
Grandoreiro Trojan Distributed via Contabo-Hosted Servers in Phishing Campaigns

· Published 08/04/2025 10:32 · Modified 08/04/2025 11:55


Essential information

Tags
2025-04-08 contabo grandoreiro mediafire
Related entities
9 techniques (mitre), 1 malware, 4 others

Description

Cybercriminals are reviving the Grandoreiro banking trojan, targeting users in Latin America and Europe through large-scale phishing campaigns. The malware is distributed via emails impersonating tax agencies that lead victims to download malicious payloads from Contabo-hosted servers and MediaFire. The attack chain involves obfuscated VBS scripts and a Delphi-based EXE that steals credentials and connects to a C2 server. The campaign employs dynamic URLs, social engineering, and various obfuscation techniques to evade detection. Users in Mexico, Argentina, and Spain are the primary targets; the malware also searches for Bitcoin wallet directories and collects system information. Frequent changes to subdomains under contaboserver[.]net are used to avoid detection.
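Because the operators rotate subdomains under contaboserver[.]net, a detection keyed on exact host names goes stale quickly; matching on the parent domain at a label boundary catches every rotation without also matching look-alike names. The following is an added example (not code from the report or its source) that applies that check to a few constructed DNS log lines in a hypothetical "timestamp client query" layout; the host names in the sample are invented for the example, and only the parent domain comes from the report.

```python
"""Flag DNS log lines whose query is any subdomain of a watched parent domain.

Added illustrative code, not part of the original report. The log format and
the sample host names below are constructed for the example; the watched
parent domain is the one named in the report.
"""
import re
from typing import Iterable, List, Tuple

# Parent domains from the report, kept in the defanged form the report uses.
WATCHED_DEFANGED = ["contaboserver[.]net"]


def refang(domain: str) -> str:
    """Turn 'example[.]com' style defanging back into a comparable host name.

    Also lower-cases and strips a trailing dot so 'HOST.EXAMPLE.COM.' and
    'host.example.com' compare equal.
    """
    d = domain.strip().lower()
    d = d.replace("[.]", ".").replace("(.)", ".")
    return d.rstrip(".")


def is_subdomain_of(host: str, parent: str) -> bool:
    """True when host equals parent or is a proper subdomain of it.

    A bare suffix test would also match 'notcontaboserver.net', so the
    comparison requires a '.' label boundary before the parent domain.
    """
    h, p = refang(host), refang(parent)
    return h == p or h.endswith("." + p)


# Constructed sample lines (hypothetical "ts client query" layout).
SAMPLE_DNS_LOG = """\
1712570001 10.0.0.15 vmi1234567.contaboserver.net
1712570002 10.0.0.15 www.microsoft.com
1712570003 10.0.0.22 VMI7654321.CONTABOSERVER.NET.
1712570004 10.0.0.22 download1234.mediafire.com
1712570005 10.0.0.30 notcontaboserver.net
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<query>\S+)$")


def find_hits(lines: Iterable[str],
              watched: List[str] = WATCHED_DEFANGED) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, normalised query) for every watched-domain hit."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash the sweep
        query = m["query"]
        for parent in watched:
            if is_subdomain_of(query, parent):
                hits.append((m["ts"], m["client"], refang(query)))
                break
    return hits


if __name__ == "__main__":
    for ts, client, host in find_hits(SAMPLE_DNS_LOG.splitlines()):
        print(f"{ts} {client} -> {host}")
```

Two rotated subdomains are flagged (one of them in upper case with a trailing dot), while the look-alike `notcontaboserver.net` and the MediaFire download host are not. A hit is a triage lead rather than a verdict: the parent domain is a hosting provider's generic name space, so the flagged host should be checked against the campaign's other indicators before being blocked.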

External references