
Grandoreiro Stealer Targeting Spain and Latin America: Malware Analysis and Decryption Insights

Published 04/04/2025 19:54 · Modified 07/04/2025 08:05


Essential information

Published: 04/04/2025 19:54
Modified: 07/04/2025 08:05
Tags: 2025-04-04, grandoreiro, phishing
Related entities: 1 intrusion set (APT), 18 techniques (MITRE), 1 malware, 3 others

Description

A new campaign using the Brazilian Grandoreiro stealer has been detected targeting Spain and Latin American countries. The malware, active since 2017, aims to steal sensitive information, including banking credentials and personal data. It employs evasion techniques such as string encryption and anti-sandbox checks. The campaign is distributed through emails carrying VBS files. Once executed, the malware performs several checks to evade detection and relies on legitimate services for geolocation and DNS resolution. The report gives detailed insight into the malware's behaviour and explains the string obfuscation and decryption techniques used in this campaign.

External references