While WatchGuard and ESET reports highlight Grandoreiro's DLL side-loading against Portuguese banks and BTMOB's Android RAT features, the deeper pattern reveals how these campaigns weaponize trusted services like Mediafire and WebRTC to target ordinary consumers rather than just institutions. Grandoreiro, active since 2016 despite 2024 Brazilian disruptions, now blends STUN/ICE protocols with CAPTCHA evasion to blend into video call traffic, a tactic that evades perimeter defenses and directly harvests credentials from users of Revolut, Wise, and regional banks. BTMOB's APK builder and PIN-capture upgrades extend this risk to mobile users in Brazil, enabling automated credential theft on open apps. Kaspersky's October 2024 analysis of overlapping phishing chains was missed in current coverage, showing how financially motivated groups reuse infrastructure across regions. This creates immediate personal risk as malware silently drains accounts from millions of Windows and Android devices without corporate safeguards. Connections to broader surveillance trends emerge as P2P WebRTC abuse mirrors state-level traffic obfuscation techniques, though here driven purely by profit. Surface-level antivirus fails against such layered anti-analysis, forcing reliance on behavioral monitoring that most users lack.