Brazilian hackers target Portuguese financial institutions

The sophisticated hacking effort is the latest in a long line of financially motivated malware campaigns emanating from Brazil.
(Photo by CARL DE SOUZA/AFP via Getty Images)

A Brazilian hacking crew targeted users of more than 30 Portuguese financial institutions earlier this year in a campaign that provides the latest example of potent, financially motivated hackers in Brazil hitting targets outside the country’s borders, according to a report released Thursday by SentinelLabs.

The ongoing campaign — dubbed Operation Magalenha — initially relied on cloud service providers like DigitalOcean and Dropbox, but as these firms have tightened rules on how their services are used, the operation has pivoted to the Russia-based web hosting provider TimeWeb, researchers Aleksandar Milenkoski and Tom Hegel said in a report released Thursday. The operation began at the start of this year, but the bulk of the attacks took place last month.

The Brazilian malware ecosystem has a rich history, first catching the attention of the information security industry nearly a decade ago as increasingly sophisticated hacking groups based in Brazil carried out operations together with malware developers based abroad, including in Eastern Europe and Russia. Brazil continues to be the epicenter of potent financially-focused malware, such as a grouping of four banking trojans dubbed the “Tetrade” by Kaspersky researchers in 2020.

Operation Magalenha illustrates the persistent nature of the Brazilian cybercriminal underground and the evolving threat posed by its threat actors. These groups demonstrate “a consistent capacity to update their malware arsenal and tactics, allowing them to remain effective in their campaigns,” Milenkoski and Hegel write in their report.


Operation Magalenha represents the latest iteration of a broader group of financially motivated hacking efforts that began in 2021, the researchers said.

Its latest iteration relies on a pair of backdoors deployed simultaneously to give the attacker control over infected machines. Dubbed “PeepingTitle,” the backdoors allow the attacker to monitor window interaction, take unauthorized screenshots, terminate processes and deploy additional malware, such as data exfiltration tools.

“Their capacity to orchestrate attacks in Portuguese and Spanish-speaking countries in Europe, Central, and Latin America suggests an understanding of the local financial landscape and a willingness to invest time and resources in developing targeted campaigns,” the researchers conclude.

Latest Podcasts