Beware of malware disguised as Endesa: Grandoreiro campaign unleashed

by Lorraine Williamson

In a recent press release, the Oficina de Seguridad del Internauta (OSI) has alerted the public to a widespread distribution of malware, specifically the Grandoreiro Trojan, disguising itself as communications from Endesa.

This phishing campaign aims to exploit unsuspecting recipients by tricking them into executing a malicious code hidden within a seemingly innocent compressed file.

Affected resources

Individuals who have received the described email, clicked on the embedded link, and executed the attached file are at risk.


The OSI has identified a malicious campaign distributing malware through phishing techniques, masquerading as Endesa. The fraudulent email falsely claims that the recipient can now pay their attached bill, presented as a compressed .zip file. However, this file is, in reality, an executable .msi carrying malicious code.


If you have received the email but haven’t clicked on the link, mark it as spam or unwanted mail. Furthermore, it’s advisable to remove it from your inbox as well.

If you have downloaded the file but haven’t executed it, navigate to your download folder and delete it. Additionally, clear it from the recycle bin.

If you have executed the file, your device may be infected. Follow these guidelines:

  1. Disconnect your device from the home network to prevent malware spread.
  2. Employ an antivirus tool to perform a thorough malware scan. However, if the infection persists, consider formatting or resetting your device, keeping in mind that this action erases stored information. Furthermore, regular backups are highly recommended.
  3. Collect evidence, such as screenshots, and, if necessary, preserve the received email to file a complaint with the police. Online witnesses and certified proof can strengthen your case.

Learn to prevent such attacks and similar situations by following the guidelines and recommendations of OSI.

ASSSA - health insurance in Spain


The malware distribution campaign involves sending fraudulent phishing emails, impersonating Endesa, to prompt users into executing the Grandoreiro malicious code on their devices.

The email urges users to download their overdue monthly bill, exploiting social engineering techniques for added credibility. The specific period referenced is between November 30 and December 31, 2023.

Cybercriminals aim to trick recipients into downloading the alleged compressed invoice. Upon extraction, the file contains an .msi program embedded with the Grandoreiro malware. However, executing this file infects the victim’s device.

Below is an example of a received email, with the subject line: ‘Área cliente – Ya puede descargar su factura Nº. [invoice number].’

Malware Endesa

Clicking the link redirects users to a webpage where the compressed file is downloaded. This file, typically stored in the user’s default download folder, harbours the Grandoreiro Trojan. If executed, the victim’s device becomes infected, potentially leading to the theft of personal information.

VirusTotal analysis confirms the presence of the Grandoreiro banking Trojan in the file, emphasising the severity of this cybersecurity threat.

Also read: Air Europa cyber attack

You may also like