A Brazilian threat actor is targeting Portuguese fiscal institutions with information-stealing malware as part of a very long-working marketing campaign that commenced in 2021.
“The attackers can steal credentials and exfiltrate users’ details and individual details, which can be leveraged for destructive pursuits over and above economic obtain,” SentinelOne scientists Aleksandar Milenkoski and Tom Hegel stated in a new report shared with The Hacker News.
The cybersecurity company, which started tracking “Operation Magalenha” previously this calendar year, mentioned the intrusions culminate in the deployment of two variants of a backdoor known as PeepingTitle so as to “optimize attack efficiency.”

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The inbound links to Brazil stem from the use of the Brazilian-Portuguese language in just the detected artifacts as effectively as supply code overlaps with another banking trojan recognized as Maxtrilha, which was to start with disclosed in September 2021.
PeepingTitle, like Maxtrilha, is created in the Delphi programming language and is outfitted to grant the attacker comprehensive regulate over the compromised hosts as well as capture screenshots and fall added payloads.
The attack chains commence with phishing email messages and rogue internet websites hosting bogus installers for preferred software package that are engineered to launch a Visible Fundamental Script liable for executing a malware loader. The loader subsequently downloads and executes the PeepingTitle backdoors.
PeepingTitle displays users’ web searching activity, and if a browser tab matching one of the goal economic establishments is opened, it exfiltrates monitor captures and levels additional malware executables from a remote server.
This is attained by evaluating the window title to a predefined set of strings related to qualified businesses, but not before transforming it into lowercase string san any whitespace characters.
Future WEBINARZero Rely on + Deception: Master How to Outsmart Attackers!
Find out how Deception can detect highly developed threats, halt lateral motion, and increase your Zero Have confidence in approach. Sign up for our insightful webinar!
Help save My Seat!
“With the to start with PeepingTitle variant capturing the complete display screen, and the second capturing just about every window a user interacts with, this malware duo offers the danger actor with a thorough perception into consumer activity,” the researchers stated.
An vital component of Magalenha is the change from DigitalOcean and Dropbox in 2022 to Timeweb Cloud, a Russian cloud service service provider that has a much more lenient method in direction of infrastructure abuse, for malware hosting and command-and-command.
“Procedure Magalenha signifies the persistent mother nature of the Brazilian menace actors,” the researchers stated. “These groups stand for an evolving danger to businesses and persons in their goal international locations and have demonstrated a consistent potential to update their malware arsenal and techniques, allowing them to stay powerful in their campaigns.”
“Their ability to orchestrate attacks in Portuguese- and Spanish-talking nations in Europe, Central, and Latin The us implies an comprehension of the community financial landscape and a willingness to make investments time and assets in establishing qualified strategies.”
Identified this post attention-grabbing? Stick to us on Twitter and LinkedIn to go through much more exclusive information we post.
Some areas of this post are sourced from:
thehackernews.com