Trojan:Win32/Grandoreiro.A is a sophisticated banking trojan that specifically targets financial institutions and their customers across Latin America, Europe, and increasingly worldwide. First documented in 2016, Grandoreiro belongs to a broader family of Brazilian-origin banking malware that has evolved significantly in complexity and scope. This trojan specializes in stealing banking credentials, credit card information, and other sensitive financial data through screen overlay attacks, keylogging, and direct manipulation of browser sessions during online banking activities.
What makes Grandoreiro particularly dangerous is its modular architecture and geographic awareness—it can identify which country and which specific banks a victim uses, then deploy customized overlay windows that perfectly mimic legitimate banking login pages. The malware operators continuously update their target lists and social engineering tactics, making Grandoreiro an ongoing threat to anyone conducting financial transactions online.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Family | Grandoreiro banking trojan (Latin American banking malware cluster) |
| Classification | Trojan-Banker, credential stealer, overlay malware |
| Aliases | Win32/Grandoreiro, Trojan.Grandoreiro, BKDR_GRANDOREIRO (known across vendor databases) |
| Platform | Windows (all versions from Windows 7 through Windows 11) |
| First Documented | 2016, with major evolution phases in 2019 and 2020 |
| Primary Distribution | Phishing emails with malicious attachments (MSI installers, ZIP archives), fake software updates, compromised websites with drive-by downloads |
| Persistence Mechanisms | Registry Run keys, scheduled tasks, DLL injection into legitimate processes (explorer.exe, svchost.exe) |
| Core Capabilities | Keylogging, screen capture, mouse/keyboard control simulation, browser overlay injection, clipboard monitoring, anti-VM/sandbox detection, geographic targeting |
| Target Institutions | Over 1,500 banks and financial institutions worldwide (initially Brazil-focused, now global including US, Spain, Portugal, Mexico) |
| Network Behavior | Communicates with command-and-control servers using encrypted channels, downloads configuration updates including target bank lists and overlay templates |
| Data Exfiltration | Sends captured credentials, screenshots, and system information to attacker-controlled servers in real-time during banking sessions |
| Removal Difficulty | High—uses process injection, multiple persistence points, and may reinstall components if removal is incomplete |
How It Spreads
Grandoreiro's operators rely heavily on social engineering campaigns tailored to their target regions. The most common infection vector is spear-phishing emails that impersonate government agencies, tax authorities, utility companies, or shipping services. These emails contain urgent messages about unpaid bills, tax refunds, package deliveries, or account suspensions—all designed to provoke immediate action without careful scrutiny. The attachments typically appear as PDFs or documents but are actually MSI installer packages, ZIP archives containing executables, or weaponized Office documents with macros.
The malware's distribution infrastructure is sophisticated and constantly rotating. Attackers use compromised legitimate websites to host malware payloads, making detection more difficult since the download sources aren't flagged as malicious by reputation systems. In some campaigns, victims are directed through multiple redirect chains before reaching the final payload, with each step performing checks to avoid security researchers and automated analysis systems. The trojan can also spread through malvertising campaigns on legitimate websites and through fake software update notifications that appear while browsing.
Common distribution methods include:
- Phishing emails with urgent financial or legal themes containing MSI installers disguised as PDF readers or document viewers
- Fake government notices, particularly from tax authorities (IRS in the US, Receita Federal in Brazil, AEAT in Spain), with malicious attachments
- Compromised website downloads where legitimate sites are exploited to host and distribute the trojan payload
- Malicious advertisements on popular websites offering free software, games, or utilities that bundle Grandoreiro
- Fake software updates for browsers, Flash Player, Java, or PDF readers that actually install the banking trojan
- ZIP archives containing executables with double extensions (like "invoice.pdf.exe") to fool users into thinking they're documents
- Exploit kit campaigns targeting unpatched vulnerabilities in browsers and plugins (less common but documented)
What It Does On Your Machine
Once executed, Grandoreiro performs extensive reconnaissance on the infected system. It identifies the operating system version, installed security software, geographic location (through IP geolocation and system language settings), and most critically, which banking websites the user visits. The trojan monitors browser activity constantly, waiting for the victim to navigate to any of its target financial institutions. It maintains an extensive configuration file—regularly updated from its command-and-control servers—containing information about hundreds of banks including their URLs, the specific form fields where credentials are entered, and customized overlay templates designed to match each bank's login interface.
When you visit a targeted banking website, Grandoreiro springs into action with remarkable precision. It injects fake overlay windows directly onto the legitimate banking page—these overlays are pixel-perfect replicas of the real login interface, positioned exactly where you expect the legitimate form to appear. As you type your username, password, security questions, or PIN codes, the trojan captures every keystroke. It simultaneously takes screenshots of your banking session, records your mouse movements, and in some variants, can even simulate mouse clicks and keyboard input to navigate through banking interfaces on your behalf. This allows attackers to conduct fraudulent transactions in real-time while you're still logged in.
Beyond banking credential theft, Grandoreiro monitors your clipboard for copied credit card numbers, cryptocurrency wallet addresses, or authentication codes. Some variants include features to bypass two-factor authentication by capturing SMS codes or authentication app tokens through screen capture. The malware communicates with its control servers through encrypted channels, sending stolen data in near-real-time while also downloading updates to its bank target lists and new overlay templates. It employs multiple anti-analysis techniques including detecting virtual machines, sandboxes, and debugging tools, which can cause it to remain dormant or terminate itself if it suspects it's being analyzed rather than running on a real victim's machine.
The trojan establishes deep persistence on your system by injecting its code into legitimate Windows processes like explorer.exe or svchost.exe, making it difficult to identify and remove. It creates multiple registry keys to ensure it starts with Windows and may install itself as a scheduled task that re-executes periodically even if the main process is killed. Typical filesystem artifacts for Grandoreiro variants include randomly-named folders in user directories containing DLL files and encrypted configuration data.
Manual Removal — Step by Step
Immediately Disconnect From Internet and Alert Financial Institutions
Before attempting removal, physically disconnect your computer from the internet by unplugging the ethernet cable or disabling Wi-Fi. This prevents the trojan from sending any additional stolen data or receiving commands. Immediately call all banks, credit card companies, and financial services you use from a different device (your phone) and inform them of the suspected compromise. Ask them to flag your account for unusual activity and consider placing temporary holds on large transactions until you've confirmed your system is clean.
Boot Into Safe Mode with Networking
Restart your computer and boot into Safe Mode with Networking. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and select option 5 for Safe Mode with Networking. Safe Mode loads only essential system drivers and services, preventing most malware (including Grandoreiro's main components) from executing, making removal safer and more effective.
End Suspicious Processes and Check for DLL Injection
Open Task Manager (Ctrl+Shift+Esc) and look for unfamiliar processes, especially those with random names or consuming unusual amounts of memory. Grandoreiro often runs from %APPDATA% or %LOCALAPPDATA% directories. Use Process Explorer (from Microsoft Sysinternals) if available to check explorer.exe and svchost.exe processes for loaded DLLs from suspicious locations—these indicate process injection. Terminate any suspicious processes, though note that in Safe Mode, many malicious processes won't be running anyway.
Remove Registry Persistence Entries
Open Registry Editor (type regedit in the Start menu) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries with random names or pointing to executables in %APPDATA% or %LOCALAPPDATA% folders. Delete any suspicious entries. Also check HKEY_CURRENT_USER\Software for subkeys with random GUID-style names or software names you don't recognize—these may hold the trojan's configuration data.
Delete Scheduled Tasks Created by the Trojan
Open Task Scheduler (search for it in the Start menu) and review the task list under Task Scheduler Library. Grandoreiro creates scheduled tasks with random names that execute hourly or at logon. Look for tasks that run executables from %APPDATA% or %LOCALAPPDATA% directories, particularly those with random folder names or GUIDs. Delete any suspicious tasks—legitimate Windows tasks are well-documented and typically have Microsoft as the author.
Locate and Delete the Malware Folders
Open File Explorer and enable viewing of hidden files (View tab → Hidden Items checkbox). Navigate to C:\Users\[YourUsername]\AppData\Roaming and C:\Users\[YourUsername]\AppData\Local. Look for folders with random names, GUID-style names (like {8F3D2A1B-4C5E-...}), or unfamiliar software names. Before deleting, note the folder path to compare against registry entries you found earlier. Delete the entire folder containing the trojan files. Also check your Downloads folder and Temp folder (type %TEMP% in File Explorer) for recently downloaded MSI files or suspicious archives.
Run Comprehensive Anti-Malware Scans
While still in Safe Mode with Networking, download and run Malwarebytes (from malwarebytes.com using a clean device or after reconnecting briefly). Let it perform a full system scan, which will detect Grandoreiro components and other potentially unwanted programs. Also run a scan with your existing antivirus if installed. Banking trojans often install alongside other malware, so comprehensive scanning is essential. Follow prompts to quarantine and delete all detected threats.
Reset Browser Settings and Clear Saved Data
Grandoreiro may have modified browser settings or installed malicious extensions. Open each browser you use (Chrome, Firefox, Edge) and reset it to default settings (found in browser settings under Advanced or Privacy sections). Remove any unfamiliar extensions. Clear all cached data, cookies, and especially saved passwords since the trojan may have already captured these. After cleaning your system, you'll need to re-enter passwords manually—do this only after confirming the malware is gone.
Change All Financial Passwords From a Clean Device
Do not change passwords on the infected computer until you're absolutely certain it's clean. Use a different device (smartphone, tablet, or another computer) to change passwords for all banking accounts, credit cards, email accounts (especially the one associated with financial accounts), and any other sensitive services. Enable two-factor authentication on every account that offers it. Consider using a password manager going forward to generate and store unique passwords for each service.
Reboot Normally and Verify System Integrity
Restart your computer normally (not in Safe Mode) and monitor its behavior carefully. Check Task Manager for unusual processes, verify that the deleted registry entries haven't returned, and confirm that scheduled tasks remain removed. Run one more full scan with Malwarebytes and your antivirus. Test your internet connection carefully by visiting non-financial websites first. Monitor your bank accounts daily for the next several weeks for any unauthorized transactions. If you notice any suspicious behavior recurring, the infection may not be fully removed—professional assistance is recommended at this point.
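The persistence checks from the steps above (Run keys, scheduled tasks, and DLLs loaded into explorer.exe or svchost.exe from user-writable folders) can be gathered in one pass. The PowerShell audit script below is an added example, not part of the original article or any vendor tool; it only lists entries and flags those whose target lives under %APPDATA%, %LOCALAPPDATA% or %TEMP%, so the decision to delete still follows the steps above.

```powershell
# Added audit script (not from the original article): lists the persistence
# points the removal steps above inspect by hand and flags any entry whose
# target lives under %APPDATA%, %LOCALAPPDATA% or %TEMP%. Read-only: deletes nothing.
# Run from an elevated PowerShell so HKLM and svchost.exe modules are readable.

$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Test-SuspectPath {
    param([string]$Text)
    if (-not $Text) { return $false }
    $t = [Environment]::ExpandEnvironmentVariables($Text).ToLowerInvariant()
    foreach ($root in $suspectRoots) { if ($t.Contains($root)) { return $true } }
    return $false
}

# 1. Run keys (step "Remove Registry Persistence Entries")
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        $flag = if (Test-SuspectPath $p.Value) { 'SUSPECT' } else { 'ok     ' }
        "[$flag] $key\$($p.Name) = $($p.Value)"
    }
}

# 2. Scheduled tasks (step "Delete Scheduled Tasks Created by the Trojan")
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-SuspectPath $cmd) {
            "[SUSPECT] task $($task.TaskPath)$($task.TaskName) runs: $cmd"
        }
    }
}

# 3. DLLs loaded into explorer.exe / svchost.exe from user-writable paths
#    (step "End Suspicious Processes and Check for DLL Injection")
Get-Process -Name explorer, svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        foreach ($m in $proc.Modules) {
            if (Test-SuspectPath $m.FileName) {
                "[SUSPECT] PID $($proc.Id) $($proc.ProcessName) loaded $($m.FileName)"
            }
        }
    } catch { "[skip] PID $($proc.Id) $($proc.ProcessName): $($_.Exception.Message)" }
}
```

If the Task Scheduler service is not running in Safe Mode, section 2 prints nothing; run the script again after the normal reboot to confirm the tasks and Run entries have not returned.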
Prevention
- Treat all unexpected emails with extreme suspicion, especially those claiming to be from government agencies, banks, or shipping companies with urgent requests or attachments. Legitimate institutions don't send unsolicited attachments or ask you to download files to resolve account issues. When in doubt, contact the organization directly using phone numbers from their official website, not from the email.
- Never open email attachments with executable extensions (.exe, .msi, .scr, .bat, .cmd, .com) even if they appear to come from known contacts—email accounts are frequently compromised. Be especially wary of ZIP archives from unknown senders. Enable the "File name extensions" view in Windows Explorer so you can see full file names including double extensions like "document.pdf.exe" that disguise executables as documents.
- Keep Windows and all software updated with the latest security patches. Enable automatic updates for Windows, your browser, Adobe Reader, Java, and other commonly exploited software. Uninstall programs you no longer use, particularly Java and Adobe Flash Player (now obsolete)—these were common attack vectors for banking trojans.
- Use a reputable antivirus solution with real-time protection and keep it updated. While traditional antivirus alone may not catch zero-day variants of Grandoreiro, it provides essential baseline protection against known threats and suspicious behavior. Consider supplementing with Malwarebytes Premium for additional anti-exploit protection specifically designed to stop banking trojans.
- Download software only from official sources—never from pop-up ads, search engine results labeled as ads, or third-party download sites. Be especially cautious with "free" versions of paid software, PDF readers, or video codecs offered on unfamiliar websites. These are common malware delivery mechanisms. Always navigate directly to the software developer's official website.
- Monitor your banking accounts regularly and enable transaction alerts via text or email for all financial accounts. The sooner you detect fraudulent activity, the better your chances of recovery. Most banks offer real-time notifications for transactions above a certain threshold—enable these and set the threshold low enough to catch unauthorized activity quickly.
- Use a dedicated computer or virtual machine for online banking if your finances justify the extra precaution. A hardened system used exclusively for financial transactions and never for general web browsing, email, or software downloads significantly reduces exposure to banking trojans. Alternatively, consider doing banking only on mobile devices with up-to-date operating systems, which are less frequently targeted by Grandoreiro.
- Be skeptical of unexpected phone calls claiming to be from your bank, especially if they request remote access to your computer or ask you to download software. Banking trojans are increasingly distributed through "tech support scam" call centers that convince victims to install the malware themselves. Banks will never ask for remote access or instruct you to download software.
Bring It In
Banking trojans like Grandoreiro require professional-grade removal techniques that go beyond what typical antivirus software can provide. The risk of incomplete removal is simply too high when your financial security is at stake—a single missed persistence mechanism or hidden DLL can allow the trojan to reinstall itself and continue harvesting credentials. At Computer Repair Roswell, we've handled hundreds of banking malware cases and understand exactly where these trojans hide, how they persist, and what's required to eliminate them completely. We use specialized forensic tools to detect rootkits, analyze process injection, and verify that every trace is removed before returning your system to you.
Located right here in Roswell at 1910 Willeo Creek Dr, we're your local experts for malware emergencies. We offer same-day service for critical infections like banking trojans—we understand that every hour counts when your financial accounts may be compromised. Call us at (770) 679-9864 to schedule an appointment or if you need immediate guidance on securing your accounts. Bring your infected computer to our shop, and we'll not only remove the malware completely but also help you strengthen your defenses against future attacks. Your financial security is too important to leave to chance.