A Brazilian hacking crew has recently targeted more than 30 Portuguese financial institutions in an ongoing campaign called Operation Magalenha, according to a report by SentinelLabs.
The operation initially relied on cloud service providers like DigitalOcean and Dropbox but later shifted to the Russia-based web hosting provider TimeWeb due to tightened rules by the previous providers. The attacks primarily occurred last month, although the campaign started earlier this year.
The Brazilian cybercriminal underground has a long history, with sophisticated hacking groups from Brazil collaborating with malware developers abroad, particularly in Eastern Europe and Russia.
Brazil has remained a hub for financially focused malware, including the infamous “Tetrade” banking trojans identified by Kaspersky researchers in 2020. Operation Magalenha exemplifies the persistent nature of Brazilian threat actors and their ability to continually update their malware arsenal and tactics.
This campaign is part of a broader trend of financially motivated hacking efforts that emerged in 2021. Operation Magalenha employs a pair of backdoors known as “PeepingTitle,” which grant the attackers control over compromised machines.
With these backdoors, the attackers can monitor window interaction, capture unauthorized screenshots, terminate processes, and deploy additional malware, including data exfiltration tools.
The ability of these hackers to orchestrate targeted attacks in Portuguese- and Spanish-speaking countries across Europe, Central America, and Latin America highlights their understanding of the local financial landscape and their commitment to developing sophisticated campaigns.