We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Portuguese Bank Users Targeted in "Operation Magalenha"

Portuguese Bank Users Targeted in
Author Image Husain Parvez
Husain Parvez Published on 28th May 2023 Cybersecurity Researcher

Researchers at SentinelLabs published a report on the morning of May 25th that identified a sizable malicious campaign targeting users of Portuguese financial institutions. The campaign has been dubbed “Operation Magalenha”. Attackers are able to steal credentials and exfiltrate personal information from customers of over 30 Portuguese financial institutions, which then could be used for identity fraud, phishing, and other malicious activities.

After a thorough analysis, the researchers confidently concluded that the perpetrators behind “Operation Magalenha'' are of Brazilian origin. This assessment was based on several factors, including the use of Brazilian-Portuguese in code and the similarities between the threat actor’s payload and the Brazilian Maxtrilha malware family.

The list of targeted entities comprises a range of institutions, including ActivoBank, Caixa Geral de Depósitos, CaixaBank, Citibanamex, Santander, Millennium BCP, ING, Banco BPI, and Novobanco. The attackers' seem to have a thorough understanding of the Portuguese financial landscape despite being likely based outside the country, along with a willingness to invest considerable time and resources into devising precise and tailored campaigns.

Sentinel Labs' report believes that the malware is being delivered through phishing emails that appear to come from Energias de Portugal (EDP) and the Portuguese Tax and Customs Authority (AT – Autoridade Tributária e Aduaneira). After the user likely clicks a link in the email, they are taken to a fake login page of the respective site, while a malware loader is downloaded and executed in the background.

The fake login page serves two purposes. To distract the user from the background download of the malware loader, and to serve as an additional opportunity to steal their credentials for these services.

If left to download and execute, the malware loader installs two variants of a spyware dubbed “PeepingTitle” onto the user’s system. One variant reads all open windows on the user’s device, monitoring specifically for open windows on the websites of targeted institutions. If this is detected, the malware will register the infected machine with the hacker’s server, take screenshots of that window, and set up the staging of further malware.

The second PeepTitle variant registers with a separate server run by the hackers, and takes a screenshot every time the user changes the top-level window on their device. With these two spyware variants working together, the threat actors can get a detailed insight into user activity and steal their credentials.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.