North Korean Hackers Target Brazilian Fintech with Sophisticated Phishing Tactics

North Korean Hackers Target Brazilian Fintech with Sophisticated Phishing Tactics



Threat actors linked to North Korea have accounted for one-third of all the phishing activity targeting Brazil since 2020, as the country's emergence as an influential power has drawn the attention of cyber espionage groups.

"North Korean government-backed actors have targeted the Brazilian government and Brazil's aerospace, technology, and financial services sectors," Google's Mandiant and Threat Analysis Group (TAG) divisions said in a joint report published this week.

"Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies."

Prominent among those groups is a threat actor tracked as UNC4899 (aka Jade Sleet, PUKCHONG, and TraderTraitor), that has targeted cryptocurrency professionals with a malware-laced trojanized Python app.

The attack chains involve reaching out to potential targets via social media and sending a benign PDF document containing a job description for an alleged job opportunity at a well-known cryptocurrency firm.

Should the target express interest in the job offer, the threat actor follows it up by sending a second harmless PDF document with a skills questionnaire and instructions to complete a coding assignment by downloading a project from GitHub.

Threat actors linked to North Korea have accounted for one-third of all the phishing activity targeting Brazil since 2020, as the country's emergence as an influential power has drawn the attention of cyber espionage groups.

"North Korean government-backed actors have targeted the Brazilian government and Brazil's aerospace, technology, and financial services sectors," Google's Mandiant and Threat Analysis Group (TAG) divisions said in a joint report published this week.

"Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies."

Prominent among those groups is a threat actor tracked as UNC4899 (aka Jade Sleet, PUKCHONG, and TraderTraitor), which has targeted cryptocurrency professionals with a malware-laced trojanized Python app.

The attack chains involve reaching out to potential targets via social media and sending a benign PDF document containing a job description for an alleged job opportunity at a well-known cryptocurrency firm.

Should the target express interest in the job offer, the threat actor follows it up by sending a second harmless PDF document with a skills questionnaire and instructions to complete a coding assignment by downloading a project from GitHub.