North Korean Hackers Target Brazilian Fintech with Sophisticated Phishing Tactics

Since 2020, threat actors linked to North Korea have accounted for one-third of all phishing activity targeting Brazil, as the country’s growing influence has attracted the attention of cyber espionage groups.

“North Korean government-backed actors have targeted the Brazilian government and Brazil’s aerospace, technology, and financial services sectors,” according to a joint report by Google’s Mandiant and Threat Analysis Group (TAG) published this week.

Consistent with their interests in other regions, these attackers have particularly focused on cryptocurrency and financial technology firms: at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.

Prominent among these groups is a threat actor tracked as UNC4899 (also known as Jade Sleet, PUKCHONG, and TraderTraitor), which has targeted cryptocurrency professionals with a trojanized Python app. Their attack strategy involves contacting potential targets via social media and sending a benign PDF document containing a job description for an alleged job opportunity at a well-known cryptocurrency firm. If the target expresses interest, the attacker follows up with a second harmless PDF document containing a skills questionnaire and instructions to download a project from GitHub.

“The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to connect to an attacker-controlled domain to retrieve a second-stage payload if specific conditions were met,” said researchers from Mandiant and TAG.

UNC4899 has previously employed this approach, notably in the 2023 JumpCloud hack. In July 2023, GitHub warned of a social engineering attack aimed at tricking employees in blockchain, cryptocurrency, online gambling, and cybersecurity companies into executing code hosted in a GitHub repository using bogus npm packages.

Job-themed social engineering campaigns are a recurring tactic among North Korean hacking groups. Google also identified a campaign by a group it tracks as PAEKTUSAN, which delivered a C++ downloader malware called AGAMEMNON via Microsoft Word attachments embedded in phishing emails.

“In one instance, PAEKTUSAN impersonated an HR director at a Brazilian aerospace firm and sent phishing emails to employees at another Brazilian aerospace firm,” the researchers noted, highlighting campaigns consistent with long-running activity tracked as Operation Dream Job. In another campaign, PAEKTUSAN posed as a recruiter at a major U.S. aerospace company, reaching out to professionals in Brazil and other regions about prospective job opportunities.

Google also blocked attempts by another North Korean group, PRONTO, to target diplomats with denuclearization- and news-related email decoys, aiming to trick them into visiting credential-harvesting pages or providing their login information to view a supposed PDF document.

Recently, Microsoft uncovered a new North Korean threat actor, codenamed Moonstone Sleet, targeting individuals and organizations in the software, information technology, education, and defense sectors with ransomware and espionage attacks.

Moonstone Sleet’s tactics include distributing malware through counterfeit npm packages, similar to UNC4899. However, the packages associated with the two clusters show distinct code styles and structures. “Jade Sleet’s packages, discovered in summer 2023, were designed to work in pairs, published by separate npm user accounts to distribute their malicious functionality,” explained Checkmarx researchers Tzachi Zornstein and Yehuda Gelb. “In contrast, the packages published in late 2023 and early 2024 adopted a more streamlined single-package approach, executing its payload immediately upon installation. In the second quarter of 2024, the packages increased in complexity, with added obfuscation and targeting of Linux systems.”

Despite these differences, both tactics exploit the trust users place in open-source repositories, broadening the reach of the threat actors and increasing the chances of their malicious packages being installed by unsuspecting developers.

The disclosure is significant as it marks an expansion of Moonstone Sleet’s malware distribution mechanism, which previously relied on spreading bogus npm packages through LinkedIn and freelancer websites. Additionally, a new social engineering campaign by the North Korea-linked Kimsuky group was discovered, where they impersonated Reuters to target North Korean human rights activists with information-stealing malware disguised as an interview request, according to Genians.