Operation Magalenha Attacks Give a Window Into Brazil's Cybercrime Ecosystem

Published: 23/11/2024   Category: security




A campaign against customers of Portuguese banks uses a capable financial malware strain dubbed PeepingTitle, written in the Delphi programming language.



Earlier this year, threat actors carried out a campaign to steal the personal and financial information of customers of Portuguese banks, including private and government institutions. Researchers from SentinelLabs branded it Operation Magalenha, in a report published the morning of May 25. Magalenha is notable both for its payload, PeepingTitle — a multifunctional backdoor written in the Delphi programming language — and for its scattershot approach to cyber espionage.
The researchers assessed with high confidence that Magalenha's perpetrators were Brazilian, as evidenced by their use of Brazilian-style Portuguese in their code, as well as PeepingTitle's overlaps with the Brazilian Maxtrilha malware family.
Altogether, the campaign provides a window into the ecosystem of cybercrime in Brazil today.
"That region is generally underreported or missed throughout the security industry," says Tom Hegel, senior threat researcher at SentinelOne, "but there's a lot going on. It's a very messy ecosystem of threat actors."
Operation Magalenha was indiscriminate in its first phase, utilizing phishing emails, malicious websites with fake app installers, and related forms of social engineering in order to lure in targets. Infection then began when targets unwittingly executed a malicious Visual Basic script.
The script did triple duty. On one hand, it opened login pages for Energias de Portugal and the Portuguese Tax and Customs Authority, with the purpose of drawing attention away from its second function: dropping a malware loader. If a victim actually entered their Energias or Customs credentials — in the latter's case, often government-issued credentials — the program harvested them for future use.
Next, the malware loader would download PeepingTitle, an info-stealing backdoor written in Delphi. Delphi is a general-purpose programming language that one rarely hears much about in cyber circles up north.
"It's funny you mention that," Hegel says, when the topic comes up. "When we first started looking into this campaign, knowing it was linked to Brazil, we were immediately like: It's probably Delphi." There isn't any identifiable technical reason for Delphi's relatively localized popularity, Hegel thinks. "A lot of it's just because of the way that education is done there, because everyone out in that region tends to know it."
The Delphi-driven PeepingTitle works by tracking the websites a victim has visited. If someone visited a domain belonging to a Portuguese financial institution, the malware awakens: connecting to a C2 server, taking screenshots, exfiltrating data, and potentially staging further malware.
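The first stage described above has a recognizable shape in endpoint process-creation telemetry: a single Windows script-host process that, within a short window, spawns both a browser (the decoy login page) and a previously unseen executable (the loader). The Python below is an added example written for this page, not code from SentinelLabs or from the article; the event records are constructed Sysmon-style samples, and the script-host and browser names, the file paths, the URLs and the time window are assumptions chosen for illustration.

```python
from datetime import datetime
from pathlib import PureWindowsPath

# Process names treated as Windows script hosts and as browsers (assumed lists).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW_SECONDS = 120  # assumption: decoy page and drop happen close together

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    # Suspicious chain: script host opens a decoy login page, then runs a dropped binary.
    {"ts": "2024-05-25T09:00:01", "pid": 4100, "ppid": 3000,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\alice\Downloads\fatura.vbs"},
    {"ts": "2024-05-25T09:00:02", "pid": 4120, "ppid": 4100,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe https://portal.example/login"},
    {"ts": "2024-05-25T09:00:05", "pid": 4130, "ppid": 4100,
     "image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "cmd": "svc_update.exe"},
    # Benign: a logon script that only launches the intranet page.
    {"ts": "2024-05-25T09:10:00", "pid": 5200, "ppid": 3000,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe \\fileserver\netlogon\intranet.vbs"},
    {"ts": "2024-05-25T09:10:01", "pid": 5210, "ppid": 5200,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe https://intranet.example/"},
    # Benign: browser started from the desktop shell.
    {"ts": "2024-05-25T09:20:00", "pid": 6000, "ppid": 3000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe"},
]


def _name(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def _within(child: dict, parent: dict, seconds: int) -> bool:
    """True if the child was created at or after the parent and within the window."""
    delta = datetime.fromisoformat(child["ts"]) - datetime.fromisoformat(parent["ts"])
    return 0 <= delta.total_seconds() <= seconds


def find_decoy_then_drop(events: list, window_seconds: int = WINDOW_SECONDS) -> list:
    """Return one finding per script-host process that, inside the window, spawned
    both a browser (the decoy page) and a non-browser executable (candidate loader).
    A script host that only opens a browser, or only runs a tool, is not flagged."""
    findings = []
    for parent in events:
        if _name(parent["image"]) not in SCRIPT_HOSTS:
            continue
        children = [c for c in events
                    if c["ppid"] == parent["pid"] and _within(c, parent, window_seconds)]
        browsers = [c for c in children if _name(c["image"]) in BROWSERS]
        others = [c for c in children if _name(c["image"]) not in BROWSERS]
        if browsers and others:
            findings.append({
                "script_pid": parent["pid"],
                "script_cmd": parent["cmd"],
                "decoy_urls": [c["cmd"] for c in browsers],
                "dropped": [c["image"] for c in others],
            })
    return findings


if __name__ == "__main__":
    for f in find_decoy_then_drop(SAMPLE_EVENTS):
        print(f"script host pid {f['script_pid']} ({f['script_cmd']}) opened "
              f"{f['decoy_urls']} and also ran {f['dropped']}")
```

The requirement that both child types appear under the same parent is what keeps the benign logon script out of the results; on real telemetry the same join would run over ParentProcessId in Sysmon Event ID 1 records, and the window and name lists would be tuned to the environment. Pairing this with file-creation events for the dropped image (a binary written to a user-writable path moments before it executes) gives a second, independent signal for the same chain.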
In general, Hegel says, "it's on par with what you expect of a normal financial malware. It purely focuses on being able to get this data outbound and limit detection as much as possible."
That said, Magalenha targeted both personal and financial data from individuals and institutions alike in the government and private sectors. "So there's more than just your regular financial theft — there are clues to ulterior objectives that they may be pursuing, like initial access brokering," Hegel adds.
Also notable about PeepingTitle is that it comes in two variants. But the variants have hardly any meaningful difference between them, besides the fact that one captured a victim's browser window, while the other captured the entire screen. Hegel thinks it may indicate that the attackers evolved to add second capabilities later on, "or it's just purely experimentation."
"I think this points to the fact that it's not extremely well planned out," he adds.
Besides the alike variants, he points to other evidence of the hackers' lack of discipline, like their experimentation with different infrastructure — swapping American provider DigitalOcean for a more lax Russian service, TimeWeb, for instance — and the relatively unfocused nature of their information stealing.
"If this was somebody more capable," Hegel concludes, "they might go through the process of thinking about what they want to connect to and steal, and do it in a single package rather than multiple packages, which increases the potential of getting caught. Instead, there's just a lot of experimenting, a lot of playing, and not a lot of deep, strategic planning."
