a cryptocurrency position, only to watch it vanish to a piece of malware. That scenario is becoming more common, and it compels security professionals and users alike to take proactive steps to protect their wallets. Latin American financial institutions and their customers are under increasing pressure from the Mekotio banking trojan, a Windows malware family known for targeting Brazil, Chile, Mexico, Spain, Peru, and Portugal to steal banking credentials. According to a report published by cybersecurity firm ESET, Mekotio has gone from conventional banking malware to a variant fine-tuned to steal cryptocurrency. This article examines how these crypto-stealing banking trojans work, whom they target, and, most importantly, how to defend against them.
The Rise of Crypto-Stealing Banking Trojans in Latin America
Latin America has long been a hotbed for banking trojan activity, with notorious families such as Grandoreiro, Mekotio, and Casbaneiro dominating the threat landscape. Most of them are Delphi-based Windows malware that steal banking credentials, log keystrokes, grant attackers remote access, and evade sandboxes. Recent trends, however, reveal a shift toward targeting cryptocurrency, reflecting the growing popularity and value of digital currencies in the region. This shift presents new challenges for cybersecurity professionals and demands a revised approach to threat detection and prevention.
These trojans do not infect computers at random; they are crafted to identify users who transact in cryptocurrency or keep wallet software and keys on their devices. That makes it crucial for crypto users in Latin America to understand the risks and implement robust security measures.
Mekotio: A Prime Example of Crypto-Focused Malware
One of the most prominent examples of this trend is the Mekotio trojan. Initially conventional banking malware aimed at traditional financial institutions, Mekotio has been updated to target cryptocurrency users as well. According to a report by cybersecurity firm ESET, which has tracked the family for years, its operators have continuously extended its capabilities and widened its range of targets.
Mekotio primarily targets Windows users across Latin America and is known for:
- Stealing cryptocurrency wallet credentials.
- Monitoring user activity related to crypto exchanges.
- Intercepting and modifying transaction data, notably by replacing a Bitcoin address copied to the Windows clipboard with one controlled by the attacker (a behaviour ESET documented in Mekotio).
- Bypassing security defenses with sophisticated evasion techniques.
The continuous evolution of Mekotio highlights the dynamic nature of these threats and the need for constant vigilance. Cybercriminals actively adapt their tools and tactics to stay ahead of security measures, so staying informed about the latest threats is imperative.
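The clipboard substitution described above is the behaviour most easily checked on the user's side: the address you copied and the address that ends up in the send form must be identical, and both must pass the address checksum. The Python below is an example added here, not code from the original article or from ESET, that implements that check for Bitcoin addresses: it validates legacy Base58Check and bech32/bech32m checksums and compares copied text with pasted text. The addresses in the demo are well-known public examples and the swap scenario is constructed; hooking the real clipboard (for instance through a GUI toolkit) is left out.

```python
import hashlib
import re

# Example added by the editor; not part of the original article and not ESET's code.
# Bitcoin address formats: legacy Base58Check (1.../3...) and bech32/bech32m (bc1...).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
ADDRESS_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b")


def _base58check_valid(addr: str) -> bool:
    """Decode Base58 and verify the 4-byte double-SHA256 checksum of a legacy address."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zero_bytes = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zero_bytes + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def _bech32_polymod(values):
    generator = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= generator[i]
    return chk


def _bech32_valid(addr: str) -> bool:
    """Verify the bech32 (BIP173) or bech32m (BIP350) checksum of a bc1... address."""
    addr = addr.lower()
    hrp, _, data = addr.rpartition("1")  # the separator is the last '1'
    if hrp != "bc" or len(data) < 6:
        return False
    if any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return _bech32_polymod(hrp_expanded + values) in (1, 0x2BC830A3)


def is_valid_address(addr: str) -> bool:
    if addr.lower().startswith("bc1"):
        return _bech32_valid(addr)
    return _base58check_valid(addr)


def find_addresses(text: str):
    """Return every checksum-valid bitcoin address embedded in text, in order of appearance."""
    return [a for a in ADDRESS_RE.findall(text) if is_valid_address(a)]


def check_paste(copied: str, pasted: str):
    """Compare what the user copied with what landed in the paste target.
    Two different checksum-valid addresses is the signature of a clipper: the trojan
    rewrote the clipboard with its own address, so the swap passes wallet validation."""
    src = find_addresses(copied)
    dst = find_addresses(pasted)
    if not src:
        return "no-address", "copied text contains no valid bitcoin address"
    if not dst:
        return "paste-invalid", "paste target holds no valid bitcoin address"
    if src[0] != dst[0]:
        return "swapped", f"copied {src[0]} but pasted {dst[0]}"
    return "ok", "paste matches the copied address"


if __name__ == "__main__":
    # Constructed scenario: the victim copies a deposit address, a clipper replaces it in
    # the clipboard, and the attacker's (also valid) address is what gets pasted.
    victim = "deposit to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    swapped = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
    print(check_paste(victim, swapped))
    print(check_paste(victim, victim))
```

Because a clipper writes a syntactically valid address, checksum validation alone never catches the swap; only comparing the copied value with the pasted one does, which is why wallet vendors tell users to compare the first and last characters on screen.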
Grandoreiro: The Re-Emergence and Expansion of a Banking Trojan
The Grandoreiro banking trojan has resurfaced in recent phishing campaigns, targeting users not only in Latin America but also in Europe. Forcepoint, which uncovered a campaign aimed at users in Mexico, Argentina, and Spain via phishing emails impersonating tax agencies, states that these large-scale campaigns rely on VPS hosting and obfuscation to evade detection. Forcepoint reports that Grandoreiro, active since at least 2015, initially focused on Brazil before expanding its operations to Mexico, Portugal, and Spain. It belongs to the Delphi-based Latin American banking trojan family that also includes Mekotio and Vadokrist, primarily targets Windows machines, and is designed to:
- Steal banking credentials.
- Log keystrokes and monitor activity.
- Grant remote access to attackers.
- Bypass security defenses with sandbox evasion.
The re-emergence of Grandoreiro with enhanced sophistication underscores the persistent threat posed by established malware families, and its expansion beyond its original territory shows the increasing reach of these criminals. It is not alone: Zumanek, a banking remote access trojan (RAT) spread through phishing and other social engineering that tricks users into installing it themselves, has also been distributed to Latin American banking customers.
Phishing Campaigns and Deception Techniques
Cybercriminals are employing increasingly sophisticated phishing campaigns to distribute Grandoreiro and other banking trojans. These campaigns often involve:
- Impersonating legitimate organizations, such as tax agencies or government institutions.
- Using convincing email templates and subject lines to trick users into opening malicious attachments or clicking on infected links.
- Employing techniques like URL obfuscation and VPS hosting to evade detection.
For example, cybersecurity firm Forcepoint uncovered a Grandoreiro campaign targeting users in Mexico, Argentina, and Spain via phishing emails impersonating tax agencies. The attackers used links on Contabo-hosted servers to deliver obfuscated Visual Basic scripts and EXE payloads disguised as documents, all in service of credential theft. Attacks like these highlight the importance of treating unexpected attachments and links with caution, even when the sender appears to be a government agency.
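As an added example (not the original article's or Forcepoint's tooling), the Python below triages a message in the style of the tax-agency lures above: it flags double extensions such as .pdf.exe, an MZ (PE) header hiding behind a document extension, Visual Basic scripts assembled from Chr() calls that then Execute what they built, and links whose visible text names an official domain while the href points to a bare IP. The sample message, attachment names and script are constructed, and the IP address comes from the RFC 5737 documentation range.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Example added by the editor; not part of the original article or any vendor's product.
# All sample content below is constructed; 203.0.113.0/24 is RFC 5737 documentation space.

EXEC_EXTS = {"exe", "scr", "com", "pif", "vbs", "vbe", "js", "jse", "wsf", "hta", "msi", "bat", "cmd", "lnk"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "xml", "zip"}
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "hta"}
PE_NAMED_EXTS = {"exe", "scr", "com", "pif", "dll"}

CHR_CALL = re.compile(rb"\bchrw?\s*\(", re.IGNORECASE)
RUNS_DECODED = re.compile(rb"\b(?:execute(?:global)?|eval)\b", re.IGNORECASE)
DOMAINISH = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Attachment:
    name: str
    data: bytes


def obfuscation_score(script: bytes) -> float:
    """0.0..1.0: share of lines built from Chr() calls or long '&' concatenation chains,
    plus a bonus when the script executes the string it assembled."""
    lines = [ln for ln in script.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    built = sum(1 for ln in lines if CHR_CALL.search(ln) or ln.count(b"&") >= 4)
    score = 0.7 * built / len(lines)
    if RUNS_DECODED.search(script):
        score += 0.3
    return min(score, 1.0)


def triage_attachment(att: Attachment):
    """Return the reasons an attachment looks like a disguised payload (empty if none)."""
    findings = []
    exts = att.name.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if len(exts) >= 2 and last in EXEC_EXTS and exts[-2] in DECOY_EXTS:
        findings.append(f"{att.name}: double extension, shown as .{exts[-2]} but runs as .{last}")
    if att.data[:2] == b"MZ" and last not in PE_NAMED_EXTS:
        findings.append(f"{att.name}: PE header (MZ) inside a file not named as an executable")
    if last in SCRIPT_EXTS:
        score = obfuscation_score(att.data)
        if score >= 0.5:
            findings.append(f"{att.name}: script obfuscation score {score:.2f}")
    return findings


def triage_links(html: str):
    """Flag anchors whose visible text names one domain while the href goes elsewhere,
    and links straight to an IP literal (typical of throwaway VPS hosting)."""
    findings = []
    for href, text in ANCHOR.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if IPV4.match(host):
            findings.append(f"link to bare IP {host}")
        m = DOMAINISH.match(text.strip())
        if m and host and m.group(1).lower() != host:
            findings.append(f"link text shows {m.group(1).lower()} but href goes to {host}")
    return findings


def triage_message(html: str, attachments):
    findings = triage_links(html)
    for att in attachments:
        findings.extend(triage_attachment(att))
    return findings


# Constructed message in the style of the tax-agency lures described above.
SAMPLE_HTML = (
    "<p>Estimado contribuyente, descargue su factura:</p>"
    '<a href="http://203.0.113.45/sat/Factura.vbs">www.sat.gob.mx/factura</a>'
)
SAMPLE_ATTACHMENTS = [
    Attachment("Factura_SAT.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
    Attachment("Factura.vbs", b"\n".join([
        b"Dim s",
        b"s = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116)",
        b"s = s & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)",
        b"Set o = CreateObject(s)",
        b"Execute s",
    ])),
    Attachment("Aviso.pdf", b"%PDF-1.4\n%...\n"),
]

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print("SUSPICIOUS:", finding)
```

The thresholds (four `&` per line, a 0.5 score) are tuning knobs chosen for this sample, not published detection values; in a mail gateway you would combine these checks with sender authentication results rather than rely on any one of them.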
Zanubis: Targeting Mobile Users in Peru
The threat landscape extends beyond desktop computers: mobile banking trojans like Zanubis pose a significant risk to users in Latin America. Kaspersky's Global Research and Analysis Team (GReAT) discovered a new version of Zanubis targeting users in Peru. Early versions of Zanubis mimicked PDF readers or apps of Peruvian government organizations; in 2025 it disguises itself as apps of a local company in the energy sector and of a local bank.
Mobile banking trojans like Zanubis can:
- Steal credentials from mobile banking apps.
- Intercept SMS messages containing two-factor authentication codes.
- Gain remote access to the infected device.
The increasing sophistication of mobile banking trojans underscores the need for mobile users to be vigilant and adopt robust security practices, such as installing apps only from official app stores and being cautious about granting permissions, especially accessibility and SMS access, which are exactly what a mobile banking trojan needs to read one-time codes and overlay fake login screens.
DCRat and DroidBot: The Rise of Remote Access Trojans (RATs)
Beyond banking trojans, Remote Access Trojans (RATs) are emerging as a significant threat to financial institutions and cryptocurrency users in Latin America and beyond. In early May 2025, IBM X-Force researchers observed an active phishing campaign targeting Colombian users with fake legal notices. The campaign, attributed to the financially motivated threat actor Hive0131, delivers the DCRat remote access trojan via emails disguised as official notifications from the Civil Circuit of Bogotá judiciary. DCRat is sold as Malware-as-a-Service (MaaS) and is known for its low price and widespread use.
Similarly, Cleafy Labs uncovered DroidBot, a new Android Remote Access Trojan targeting 77 banks, cryptocurrency exchanges, and national organizations in Europe and beyond. Active since mid-2024 according to Cleafy, DroidBot has been used in multiple campaigns, mainly against users in France, Italy, Spain, and Turkey, and operates with dual-channel communication and evolving tactics. On Windows, meanwhile, another newly spotted banking trojan was caught using legitimate platforms such as YouTube and Pastebin to store its encrypted remote configuration and commandeer infected systems, joining the long list of malware targeting Latin America (LATAM) that includes Guildma, Javali, Melcoz, Grandoreiro, Mekotio, Casbaneiro, Amavaldo, Vadokrist, and Janeleiro.
RATs enable attackers to remotely control infected devices, allowing them to:
- Monitor user activity in real-time.
- Steal sensitive information, including login credentials and financial data.
- Deploy additional malware.
- Execute fraudulent transactions.
The Mechanics of Attack: How These Trojans Operate
Understanding how these banking trojans operate is crucial for developing effective defenses. The typical attack chain involves several stages:
- Infection: The trojan is delivered to the victim's device, usually through phishing emails, malicious websites, or infected software downloads.
- Installation: Once executed, the trojan installs itself on the system, often using techniques to evade detection by antivirus software.
- Data Collection: The trojan begins collecting sensitive information, such as banking credentials, cryptocurrency wallet details, and keystrokes.
- Communication: The trojan contacts a command-and-control (C&C) server, receives instructions, and exfiltrates the stolen data to the attackers.
- Monetization: The attackers use the stolen data to access the victim's bank accounts or cryptocurrency wallets and transfer funds to accounts they control.
Each stage of the attack chain presents opportunities for detection and prevention. Mekotio illustrates why that matters: ESET reports that its operators have continuously upgraded its capabilities and range of attack, and the family is best known for targeting over 51 banks. By implementing robust security measures at each stage, users can significantly reduce their risk of falling victim to these attacks.
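The Communication stage is where network telemetry helps: a trojan's check-in loop produces connections at near-constant intervals, which ordinary browsing does not. The Python below is an added example, not the article's own and not specific to any one family's protocol; it parses constructed proxy-log lines of the form `timestamp src dst:port bytes` and flags (source, destination) pairs whose inter-arrival times have a low coefficient of variation. The log lines and addresses are made up for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Example added by the editor; not part of the original article and not tied to any
# specific malware family's protocol. SAMPLE_LOG is constructed: "timestamp src dst:port bytes".
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-05-06T10:00:00Z 10.0.0.12 203.0.113.77:443 512
2025-05-06T10:01:00Z 10.0.0.12 203.0.113.77:443 518
2025-05-06T10:02:01Z 10.0.0.12 203.0.113.77:443 511
2025-05-06T10:03:00Z 10.0.0.12 203.0.113.77:443 520
2025-05-06T10:03:59Z 10.0.0.12 203.0.113.77:443 514
2025-05-06T10:05:00Z 10.0.0.12 203.0.113.77:443 509
2025-05-06T10:06:01Z 10.0.0.12 203.0.113.77:443 515
2025-05-06T10:00:07Z 10.0.0.12 198.51.100.10:443 30211
2025-05-06T10:00:09Z 10.0.0.12 198.51.100.10:443 1840
2025-05-06T10:00:45Z 10.0.0.12 198.51.100.10:443 77012
2025-05-06T10:02:30Z 10.0.0.12 198.51.100.10:443 2210
2025-05-06T10:02:31Z 10.0.0.12 198.51.100.10:443 940
2025-05-06T10:04:12Z 10.0.0.12 198.51.100.10:443 5120
2025-05-06T10:05:55Z 10.0.0.12 198.51.100.10:443 401
"""


def parse_log(text):
    """Group events by (source, destination) so each pair can be examined for periodicity."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events[(src, dst)].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(size)))
    return events


def find_beacons(events, min_events=6, max_cv=0.15):
    """Flag pairs whose inter-arrival times are nearly constant (coefficient of variation
    at or below max_cv). Human browsing is bursty; a check-in loop stays metronomic even
    with a little jitter. Byte-size variation is reported as a secondary signal."""
    hits = []
    for (src, dst), evs in events.items():
        if len(evs) < min_events:
            continue
        evs = sorted(evs)  # logs are not guaranteed to arrive in time order
        deltas = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            sizes = [s for _, s in evs]
            hits.append({
                "src": src,
                "dst": dst,
                "events": len(evs),
                "period_s": round(mean, 1),
                "interval_cv": round(cv, 3),
                "bytes_cv": round(statistics.pstdev(sizes) / statistics.mean(sizes), 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon:", hit)
```

The sample host 203.0.113.77 checks in roughly every 60 seconds and is flagged, while the browsing traffic to 198.51.100.10 is not. Real C&C traffic adds randomized sleep and may ride on legitimate services such as the YouTube and Pastebin configuration hosting mentioned above, so treat the check as a lead for an analyst rather than a verdict, and widen the window (hours, not minutes) before deploying it.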
Protecting Yourself: Practical Steps to Mitigate the Risk
While the threat of crypto-stealing banking trojans may seem daunting, there are several practical steps that users can take to protect themselves:
- Be wary of phishing emails: Scrutinize emails from unknown senders, and avoid clicking links or opening attachments from suspicious sources. Verify the sender's identity by contacting them directly through a known phone number or email address, never through contact details supplied in the suspicious message itself.
- Use strong passwords and enable two-factor authentication (2FA): Strong, unique passwords and 2FA significantly reduce the risk of unauthorized access to your accounts. Prefer an authenticator app or hardware security key over SMS codes, since mobile banking trojans such as Zanubis are built to intercept text messages.
- Keep your software up to date: Regularly update your operating system, antivirus software, and other applications to patch security vulnerabilities.
- Install a reputable antivirus program: A good antivirus program can detect and remove malware before it can cause harm.
- Use a hardware wallet: A hardware wallet keeps your private keys offline, so malware on the computer cannot sign transactions by itself. Still confirm the destination address on the device's own screen before approving, because clipboard-swapping trojans alter the address before it ever reaches the wallet.
- Be careful when downloading software: Only download software from trusted sources, such as official websites or app stores. Avoid pirated software and cracks, which are often bundled with malware.
- Monitor your accounts regularly: Check your bank accounts and cryptocurrency wallets regularly for suspicious activity, and report unauthorized transactions immediately.
- Educate yourself: Stay informed about the latest threats and security best practices. The more you know, the better equipped you are to protect yourself.
The Importance of Cybersecurity Awareness Training
For businesses and organizations, cybersecurity awareness training is crucial. Employees need to be trained to recognize and avoid phishing scams and to follow best practices for password management and software updates. Regular training sessions help create a security-conscious culture and reduce the risk of successful attacks.
The Role of Cybersecurity Firms in Combating These Threats
Cybersecurity firms like ESET, Forcepoint, Kaspersky, and Trend Micro play a vital role in combating crypto-stealing banking trojans.These firms:
- Conduct research to identify new threats and understand how they operate.
- Develop antivirus software and other security tools to detect and remove malware.
- Provide threat intelligence and security advisories to help organizations stay informed about the latest threats.
- Work with law enforcement agencies to investigate and prosecute cybercriminals.
By collaborating with cybersecurity firms, organizations can strengthen their defenses and improve their ability to respond to cyberattacks.
Looking Ahead: The Future of Crypto-Stealing Malware in Latin America
The threat of crypto-stealing malware in Latin America is likely to persist and evolve in the coming years. As cryptocurrency adoption grows, cybercriminals will keep targeting users in the region, and the campaigns described above, from DroidBot's dual-channel Android RAT to Hive0131's DCRat phishing in Colombia, show how quickly the tooling is diversifying. We can expect to see:
- Increasingly sophisticated attack techniques.
- A greater focus on mobile devices.
- The emergence of new malware families.
- More targeted attacks against specific individuals and organizations.
To stay ahead of these threats, it is essential to maintain a proactive security posture, continuously monitor the threat landscape, and adapt security measures as needed.
Frequently Asked Questions (FAQ)
What is a banking trojan?
A banking trojan is a type of malware that is designed to steal financial information, such as login credentials, credit card numbers, and bank account details.These trojans typically operate by intercepting user input, such as keystrokes, or by injecting malicious code into banking websites or applications.
How do banking trojans steal cryptocurrency?
Banking trojans can steal cryptocurrency by targeting cryptocurrency wallets, exchanges, and other related applications.They may steal login credentials, intercept transaction data, or even replace wallet addresses with those controlled by the attackers.
What are the signs of a banking trojan infection?
Signs of a banking trojan infection may include:
- Slow computer performance.
- Unexpected pop-up windows.
- Changes to your browser settings.
- Suspicious activity in your bank accounts or cryptocurrency wallets.
- Unusual error messages or system crashes.
What should I do if I think I have been infected with a banking trojan?
If you suspect that you have been infected with a banking trojan, you should:
- Run a full system scan with a reputable antivirus program.
- Change all of your passwords, including those for your bank accounts and cryptocurrency wallets, and do it from a device you know to be clean, since a trojan still present on the infected machine would capture the new ones.
- Contact your bank and cryptocurrency exchange to report the incident.
- Monitor your accounts for any suspicious activity.
Are Macs also vulnerable to banking trojans?
While Windows is the primary target of most banking trojans, Macs are not immune. Cybercriminals are increasingly targeting macOS with malware, including banking trojans. Therefore, it is essential for Mac users to also implement robust security measures.
Conclusion: Staying Ahead of the Curve in a Dynamic Threat Landscape
The emergence of banking trojans targeting cryptocurrency users in Latin America represents a significant evolution in the cyber threat landscape. As cybercriminals continue to refine their techniques and expand their reach, individuals, businesses, and organizations must remain vigilant and proactive in their security efforts. By understanding the threats, implementing robust security measures, and staying informed about the latest developments, we can collectively mitigate the risk and protect our digital assets. Key takeaways include the importance of cybersecurity awareness, the need for strong passwords and two-factor authentication, and the value of partnering with cybersecurity firms to stay ahead of the curve. Protecting your digital assets requires constant vigilance and adaptation. Don't wait until you're a victim; take action today!