Insights on Cyber Threats Targeting Users and Enterprises in Brazil

Google TAG and Mandiant synthesize Brazil’s cyber threat landscape as a mix of global espionage and domestic crime, with government-backed phishing and malware campaigns targeting Brazilian users and critical sectors. The report also highlights extortion and cloud-service abuse campaigns that compromise Brazilian entities, alongside shifts in attacker focus and the country’s unique digital ecosystem. #Astaroth #UNC4899

Key Points

  • Brazil faces a combined threat landscape of global cyber espionage groups (PRC, NK, Russia) and a domestic cybercriminal market shaping attacks against government, energy, finance, and other sectors.
  • PRC-linked groups have targeted Brazilian government organizations and energy sectors, using phishing and malware with exploits like CVE-2022-41352 in campaigns targeting state governments.
  • North Korean actors have focused on Brazil’s government, aerospace/defense, and cryptocurrency/fintech sectors, employing social-media outreach and trojanized apps to deliver malware such as URSA and AGAMEMNON.
  • Russian activity targeting Brazil has diminished since the start of the Ukraine war; APT28 accounted for the vast majority of Russian phishing activity in recent years, but its engagement has since declined.
  • Brazil’s cybercrime ecosystem is highly localized, with Portuguese-language communities that trade in access, RATs, credentials, and payment data, often using informal mentorship and social platforms to recruit.
  • Financially motivated campaigns include GoPix/Google Cloud abuse and PINEAPPLE’s use of cloud services (Cloud Run/Functions, GCE) to host credential-phishing pages and drop malware like Astaroth; mitigations against these campaigns have reduced their volume.

MITRE Techniques

  • [T1566.001] Phishing – Government-backed phishing activity targeting Brazil. “Since 2020, cyber espionage groups from more than a dozen countries have targeted users in Brazil; however, more than 85% of government-backed phishing activity is concentrated among groups from the PRC, North Korea, and Russia.”
  • [T1566.003] Phishing via social media – North Korean PUKCHONG targeted cryptocurrency professionals via social media outreach with benign PDFs before delivering malicious payloads. “PUKCHONG reached out to targets via social media and sent a benign PDF containing a job description for an alleged job opportunity at a well known cryptocurrency firm.”
  • [T1059.005] Command and Scripting Interpreter – HTA and VBScript used to distribute URSA, with the HTA dropping a VBS payload. “HTA files drop a VBS file that connects to a C2 and downloads a second stage VBS file.”
  • [T1105] Ingress Tool Transfer – Downloading second-stage payloads from C2 after initial delivery. “drops a VBS file that connects to a C2 and downloads a second stage VBS file.”
  • [T1204.002] User Execution – Malicious LNK files dropped in PINEAPPLE campaigns. “Malicious LNK dropped in PINEAPPLE campaigns.”
  • [T1566.001] Phishing – Spearphishing with encrypted ZIP attachments (PRC campaigns) to exploit targets. “phishing emails contained links to an encrypted ZIP archive … to exploit CVE-2022-41352.”

Indicators of Compromise

  • [File Name] – Question Sheet.pdf – e9841e5c218611add64c07b6d6e8b2f2a899ee32da2bb0326238b332f34bd045 (one of three files associated with PINEAPPLE campaigns, together with the two LNK files below)
  • [File Name] – 0tiukr.verdelimp.com518.429006.45528.lnk – 38fad88f0fefb385fdfba2e0be28a1fe6302387bc4a0a9f8b010cca09836361d
  • [File Name] – NFe92759625212697.115112.62531.lnk – 57a0a64ff7d5ca462fe18857f552ab186d118a80ecad741be62ee16e500ac424
  • [Domain] verdelimp.com — domain associated with PINEAPPLE’s social engineering campaigns
  • [Domain] cloudfunctions.net — used in PINEAPPLE campaigns to host landing pages
  • [Domain] run.app — used in PINEAPPLE campaigns as part of Cloud Run infrastructure
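A defender-side way to use these indicators, as an added example that is not from the report or from Google's tooling: it scans constructed proxy, EDR and DNS lines for the listed hashes and domains, treats the actor domain and the file hashes as strong signals, and treats the shared Google Cloud domains (cloudfunctions.net, run.app) as context only, since they also serve legitimate workloads. The sample log lines, the hostnames in them, and the rule that raises a shared-cloud host serving an .lnk to medium are assumptions.

```python
import re

# SHA-256 -> file name, copied from the report's IoC list.
FILE_HASHES = {
    "e9841e5c218611add64c07b6d6e8b2f2a899ee32da2bb0326238b332f34bd045": "Question Sheet.pdf",
    "38fad88f0fefb385fdfba2e0be28a1fe6302387bc4a0a9f8b010cca09836361d": "0tiukr.verdelimp.com518.429006.45528.lnk",
    "57a0a64ff7d5ca462fe18857f552ab186d118a80ecad741be62ee16e500ac424": "NFe92759625212697.115112.62531.lnk",
}
ACTOR_DOMAINS = {"verdelimp.com"}                 # actor-controlled: strong signal on its own
SHARED_CLOUD = {"cloudfunctions.net", "run.app"}  # legitimate Google services abused for hosting: weak signal alone
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
RANK = {"high": 3, "medium": 2, "low": 1}

def domain_matches(host, suffixes):
    """True when host equals or is a subdomain of any suffix (case-insensitive, trailing dot ignored)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify(line):
    """Return (severity, reasons) for one log line; severity is None when nothing matched."""
    reasons = []
    for h in HASH_RE.findall(line):
        if h.lower() in FILE_HASHES:
            reasons.append(("high", "sha256 match: " + FILE_HASHES[h.lower()]))
    for d in DOMAIN_RE.findall(line):
        if domain_matches(d, ACTOR_DOMAINS):
            reasons.append(("high", "actor domain: " + d))
        elif domain_matches(d, SHARED_CLOUD):
            # Assumption: a shared cloud host serving an .lnk (the PINEAPPLE pattern) deserves a closer look.
            sev = "medium" if ".lnk" in line.lower() else "low"
            reasons.append((sev, "shared cloud host (context only): " + d))
    if not reasons:
        return None, []
    return max((s for s, _ in reasons), key=RANK.get), [r for _, r in reasons]

def scan(lines):
    """Return [(line, severity, reasons)] for every line that matched at least one indicator."""
    return [(line, sev, reasons) for line in lines for sev, reasons in [classify(line)] if sev]

# Constructed sample events (not from the report): proxy, EDR and DNS records.
SAMPLE_LOGS = [
    "2024-05-01T12:00:01Z proxy GET https://invoice-x7k2-uc.a.run.app/NFe92759625212697.115112.62531.lnk 200",
    "2024-05-01T12:00:05Z edr file_create path=C:\\Users\\u\\Downloads\\Question Sheet.pdf "
    "sha256=e9841e5c218611add64c07b6d6e8b2f2a899ee32da2bb0326238b332f34bd045",
    "2024-05-01T12:00:09Z proxy GET https://us-central1-myapp.cloudfunctions.net/api/health 200",
    "2024-05-01T12:00:12Z dns query=www.verdelimp.com type=A",
    "2024-05-01T12:00:15Z proxy GET https://example.org/ 200",
]
```

Running `scan(SAMPLE_LOGS)` flags four of the five lines; the plain Cloud Functions health check is only ever "low", which is the point of keeping the shared domains out of the high tier.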

Read more: https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil/