Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively. That's according to new findings from WatchGuard and ESET, which have observed the two malware families being used to single out companies in Spain, Portugal, and Mexico, as well as mobile users in Brazil. The Grandoreiro campaign "uses the DLL Side-Loading technique abusing four different software, targeting banks in Portugal," WatchGuard researcher Euler Neto said. Active since 2016, Grandoreiro is an actively evolving banking malware that's capable of stealing credentials associated with thousands of financial institutions across 45 countries and territories. It's typically distributed via phishing emails, instructing recipients to click on sketchy links. Despite some arrests and attempts by Brazilian authorities to dismantle its infrastructure in early 2024, the malware has continued to expand its targeting footprint, while incorporating CAPTCHA checks to resist analysis. The latest campaign flagged by WatchGuard has been found to leverage DLL side-loading to launch DLLs that are developed in Delphi 11, a programming language commonly used for malware targeting the region. Two of the DLLs - mingwm10.dll and libwebp.dll - have been found to incorporate sgcWebSockets, a WebSocket and real-time communication library, for peer-to-peer (P2P) and WebRTC communications. "The DLLs associated with this case use the Session Traversal Utilities for NAT (STUN) protocol, which is a protocol that helps devices behind a NAT discover their public IP address and port number, enabling peer-to-peer communication," WatchGuard explained. "The advantage for threat actors to use web conferencing traffic in their campaigns is due to this traffic being noisy, being difficult to monitor, and due to WebRTC being commonly used across all major web-conferencing platforms."