DISCARDED: Tales From the Threat Research Trenches

Regional Threats, Global Impact: A TA2725 Case Study

Proofpoint Season 1 Episode 98


Hello to all our Cyber Pals! Guest host Sarah Sabotka sits down with Senior Threat Researcher Jared Peck to unpack one of the most dynamic and persistent cybercrime groups operating today: TA2725, also known as “Grana.”

From its roots in Latin America to its global reach, TA2725 stands out for its adaptability—and its relentless pursuit of financial gain. Jared shares how the group evolved from a high-volume malware operator into a multifaceted threat actor running phishing, fraud, and malware campaigns simultaneously. The conversation dives into how Grana targets regions like Brazil and Mexico, why their tactics shift across geographies, and what makes their operations uniquely complex.

You’ll also hear:

  • How threat actors “graduate” to official TA designations (and why it’s a big win for researchers)
  • The impact of law enforcement disruptions on major malware operations like Grandoreiro
  • Why Latin America’s banking infrastructure shapes cybercrime tactics differently
  • The rise (and fall) of RMM tools in TA2725’s playbook
  • What clues reveal whether activity comes from one group—or an entire cybercrime “service” ecosystem

Whether you’re in cybersecurity or just curious about how modern cybercrime operates, this episode offers a fascinating look at a threat actor that refuses to stay in one lane—and what that means for organizations worldwide.


For more information about Proofpoint, check out our website.


Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!



SPEAKER_00

You're listening to Discarded: Tales from the Threat Research Trenches, a podcast by Proofpoint for security practitioners. Each episode you'll hear from security researchers, malware analysts, threat hunters, and more as we dive into what's going on in the world of cyber attacks and how defenders safeguard us from threats. Let's get into the show.

SPEAKER_01

Hello to all our cyberbuds. Get it? Like flower buds? Because we're literally recording this on the Vernal Equinox. I am your host, Sarah Sabotka, staff threat researcher here at Proofpoint. You'll notice I'm flying solo today as host because our beloved Selena Larson is somewhere in the world ruining a cybercriminal's day, but I promise she'll be back on the next episode. Today I am joined by a very special guest and one of my besties, Jared Peck, who is a senior threat researcher here. Jared, you've been on the pod before, but it's been a minute. So let's give the audience a refresher on who you are, what your role is on the team, and a little hint as to what we're going to talk about today.

Meet TA2725 (“Grana”)

SPEAKER_02

Sure. My name is Jared Peck, been with Proofpoint for coming up on five years now on the threat research team. I have a background in threat intelligence in the private sector, especially in the financial sector. And I'm a big-time career changer. I spent 15 years as a paramedic before that. So definitely a change, but a lot of the same logical type of reasoning things definitely fit with IT and cybersecurity there. Yeah. And then, here at Proofpoint, I do focus on Latin American threats. So that's something that I talked about before, but like you said, we haven't done it in a while.

SPEAKER_01

Yep. And your actor, specifically TA2725, is very adaptable. They change a lot.

SPEAKER_02

Oh yeah, crazy. Definitely. And as time goes on, we keep finding more and more clusters of activity that don't have a name yet, but we're working towards it because they have their own distinct techniques and infrastructure and things like that.

SPEAKER_01

Yeah, it's exciting.

SPEAKER_02

Yeah, a wide range of things that they like to do for crime.

SPEAKER_01

Yes, and we'll definitely touch on those today. I think one audience note I want to make is, when threat researchers identify a cluster and graduate it to a TA name, it's kind of like the holy grail of threat research. It's like, yes, I got one. It's kind of like catching a Pokemon, I think. So, you know, you get creative with their names, you start to see that infrastructure consistency evolve, and it's just exciting. So I'm hoping to get my holy grail one of these days. I'm so close, so close.

Evasion & Geofencing

SPEAKER_02

Yeah, I kind of stumbled into it because it was something I found that was kind of an odd high volume, but it didn't fully, you know, it was a little confusing to figure out what it was, and that's mainly because of the geofencing and other protections they were doing. So in the last five years, I've learned a ton about filtering and geofencing and all those fun, fun topics to try to make it harder for us researchers.

SPEAKER_01

Yes, and a little bit of Portuguese too, along the way.

SPEAKER_02

Yeah, I knew Spanish before, quite a bit. I've learned a lot of Portuguese, and actually this fall I'm taking some Portuguese classes at the local college. So really diving headfirst into language.

SPEAKER_01

You could say it, living and breathing it for sure. Well, let's take a couple steps back. Who is TA2725? And in addition to that moniker, you also call them Grana. So kind of explain, you know, who they are, and what does Grana mean, and why did you choose that?

New LATAM Threat Activity

Expanding Beyond Brazil

SPEAKER_02

Yeah, so we typically give actors two names. There's the TA followed by the number sequence that kind of determines where they fit in the cybercrime or espionage type of landscape. And then we get to make up our own kind of internal personal name for them, and that personal name usually comes first. So Grana is the Spanish, Portuguese, Italian word, kind of slang for cash money. So it's really appropriate: 100% financially motivated, any way that they can make money, so it really fits. And then as time goes on and we can track them, we can explain what they do, how they do it, what their infrastructure looks like, and we have enough information that we can track them, even if that infrastructure or something big changes, then we can graduate them to an official TA. And I was one of the lucky ones that got to do that. Yes. So TA2725, just in the Proofpoint hierarchy, means either small crime or something that's a little out of the ordinary. And over time the small crime doesn't really fit, but it's definitely a niche, say, threat actor in most ways, in that it primarily focuses on Latin America, but they do target Spain and Portugal, and their malware can cover other countries as well.

SPEAKER_01

Yep. Interesting. Yeah, they're definitely not small crime, I would say. And that's the funny thing, you know, the threat actors, they kinda change, right? They evolve, they change, the TTPs change, the volumes change. So we might track these clusters as an unk name, like Grana was your unk name for a little while, and see that they are small crime. And then as time goes on, they're huge. But we stick with the names, right? So can you give us a little bit of, kind of catch us up on TA2725 and their campaigns? I know historically when we first started looking at them, they were really targeting Brazil, but they've kind of expanded, right? So what other countries and regions are they targeting and how are they doing that?

SPEAKER_02

It seems like the focus is on Brazil, which leads, you know, to the likely conclusion that they are based out of Brazil and native Portuguese speakers, but they target mainly Brazil, but Mexico is kind of their second largest target, which means that they have people that have multi-language support, which kind of makes sense in Brazil and South America, where in Brazil the primary language is Portuguese, so that's the outlier there, and why Portuguese. So TA2725 is kind of unique as well because they do both malware and phishing and they use several different malware strains. So a lot of our other threat actors that we track, kind of at least for a while, love a single type of malware and use it consistently. But with TA2725, they have changed over time, as you know, they used Grandoreiro in the past, but that had a law enforcement action in early 2024 that disrupted it. And so that's kind of a unique time there where they were experimenting with other malware. So Grandoreiro was really the number one malware for quite a while, until that law enforcement action. And then after that, Astaroth has been the number one malware. And both of those are considered banking trojans. They target multiple different banks based in both South America and Europe and North America as well, although that's less targeted. And then they have phishing campaigns as well that target both kind of corporate credentials as well as consumer type things like Netflix or Amazon logins and things like that that they can sell for money. And then we've seen a few fraud campaigns, which are definitely unique in that they are just using pure social engineering to try to get people to pay things like customs duties or postage due or things like that. And then they're leveraging legitimate payment platforms in South America and getting people to pay them on those legitimate payment platforms, which is pretty unique as well.

Cybercrime-as-a-Service?

SPEAKER_01

Yeah, I think TA2725 is one of the more striking actors, I think, in the cybercrime realm because of their multiple objectives, right? You touched on the malware, we have credential phishing, and last year, I think it was towards the end of the year, we started to see fraud. And those are kind of like the three distinct objectives that we tend to cluster or track threat actors doing. And we don't really see many threat actors crossing over from malware to credphish to fraud until actually kind of this year a little bit. There's more. I know we have another researcher on the team who's tracking a cluster that does malware and fraud or imposter. And you know, Selena's TA4903 has done credphish and BEC. So it's really interesting that, you know, TA2725 is such a unique case study because of the malware and credphish and fraud. So they really are super financially motivated and seemingly extremely opportunistic. And so I'm guessing they're really just trying to make some sort of financial gain, regardless of the objectives or regardless of how they get there.

SPEAKER_02

Yeah, and that really ties into, say, what we can figure out from the group itself, because it's pretty obvious it's not a single threat actor.

SPEAKER_01

I was gonna ask, yeah.

SPEAKER_02

Because of the different malware strains, some of those are considered malware as a service. Some of those are kind of unique to them. The lures and things like that, even on a single day for the same malware, can be quite different, and then different malware in the same day, which kind of leads to the thought that they may themselves be a service providing phishing and malware and fraud as a service type of operations to other, say, less skilled threat actors.

SPEAKER_01

Do you have any feeling about how big they could be? Like how many people make up TA2725? Or is this just kind of a wild imagination? Like, yeah, I mean, like a ransomware affiliate, you know, like we saw Conti. I mean, there are huge operations. So I wonder if you have any gut feeling as to whether TA2725 is kind of like that.

Experimenting with New Tactics

SPEAKER_02

My guess is probably 20 to 30, but it could obviously be more. And then if you count people that may, again, we're thinking that it's a service, so people that may have bought into the service, that even expands that further. But just given the rapid pace of development that they do, mainly with the droppers that they're using and the different techniques that they're using. So in one single week, they were using LNK files, VBS files. They wrote something in Rust as a dropper. They use Python and all kinds of other, say maybe lesser known types of programming languages, things like that. Primarily Delphi is the computer language of choice there. But it's just the rapid pace of development that they have leads me to believe that they have a whole team working on it. Otherwise, somebody is up 24/7, you know, weeks at a time, which is pretty unrealistic.

SPEAKER_01

Yeah, they really keep you on your toes. I mean, they are busy, busy. Is there any sign potentially that they could be using LLMs or some sort of Gen AI to scale and be a force multiplier, for bingo words?

SPEAKER_02

I haven't seen that yet, but they do play some follow the leader. In the past few months, we've had a few RMM campaigns with them. So that was kind of surprising to see. That's one of the few non-homegrown malware that they used, and they were pretty large campaigns, but just like a lot of other things, they can kind of come and go as they try different things out. And I haven't seen that for a bit, but they can always come back because they operate kind of on their own schedule. I was looking at their activity. And when Carnival was happening in Brazil, they had no activity whatsoever. So they were out partying. Times like spring break and summer vacation, they have some lulls of activity. So, you know, it just drives home the point that these are real people with real lives out there that we're trying to, you know, protect our customers against, and people that are not our customers, because we assist with international law enforcement, we provide indicators sometimes to others. So really we're out there to just protect as many people as we can.

SPEAKER_01

Save the internet, right? Before we go there, I really want to talk about the law enforcement disruption, especially because it affected Grandoreiro. And I want to touch on the RMMs, but before we go there, you mentioned that this group uses some proprietary malware and then some malware as a service. Can you kind of tease out a little bit what payloads they're using? And I know they use Astaroth specifically for Brazil, right? And then others for different regions. Can you kind of organize that a little bit for our listeners?

SPEAKER_02

Yeah. In the past, before the disruption, Grandoreiro was the primary malware that they used. And then when that law enforcement action went down, there was a huge spike in Metamorpho malware, which is another banking trojan. We do see that one occasionally, mainly targeting Spanish-speaking countries.

SPEAKER_01

So not Brazil specifically, but other, yeah, typically not Brazil. And then Grandoreiro was other countries or just Brazil?

SPEAKER_02

The focus from TA2725 was Brazil with it, but we know that that malware has triggers for banks globally. So, you know, in like 140 countries, it has the possibility to steal banking credentials. So it was a service as it was, so you could buy into it and target whoever you wanted, but it was definitely designed for broad use and not specifically just for Brazil.

SPEAKER_01

Any other payloads for different regions, different countries?

SPEAKER_02

The real distinction usually is between stuff that targets Brazil and stuff that targets other countries. So other countries get Metamorpho, Mispadu, and Grandoreiro is still out there, but not from TA2725. And then it's pretty much 100% Astaroth targeting Brazil with that. And that's just the banking malware of choice for that particular region.

SPEAKER_01

Interesting. They're like, we've hit Brazil enough this week. Let's switch and target another region with a new payload. Like, their frame of thought and their pathways to decision making is incredibly interesting to me. I just wish I could live in one of their brains for a week.

SPEAKER_02

It was really interesting with the law enforcement activity because suddenly there was nothing targeting Brazil.

SPEAKER_01

So they had a little bit of reprieve.

SPEAKER_02

Yes, and I think that's mainly because they knew law enforcement was looking for people within Brazil. So they were trying to kind of lay low, but they still have to make a living.

SPEAKER_01

Yeah.

Law Enforcement Disruption

SPEAKER_02

So they were targeting outside of Brazil for a time.

SPEAKER_01

Let's talk about the law enforcement. We love law enforcement disruptions here at Proofpoint. We were definitely partners with Operation Endgame, not to be confused with the Grandoreiro disruption, but huge, huge supporters of law enforcement action, especially with cybercriminal infrastructure, huge, big, big party over here when that happened, big celebration. So, Jared, talk a little bit about what happened with Grandoreiro and kind of like the timeline leading up to the disruption and what was observed after the disruption, and have we seen Grandoreiro since?

Why Threats Come Back

SPEAKER_02

Yeah, so Brazilian federal police worked with Interpol and Europol to disrupt it by making arrests. And that's kind of a big deal there, is when law enforcement action doesn't just seize infrastructure, which they did in that case as well, but can actually make arrests. So I believe they arrested like five people that they considered developers and operators of that malware as a service. But before that, I mean, these were huge volumes, like could be hundreds of thousands of emails a day, and you know, picking up for a long time. So every day, all day long, probably the highest volume of malware at that time that we had was Grandoreiro. And then the law enforcement action happened, and there was about a day where we didn't see it at all, and there was a big spike in other malware. But then it kind of started slowly coming back. So there was a panic moment, and then it came back at a much lower volume, and then it pretty much dropped to zero, at least with TA2725, but it never really went away. We still see it at a very low level, maybe you know, five to ten emails a day right now with it using a tax. I'm seeing it target different countries that aren't Brazil as well. So a much smaller operation, but it's still out there. So that, like a lot of others, I don't like to call them takedowns. I like to call them disruptions because a lot of times they do come back in one shape or another.

RMM Tools Trend

SPEAKER_01

Yeah, that's the unfortunate part of it. Threat actors, just because you take something away from them, they're not gonna stop, right? They're gonna look elsewhere or retry, right? It's like a child. The child's not gonna stop crying for the candy you took away. They just want it more. Find something else to get. Okay. And I know with TA2725, we also observed them, or you also observed them using remote monitoring and management software, which is something we have talked about so much on this podcast, reported a ton on the Proofpoint Threat Insight blog. Which RMM did they use? And was this something that they did kind of after the Grandoreiro disruption? What did that look like? What did the activity look like?

SPEAKER_02

It was quite a while after that disruption. They, at least for that type of stuff, it seems like it took them a while longer than other threat actor clusters to adopt that RMM as a malware type of thing. They primarily used ScreenConnect as most of the others did. But after ScreenConnect made their changes to make it more difficult for threat actors, they switched to a couple other ones very briefly, and then the activity pretty much dropped out. So either they were only really familiar with ScreenConnect, because again, that's legitimate software. Yeah. Or it was just easier for them to use the stuff that they had used before. So they were kind of trying out the new cool kids' toy there, didn't really like it after a while, probably just weren't making as much money with it, and then went back to kind of their old games there. But it was long after the Grandoreiro disruption and a little bit after when everybody started using RMMs, with the kind of follow-the-leader that we see with a lot of other threat actors.

SPEAKER_01

It's so interesting they didn't stick with it because of the absolute explosion of RMMs across multiple different threat clusters that we've observed in the last, what, it's going on two years, I think. And TA2725 tested it out a little bit, but didn't stick with it. So I don't know what that says really specifically about them, but it's interesting because it would seem that other threat clusters are sticking with RMM use. One thing I want to go back to is kind of their change in objectives when targeting specific regions. So we talked quite a bit about malware for Brazil, but I noticed that credphishing is something that they typically use for, like, Argentina targeting. So what is the theory behind that? Do you think that there's a decision that they've made? Like, okay, Argentina only gets credphished because we don't have a malware that works for Argentina? Or what do you think? What's your assessment?

SPEAKER_02

Well, the fact that most of the malware works in pretty much any Latin American country leads me to believe that it's probably someone who bought into the service that is from Argentina and knows, you know, knows their banking, knows what they're doing, knows how they operate there and things like that. So that's really what I think with some of those, is that's just people from that region that get into the action, as it were, with TA2725. But again, that's just a theory. Yeah. Don't have, you know, don't have evidence, but insider knowledge of it or anything like that.

SPEAKER_01

Are you sure? It's been a while. You've been tracking that. I'm just kidding. That is interesting. You know, this actor is just so incredibly interesting to me. And we talk about the targeting of these regions specifically, but if you are a Proofpoint customer and you're not located in these regions, you'll still see TA2725-attributed campaigns in high volumes in your dashboards. And why is that, Jared?

SPEAKER_02

It really is because of their broad range of targeting. A lot of the stuff that we see in, say, US-based companies is because they have interests in Latin America. So a mining company has operations there, manufacturing. There's a lot of manufacturing in that region. International banks that operate, you know, globally will be there. And so the targeting doesn't necessarily know that the person is in the United States per se or another country. They're just on some list that they, you know, bought from somebody or developed themselves. So that's really why I think we see that paint spatter, as it were, of targeting there. Yeah. But there are times that they definitely do target outside of the region. Then again, mainly Spain and Portugal. Very rarely other countries with TA2725. There are other clusters, for sure, from Latin America that do target other European countries with some of the global malware.

SPEAKER_01

Yeah. That brings me to my next question because Brazil, Mexico, Colombia, and Argentina have very different digital banking ecosystems, right? And regulatory environments. Is that something that's reflected in the email threat campaigns you tracked? Does TA2725 even care about that? I mean, how does that translate?

The Human Side of Threat Actors

Motivation: Money First

SPEAKER_02

So as I understand it, most of the banking operations in Brazil, the individuals that use the banks have, say, like a certificate that allows them to connect without having to use a password, or in addition to a password. So someone that has their credentials but doesn't have their computer with their certificate on it can't use their credentials. So the banking malware pretty much has operations where it directly steals it from that computer and likely uses that connection, because they have that certificate, to operate that way. But the whole, say, crime ecosystem in Brazil is very interesting because a lot of times, as we understand it, there's crossover between physical crime and cybercrime. Yes. And again, it's more, say, rumors that it happens, but it makes sense. Like when there was a law enforcement disruption of some of the physical groups, momentarily the cyber activity that we saw dropped. But you know, correlation is not causation. So there's lots of other things. But most of the time the malware is, let's say, hands-on and active; in other malware, it's kind of passive, where the malware just operates on its own and sends the stuff back. But a lot of the malware out of Brazil and the other Latin American malware is live, where there's an actual operator that is watching the victim's screen. They actually have to hit a button so that the overlay for the particular bank pops up in some cases. So it's quite a different type of malware operation than we see elsewhere.

SPEAKER_01

I just want to take a step back to the crossover, the theories of the crossovers with the digital to the physical space, especially in Latin America. Has there been in your research, not necessarily just researching campaigns, but your incredible depth of knowledge about things happening in this region, has there been any evidence or reporting to kind of suggest potential other objectives beyond the financially motivated people? Like, is the funding that they're getting from these cybercriminal campaigns leading to something further, or is it just purely for money to get those luxury cars and fancy penthouse apartments?

SPEAKER_02

It really seems like it's just for the money. Yeah. Because that's what I thought. I think the fact that they take long vacations sometimes with low activity or, you know, just took off for Carnival leads me to believe that just like any other person that's making a living, that's what they're doing, and they're using that for their daily lives. And then if they're good at it, then I'm assuming that they're, you know, taking other, say, long vacations or traveling or things like that.

SPEAKER_01

Yeah, all about the money. Yeah. Okay. So getting back to the different banking infrastructure and regulations in different countries, lures like the Nota Fiscal Eletrônica, which I completely bumbled, are deeply embedded in Brazilian business culture, which makes them incredibly effective as phishing pretexts, right? As lures. What other region-specific cultural or regulatory touch points have you seen these threat actors weaponize in these email campaigns? I know you mentioned, I mean, Netflix and Amazon is not specific to region, but kind of effective for anywhere that they may hit. But what else have you seen that's kind of interesting on the social engineering piece?

SPEAKER_02

They, I mean, they really understand the culture where they are, which again leads me to believe that they are in that region. Lately, like this week, they've been using DETRAN lures, which is like the Brazil transportation department. So driver's licensing and automobile licensing. So there's lures like your license is expired, or here's your car registration, or things like that. We've seen them leverage the privatized mail delivery service in Brazil, Correios. I'm probably butchering that, and I apologize to all the native Portuguese speakers, but that's the privatized mail delivery service, and they like to use that for lures for, you know, owing customs duties or owing shipping or things like that. And we've seen that leveraged for phishing, malware and fraud type operations. So they definitely kind of spread it out there. What we don't see in Latin America typically is multi-factor authentication. So, most... weird. In most cases you don't have that. That's partially because, at least in Brazil, they use the certificate-based logins. But a lot of it is that they're kind of behind in some of that technology. It hasn't, say, caught on in the region. So really it changes the aspect of what they can phish. So in, you know, a lot of other countries in North America or Europe, MFA is standard. So that's why you see those attacker-in-the-middle proxy-type phishing kits or phishing as a service, and you see kind of the old-fashioned phishing in Latin America, because they don't have to, but if that caught on, I would believe that they would adapt to that as well.

New LATAM Threat Activity

SPEAKER_01

Yeah, that is an interesting note because we do see incredibly high volumes of the AITM phishing. And just as a side note, shout out to the Tycoon report we just threw up on our Threat Insight blog. That was really exciting. I think Selena's still recovering from that one. But yes, very interesting, especially as we're talking about TA2725. I just want to pivot a little bit to any other interesting threat clusters you're observing in the region, in LATAM or targeting LATAM or anything like that. You had kind of alluded to that in the beginning, but what kind of new activity that maybe isn't associated with TA2725? What kind of newness are you seeing there?

SPEAKER_02

It's typically the same type of malware. There is a small cluster using Grandoreiro again, but we've also seen other, say, non-TA2725 threat actors using Mispadu and Metamorpho, and some of those other commodity types of malware down there. There are some of those that, you know, are used as a service as well, but a lot of those are more individual. We've seen a group that has heavily compromised Brazilian government email recently, which is definitely a big challenge. But anything that we find like that, we try to pass on to the Brazil federal law enforcement when we can as part of our partnership. So really trying to help them with that. We haven't had an Operation Endgame type of thing there, but we definitely have some sharing in place.

SPEAKER_01

That's good. Just because I know our audience is probably thinking this, but how do you know the difference between the threat clusters using the same malware as TA2725? How do you know it's not TA2725, without giving away too much of our secret sauce for attribution?

SPEAKER_02

A lot of it comes down to infrastructure and lures. So TA2725 has a very, say, rigid type of infrastructure on the front end, and then the services on the back end, which are much more difficult to track, but we have some ways to do that as well. So just seeing that big difference in the back end infrastructure, the sending type addresses, a lot of times TA2725 will use email addresses that look like they belong with the lure so that they match it, whereas other clusters may not do that quite as much. So a lot of it is subtle, but that's part of the game of understanding the different clusters. And we definitely try to be very conservative with our attribution because I'd rather be right and slower than be wrong and really fast with attribution. But at least for TA2725, we've been tracking them for, gosh, it's almost five years now. It wasn't long after I started here that I started tracking them. And still pretty consistent with their activity, but we do see, call them glitches, but experiments once in a while, different infrastructure use.

SPEAKER_01

Okay, Jared. So from an email telemetry perspective, are there any signals that you're seeing that suggest potential cross-regional threat actor cooperation? I mean, you mentioned the cluster that's using compromised government email addresses. And I know that's not necessarily a tactic that's proprietary to espionage or APT actors, but it's not like my mind immediately goes there, because we do see that. Like, our espionage team sees that a lot. So I'm just curious, do you see any signals that maybe suggest cooperation amongst LATAM actors with potentially Eastern European or even East Asian actors?

SPEAKER_02

There hasn't been a lot of that. There has been some suspicion or open source reporting in the past that there was some cooperation between some of the Russian threat actors, but we haven't really seen that or any evidence of it. We have seen the threat actors, even TA2725, using infrastructure out of Russia, but speaking to some of the law enforcement contacts, it's pretty much because they know that it's really tough to take things down there. So it's just operationalizing, you know, bulletproof hosting in that case.

SPEAKER_01

So it's really just those infrastructure data points that are kind of suggesting potential overlap. There's nothing really, is there anything else that's interesting?

SPEAKER_02

It really doesn't seem like it. I had suspected it in the past.

SPEAKER_01

But I get so excited, I'm like, ooh, juicy.

Delphi as a Clue

SPEAKER_02

There's definitely cooperation between different countries in the region, but it doesn't appear that there's a lot outside the region. You know, part of that comes from the malware itself, because a lot of times the malware, or parts of the malware, are written in Delphi, which is kind of an old-fashioned language and not used very much outside of the region. But it was heavily taught in schools in the early 2000s in Brazil and other countries there. It's easy to use, it's natively Windows compatible. So if you see malware written in Delphi, it probably has its origin in the Latin American region. And even using new techniques like DLL sideloading, the part of the malware that they're sideloading is written in Delphi, even though it's a, you know, legitimate program that they're injecting into.

SPEAKER_01

It's really interesting and a good thing to know about Delphi, too. I didn't know that. Jared, is there anything else that I didn't touch on today or that we didn't talk about today with regards to these actors or LATAM? I know this is like a region that's kind of known for being, not a hotbed, but a very, you know, interesting region for cybercrime, right? So did we cover everything? It's hard to tell.

Global Impact of TA2725

SPEAKER_02

Yeah. But there's so much. I'm not sure. And the thing about TA2725 and some of those other clusters, well, especially TA2725, is that I believe at least at one point they were, and may still be, the highest volume of named threat actor malware that we have. So I mean, other malware is definitely higher volume. Other attacks like ClickFix and that are much higher volume, but those aren't attributed. But malware attributed to TA2725 continues to be one of the top malware globally that we see with all of our customer base. And even if the company itself or the customer itself isn't directly targeted, they probably have some type of interest in the Latin American region. So they are still a target because of the global economy. So if, you know, one of their subsidiaries in Latin America gets compromised, then they can pivot off of that to the main part of the company. So it's not compartmentalized to organizations that operate exclusively in Latin America. It's definitely a global threat.

SPEAKER_01

Yeah. And as we see from their, you know, revolving objectives, I mean, this group is super financially motivated, and opportunistic, right? So they're gonna take whatever opportunities they can, even if it means potentially compromising something outside of the region that they're focused on. So super interesting group. And I did, I wanted to ask too, is there any indication of how long they've been on the threat landscape? I know you've been tracking them for about five years, but have they been, is it possible they've been around longer than that? Or do you not have any?

SPEAKER_02

Oh, absolutely, because I know the activity was happening at least a few years before I came to Proofpoint, but the volumes really ramped up again about five years ago. So that's really kind of where they stuck their hand up and said, I'm here. Yeah. And really kind of jumped onto the stage of the global threat landscape at that time.

The Human Side of Threat Actors

SPEAKER_01

Interesting. And I wonder, I always try to think like, are there any, have there been any, like, cyber incidents in the headlines that we could possibly trace back to this group ever? I think that would be like a historical research project that would be fun, but, you know, you just never know. Threat actors are friends, just like different threat research orgs are friends with other threat researchers, you know. So it's interesting. It's fun. It's easy to forget that they're humans, that threat actors are humans, but good reminders when they take time off like Carnival, that they are actually humans that go on vacation.

SPEAKER_02

So they're only human, they make mistakes sometimes. They have good days and bad days. Sometimes their scripts don't work. So in the actual email body where they're trying to social engineer by putting the target's name in the field, you'll just see random text or something else there that looks like computer code where it didn't work. There are times where their links are broken. There are times where something has already been taken down, you know, Google Safe Links found it or something else like that. So they're human, they have good days and bad days, but they are professionals and crime is their business.

SPEAKER_01

Very active. Well, thank you, Jared, for being on today and catching us up with TA2725 and LATAM-focused threats. It's a really, really interesting region. I don't envy your need to be on your toes all the time with this group, but they are really interesting, very exciting. So don't forget to join us for Intercepted: From Headers to Headlines, our newest threat research production. We had our third session yesterday, and you can get all sessions on demand. But join us live on April 22nd at 10 a.m. Eastern. We'll be talking more about regionally targeted threats all over the world. We'll probably talk about Latin America, but definitely incorporating some discussion around threats to APAC and EMEA as well. Again, thank you, thank you, thank you, Jared, for joining today and to all of our listeners. Until next time, happy hunting.

SPEAKER_00

You've been listening to Discarded: Tales from the Threat Research Trenches, a podcast by Proofpoint. Never miss an episode by subscribing to the show in your favorite podcast player. Happy hunting.