Keypoints
- Operation Magalenha is a protracted campaign attributed to a Brazilian threat group targeting users of Portuguese financial and government services.
- Initial delivery relies on obfuscated VBScript, likely distributed via EDP- and AT-themed phishing emails that open TinyURL links to legitimate login pages as a decoy.
- The VBScript downloads an archive to %PUBLIC%, extracts a loader, and executes it after a delay; the loader then retrieves and runs two Delphi backdoor variants collectively called PeepingTitle.
- PeepingTitle implements persistence via the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key and includes Brazilian-Portuguese string artifacts.
- The two PeepingTitle variants monitor window titles and top-level windows, capture screenshots, terminate processes, and can stage or download additional malware (PEs and DLLs executed via rundll32).
- Exfiltration and C2 communications are encrypted; one C2 channel registers host metadata and window titles, a separate C2 receives screenshots.
- Infrastructure evolved from DigitalOcean Spaces and Dropbox to Timeweb Cloud S3 and dedicated IPs (e.g., 193.218.204[.]207) to reduce disruption from stricter anti-abuse IaaS providers.
MITRE Techniques
- [T1566] Phishing – Delivery via targeted emails themed around Energias de Portugal and the Portuguese Tax Authority to lure users into executing malicious scripts (‘delivering the scripts through EDP- and AT-themed phishing emails’).
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Attack chain begins with execution of obfuscated VBScript that downloads and runs a loader (‘execution of a malicious VB script… download and execute a malware loader’).
- [T1027] Obfuscated Files or Information – VBScript evades detection by embedding malicious code among large quantities of pasted code comments (‘VB scripts are obfuscated such that the malicious code is scattered among large quantities of code comments’).
- [T1105] Ingress Tool Transfer – The malware loader retrieves and executes two PeepingTitle backdoor variants from attacker-controlled hosting (‘The malware loader subsequently downloads and executes the PeepingTitle backdoors.’).
- [T1547.001] Registry Run Keys/Startup Folder – PeepingTitle establishes persistence by modifying the Run registry key (‘establishing persistence by editing the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key’).
- [T1113] Screen Capture – Backdoors capture screenshots of the entire screen and of individual top-level windows to harvest credentials and PII (‘PeepingTitle can take screenshots of the entire screen.’ / ‘takes a screenshot of this window whenever the user changes it’).
- [T1218.011] Signed Binary Proxy Execution: rundll32 – Supports executing staged DLLs and PE images using rundll32 for payload execution (‘supports the execution of Windows PE images and DLL files using the rundll32 Windows utility’).
- [T1102] Web Service – Abuse of public cloud storage and web services (DigitalOcean Spaces, Dropbox, Timeweb Cloud S3) for malware hosting and download locations (‘abusing DigitalOcean Spaces… Timeweb Cloud S3 object storage… Dropbox’).
- [T1041] Exfiltration Over Command and Control – Encrypted exfiltration of host metadata, window titles, and screenshots to C2 servers (‘connects to a C2 server, and exfiltrates data in an encrypted form’).
Indicators of Compromise
- [Shortened URLs] phishing redirects used as decoys – https://tinyurl.com/edpmobilecliente, https://tinyurl.com/miareapersonal
- [SHA1 Hashes] samples and script hashes – dff84020be1f4691bed628d300df8a8b12a4de7e, 001334b045e0d1e28c260380f24c1fa072cb12eb, and 100+ additional SHA1 hashes listed in the report
- [IP Addresses / C2] attacker-controlled servers and open directories – 193.218.204[.]207 (Timeweb-associated C2 with open directories), 128.199.228[.]142 (historical hosting)
- [Cloud object URLs] malware hosting locations – http://s3.timeweb.com/41907bc4-clarentis/Steam.cpp, https://audaction.fra1.digitaloceanspaces.com/pass/alma32.cdr (DigitalOcean buckets), and many more hosted object URLs
The technical infection chain begins with themed phishing that delivers an obfuscated VBScript; executing the script opens decoy TinyURL links to legitimate EDP/AT login pages while downloading an archive into %PUBLIC%, extracting a malware loader, deleting the archive, and executing the loader after a short delay. The loader retrieves two Delphi backdoor binaries (PeepingTitle variants) from attacker-hosted locations and launches them to establish a foothold.
On execution, PeepingTitle performs environment checks (e.g., probing for wine_get_version), establishes persistence by writing to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and contains Brazilian-Portuguese string artifacts. One variant inspects window titles at intervals (transforming titles to lowercase/trimmed strings) and registers the host by exfiltrating timestamp, machine name, and captured window titles to a C2; the other variant registers host metadata (including volume serial numbers) and captures top-level window screenshots whenever the active window changes. Both variants can take full-screen screenshots, terminate processes, reconfigure runtime parameters (monitoring interval, screenshot scale), and stage or download additional malware for execution.
Execution of staged payloads supports Windows PE and DLL formats executed via rundll32, enabling flexible follow-on actions including overlays to defeat MFA and further data exfiltration. Infrastructure for hosting and C2 evolved from abused DigitalOcean Spaces and Dropbox links to Timeweb Cloud S3 buckets and dedicated IPs (e.g., 193.218.204[.]207) to reduce disruption; the campaign uses numerous hosted object URLs and many SHA1-identified samples and scripts for distribution and C2.
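The chain above (script host dropping an archive into %PUBLIC%, loader launched from %PUBLIC%, Run-key persistence, rundll32 loading a staged DLL) maps onto a handful of host-telemetry rules. The following is an added detection example, not code from the report: field names assume Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) and the sample records are constructed.

```python
"""Detection rules for the Operation Magalenha chain above. Added example, not
from the report; assumes Sysmon-style EventID 1/11/13 (process/file/registry)."""
import re

PUBLIC_DIR = r"c:\users\public"            # default expansion of %PUBLIC%
ARCHIVE_EXT = (".zip", ".rar", ".7z")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Hive prefix varies by log source (HKCU vs HKU\<SID>), so match the key tail.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)

def _f(event, key):
    return str(event.get(key, "")).lower()   # lower-cased field, "" when absent

def match_rules(event):
    """Return the names of every rule this single event satisfies."""
    hits, eid = [], event.get("EventID")
    image, parent = _f(event, "Image"), _f(event, "ParentImage")
    target, cmd = _f(event, "TargetFilename"), _f(event, "CommandLine")
    # Stage 1: a script host writes an archive into %PUBLIC%.
    if eid == 11 and image.endswith(SCRIPT_HOSTS) \
            and target.startswith(PUBLIC_DIR) and target.endswith(ARCHIVE_EXT):
        hits.append("vbscript_archive_drop_in_public")
    # Stage 2: the script host launches the extracted loader from %PUBLIC%.
    if eid == 1 and parent.endswith(SCRIPT_HOSTS) and image.startswith(PUBLIC_DIR):
        hits.append("loader_spawned_from_public")
    # Stage 3: PeepingTitle persistence via the per-user Run key.
    if eid == 13 and RUN_KEY_RE.search(_f(event, "TargetObject")) \
            and PUBLIC_DIR in _f(event, "Details"):
        hits.append("run_key_points_to_public")
    # Stage 4: a staged DLL under %PUBLIC% executed through rundll32.
    if eid == 1 and image.endswith("rundll32.exe") and PUBLIC_DIR in cmd:
        hits.append("rundll32_dll_from_public")
    return hits

def scan(events):
    """Map RecordId -> matched rule names for every event that fires a rule."""
    return {e["RecordId"]: h for e in events if (h := match_rules(e))}

# Constructed sample telemetry modelled on the chain (not captured data).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\Public\update.zip"},
    {"RecordId": 2, "EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\Public\loader.exe"},
    {"RecordId": 3, "EventID": 13, "Details": r"C:\Users\Public\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\mod.dll,Start"},
]
```

Each rule fires on its own, so correlating two or more hits on one host within a short window gives a higher-confidence signal than any single stage, which is how this rule set is meant to be consumed.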