S0531: Grandoreiro
Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.[1][2]
Analyst context for executives and security teams
Grandoreiro matters because ATT&CK describes it as a Windows banking trojan, written in Delphi, operating under a Malware-as-a-Service model, with confirmed victims in Brazil, Mexico, Portugal, and Spain. The relationship set shows more than simple credential theft: it includes discovery of users, processes, windows, network settings, system information, and email accounts; clipboard and keystroke collection; registry modification; browser extension persistence; obfuscation; file deletion; tool transfer; web-based command and control; and exfiltration over C2. The decision for leaders is whether Windows endpoint, identity, web proxy, and incident response controls can demonstrate visibility across that chain, rather than only blocking known hashes.
Executive priority
Treat this as a coverage-validation case for financially motivated malware behavior on Windows, especially where banking, finance operations, or users handling sensitive credentials are in scope. Because no official ATT&CK detection text is provided, executives should ask for evidence that controls cover the behaviors linked to Grandoreiro: credential collection, persistence, C2 over web protocols and legitimate web services, registry changes, browser extension abuse, and exfiltration over the same C2 channel. This is also useful for audit and resilience discussions: can the organization show endpoint, network, and identity evidence sufficient to investigate suspected credential theft and data movement?
Technical view
SOC and IR teams should build validation around the ATT&CK relationships rather than a single malware signature. On Windows endpoints, confirm visibility into process discovery, user and system discovery, application window enumeration, registry modification, file creation/deletion, suspicious binary characteristics such as padding or encoded content, and execution through Visual Basic or native APIs where logged. Collection coverage should include clipboard access and keylogging-related detections where available. Network teams should validate HTTP/S or other web-protocol C2 monitoring, connections to external web services that may act as dead drop resolvers or bidirectional C2 channels, inbound tool transfer, and data leaving through the same channel. Because the object has no MITRE-provided detection guidance, local baselining and correlation across host, network, and identity telemetry are essential.
Likely telemetry
- Windows endpoint process execution and parent/child process telemetry
- Process, user, system, network configuration, and application window discovery events where available
- Windows Registry modification events
- File creation, deletion, rename, and metadata telemetry, including unusually large or encoded/obfuscated binaries
- Script and Visual Basic execution telemetry where collected
Detection direction
- Do not rely only on hash or static malware detection; Binary Padding and Encrypted/Encoded File relationships indicate that static signatures can be weakened by altered file representation.
- Correlate discovery behaviors in short time windows: process discovery, system/user discovery, network configuration discovery, system time discovery, application window discovery, and email account discovery are more meaningful together than individually.
- Tune for Windows registry changes that support persistence or defense evasion, especially when paired with new executable activity, fileless storage patterns, or unusual browser extension changes.
- Review outbound web traffic for unusual client behavior, repeated contact with external web services, web-based C2 patterns, tool transfer, and exfiltration over the same channel; expect false positives from legitimate web and SaaS use.
- Validate alert paths for collection behaviors such as keylogging and clipboard access, but document blind spots because many environments do not log these actions with high fidelity.
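A worked version of the "correlate discovery behaviors in short time windows" item above, added here as an example that is not part of the ATT&CK object or Glexia's analysis. It assumes endpoint telemetry already normalised to pipe-delimited lines of UTC timestamp, host, ATT&CK technique ID and image name (a constructed format), and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Discovery techniques this page lists for Grandoreiro (ATT&CK IDs).
DISCOVERY = {"T1057", "T1033", "T1082", "T1016", "T1124",
             "T1010", "T1087.003", "T1518.001"}

def parse_line(line):
    """Parse one constructed telemetry line: 'UTC time|host|technique|image'.
    Returns (host, epoch_seconds, technique_id)."""
    ts, host, tid, _image = line.split("|", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return host, when.timestamp(), tid

def discovery_bursts(events, window_s=120, min_techniques=4):
    """Return {host: technique_ids} for hosts where at least min_techniques
    distinct discovery techniques fall inside one window_s-second sliding
    window. Non-discovery events are ignored: an isolated tasklist is noise,
    a burst of different enumeration steps is the signal."""
    per_host = defaultdict(list)
    for host, ts, tid in events:
        if tid in DISCOVERY:
            per_host[host].append((ts, tid))
    hits = {}
    for host, evs in per_host.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window_s:
                lo += 1  # slide the window start forward
            seen = {tid for _, tid in evs[lo:hi + 1]}
            if len(seen) >= min_techniques:
                hits[host] = hits.get(host, set()) | seen
    return hits

# Constructed sample: one finance workstation enumerating in a burst, one HR
# workstation with two unrelated discovery events 45 minutes apart.
SAMPLE = """\
2020-07-14T10:00:01Z|WS-FIN-07|T1057|tasklist.exe
2020-07-14T10:00:03Z|WS-FIN-07|T1082|systeminfo.exe
2020-07-14T10:00:04Z|WS-FIN-07|T1033|whoami.exe
2020-07-14T10:00:05Z|WS-FIN-07|T1105|updater.exe
2020-07-14T10:00:30Z|WS-FIN-07|T1010|updater.exe
2020-07-14T10:01:10Z|WS-FIN-07|T1016|ipconfig.exe
2020-07-14T10:00:00Z|WS-HR-02|T1057|tasklist.exe
2020-07-14T10:45:00Z|WS-HR-02|T1082|systeminfo.exe"""

def run_sample():
    """Apply the correlation to the constructed sample."""
    return discovery_bursts(parse_line(l) for l in SAMPLE.splitlines())
```

Only WS-FIN-07 is returned: five different discovery techniques inside 70 seconds, while the T1105 event is ignored and the HR host's two events are too far apart.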
Mitigation priorities
- Prioritize Windows endpoint detection and response coverage for execution, discovery, registry, file, browser extension, and collection behaviors.
- Harden identity and credential use for high-risk users and finance-related workflows, including strong authentication and rapid credential reset procedures after suspected keylogging or clipboard collection.
- Apply controlled browser extension governance and monitor extension installation or modification on managed endpoints.
- Restrict and monitor unnecessary script execution, Visual Basic usage, and suspicious native API-driven behavior where practical without disrupting business operations.
- Use egress filtering, proxy logging, and network monitoring to limit and investigate unauthorized web-protocol C2, external web service abuse, tool transfer, and exfiltration over C2.
Analyst notes and limits
The object is a malware entry for Grandoreiro, ATT&CK S0531, in enterprise-attack, with Windows as the supplied platform. MITRE's description states it is a Delphi banking trojan first observed in 2016, uses a MaaS business model, and has confirmed victims in Brazil, Mexico, Portugal, and Spain. The practical defensive picture comes mainly from the listed "uses" relationships to ATT&CK techniques across discovery, execution, persistence, defense evasion/stealth, collection, credential access, command and control, exfiltration, and defense impairment.
Official detection guidance is not provided for this object, and tactics are not specified on the malware object itself. This take is therefore based on the official description, external references, platform field, and supplied relationship context. Local telemetry, business geography, user roles, financial workflows, and control architecture are required to assess actual exposure or detection coverage.
Grandoreiro
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.005 | Visual Basic Sub-technique | Grandoreiro can use VBScript to execute malicious code. (Citation: Securelist Brazilian Banking Malware July 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Grandoreiro has used malicious links to gain execution on victim machines. (Citation: IBM Grandoreiro April 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1057 | Process Discovery | Grandoreiro can identify installed security tools based on process names. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions. (Citation: IBM Grandoreiro April 2020) |
| Enterprise | T1539 | Steal Web Session Cookie | Grandoreiro can steal the victim's cookies to use for duplicating the active session from another device. (Citation: IBM Grandoreiro April 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | Grandoreiro can download its second stage from a hardcoded URL within the loader's code. (Citation: IBM Grandoreiro April 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Grandoreiro can use SSL in C2 communication. (Citation: IBM Grandoreiro April 2020) |
| Enterprise | T1102.001 | Dead Drop Resolver Sub-technique | Grandoreiro can obtain C2 information from Google Docs. (Citation: Securelist Brazilian Banking Malware July 2020) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Grandoreiro has named malicious browser extensions and update files to appear legitimate. (Citation: IBM Grandoreiro April 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1112 | Modify Registry | Grandoreiro can modify the Registry to store its configuration at `HKCU\Software\` under frequently changing names including |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | Grandoreiro can utilize web services including Google sites to send and receive C2 data. (Citation: IBM Grandoreiro April 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Grandoreiro can send data it retrieves to the C2 server. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1222.001 | Windows Permissions Sub-technique | Grandoreiro can modify the binary ACL to prevent security tools from running. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file. (Citation: Securelist Brazilian Banking Malware July 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1124 | System Time Discovery | Grandoreiro can determine the time on the victim machine via IPinfo. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Grandoreiro can use run keys and create link files in the startup folder for persistence. (Citation: IBM Grandoreiro April 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Grandoreiro has infected victims via malicious attachments. (Citation: IBM Grandoreiro April 2020) |
| Enterprise | T1033 | System Owner/User Discovery | Grandoreiro can collect the username from the victim's machine. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1010 | Application Window Discovery | Grandoreiro can identify installed security tools based on window names. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | Grandoreiro can store its configuration in the Registry at `HKCU\Software\` under frequently changing names including |
| Enterprise | T1087.003 | Email Account Sub-technique | Grandoreiro can parse Outlook .pst files to extract e-mail addresses. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1082 | System Information Discovery | Grandoreiro can collect the computer name and OS version from a compromised host. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1027.001 | Binary Padding Sub-technique | Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file, increasing each binary to at least 300MB in size. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1218.007 | Msiexec Sub-technique | Grandoreiro can use MSI files to execute DLLs. (Citation: Securelist Brazilian Banking Malware July 2020) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Grandoreiro can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1185 | Browser Session Hijacking | Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields. (Citation: Securelist Brazilian Banking Malware July 2020) (Citation: IBM Grandoreiro April 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Grandoreiro can log keystrokes on the victim's machine. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Grandoreiro can delete .LNK files created in the Startup folder. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1497.001 | System Checks Sub-technique | Grandoreiro can detect VMWare via its I/O port and Virtual PC via the |
| Enterprise | T1685 | Disable or Modify Tools | Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1115 | Clipboard Data | Grandoreiro can capture clipboard data from a compromised host. (Citation: IBM Grandoreiro April 2020) |
| Enterprise | T1176.001 | Browser Extensions Sub-technique | Grandoreiro can use malicious browser extensions to steal cookies and other user information. (Citation: IBM Grandoreiro April 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Grandoreiro can decrypt its encrypted internal strings. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1189 | Drive-by Compromise | Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer. (Citation: Securelist Brazilian Banking Malware July 2020) (Citation: IBM Grandoreiro April 2020) |
| Enterprise | T1686.002 | Network Device Firewall Sub-technique | Grandoreiro can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Grandoreiro can bypass UAC by registering as the default handler for .MSC files. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | Grandoreiro can determine the IP and physical location of the compromised host via IPinfo. (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1106 | Native API | Grandoreiro can execute through the |
| Enterprise | T1568.002 | Domain Generation Algorithms Sub-technique | Grandoreiro can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key that changes daily. (Citation: Securelist Brazilian Banking Malware July 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Grandoreiro has the ability to use HTTP in C2 communications. (Citation: IBM Grandoreiro April 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Grandoreiro has been spread via malicious links embedded in e-mails. (Citation: IBM Grandoreiro April 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Grandoreiro can steal cookie data and credentials from Google Chrome. (Citation: IBM Grandoreiro April 2020) (Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1686 | Disable or Modify System Firewall | Grandoreiro can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level. (Citation: ESET Grandoreiro April 2020) |
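A file-level heuristic for the T1027.001 Binary Padding row in the table above (resources inflated to at least 300MB), added here as an example that is not part of the page's or MITRE's content. It reads only the PE section table and takes the on-disk file size as an argument, so the padded body is never loaded; the header it is exercised on is constructed test data, and the 300MB and 90% thresholds are assumptions to tune against the local software inventory.

```python
import struct

def pe_sections(header):
    """Parse the section table from the leading bytes of a PE file.
    Returns [(name, size_of_raw_data, pointer_to_raw_data), ...]."""
    if header[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", header, 0x3C)[0]
    if header[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    nsect, opt_size = struct.unpack_from("<H12xH", header, pe_off + 6)
    base = pe_off + 24 + opt_size  # section table follows the optional header
    out = []
    for i in range(nsect):
        # Name(8) ... SizeOfRawData at +16, PointerToRawData at +20.
        name, raw_size, raw_ptr = struct.unpack_from("<8s8xII", header, base + i * 40)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, raw_ptr))
    return out

def padding_verdict(header, file_size, min_size=300 * 1024 * 1024, rsrc_share=0.9):
    """Flag a very large PE whose .rsrc section is almost the whole file,
    the shape the page describes for Grandoreiro's BMP-padded binaries.
    Thresholds are assumptions; a hash-only control never sees this."""
    sections = pe_sections(header)
    rsrc = sum(size for name, size, _ in sections if name == ".rsrc")
    share = rsrc / file_size if file_size else 0.0
    return {"sections": [name for name, _, _ in sections],
            "rsrc_share": round(share, 3),
            "suspicious": file_size >= min_size and share >= rsrc_share}

def build_fake_pe_header(sections):
    """Constructed test data: a minimal MZ/PE header with an empty optional
    header and the given [(name, size_of_raw_data)] section table."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, ptr = b"", 0x200
    for name, size in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             size, ptr, size, ptr, 0, 0, 0, 0, 0x40000040)
        ptr += size
    return dos + coff + table
```

On a real endpoint the same function would be fed the first few kilobytes of the file plus `os.path.getsize`, which keeps the check cheap even for multi-hundred-megabyte binaries.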
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a50e89f57a9d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Securelist Brazilian Banking Malware July 2020: GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- [2] ESET Grandoreiro April 2020: ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- [3] mitre-attack S0531.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.