Top 10 Cyber Threat Actors Targeting Brazil
Brazil enters the second half of 2026 as Latin America’s undisputed top cybercrime target. With a general election approaching in October 2026 and a booming digital economy built on platforms like Pix, the country is increasingly vulnerable.
Understanding who is behind these attacks is not a passive exercise. Threat actors leave traces: negotiation chats on Dark Web leak sites, stolen credentials sold in underground marketplaces, ransomware group profiles on hacker forums, and operational chatter across encrypted channels. SOCRadar’s Dark Web Monitoring continuously scans these hidden layers of the internet and surfaces threat actor activity relevant to your organization before it becomes a breach. The top groups covered in this report, from LockBit 5.0 and Qilin to Salt Typhoon and TA2725, illustrate exactly how varied and persistent that threat landscape is.
| Threat Actor | Origin | Type | Sectors Targeted | Key Brazil Incident (2025–2026) |
|---|---|---|---|---|
| LockBit 5.0 | Russia | Ransomware / RaaS | Transport, manufacturing, food | Brazil = #2 target country in Q1 2026 (8.6% of victims) |
| Qilin | Russia-linked | Ransomware / RaaS | Manufacturing, healthcare, retail | ~30% of all LATAM ransomware victims attributed to Qilin |
| Akira | Russia-linked | Ransomware / RaaS | Food production, finance, manufacturing | Brazil named as top-tier concentration market; Moinho Globo Alimentos breached |
| The Gentlemen | Unknown | Ransomware / RaaS | Education, public sector, enterprise | Brazil = 4th most targeted country globally; 19 confirmed victims Q1 2026 |
| Everest Group | Russia-linked | Data extortion | Energy, government, critical infrastructure | Petrobras breach – 176 GB of seismic data stolen (Nov 2025) |
| Salt Typhoon | China (MSS) | Nation-state APT | Telecoms, government, military, finance | Brazil confirmed among 80+ compromised countries; active through Feb 2026 |
| TA2725 | Brazil | Cybercrime syndicate | Banking, financial services | Active Grandoreiro + BTMOB RAT campaigns confirmed May 2026 |
| DragonForce | Malaysia | Ransomware / RaaS | Education, public sector, enterprise | FGV breach – 1.52 TB stolen, 88,000+ users exposed (Mar 2026) |
| Cl0p | Russia-linked | Mass exploitation | Finance, healthcare, manufacturing | Oracle EBS zero-day campaign; Brazil entered global top 10 Feb 2026 |
| KillSec | Unknown | Ransomware / RaaS | Healthcare, financial services, government | Brazil = 4th most targeted country; record healthcare wave Sep 2025 |
Brazil’s Cyber Threat Landscape in 2026
Brazil accounts for 53% of all cybersecurity incidents recorded across Latin America – more than every other country in the region combined. There were 132 ransomware victims in 2025 alone, and February 2025 set a national record with over 960 attacks in a single month. SOCRadar’s LATAM Cyber Threat Landscape Report 2026 puts an even finer point on it: Brazil accounts for 46.94% of all ransomware attacks in the region and leads overall targeting activity across every measured category.
The attack surface is broad. Manufacturing, government, healthcare, financial services, and energy are consistently the hardest-hit sectors. Threat actors range from global ransomware cartels deliberately shifting focus away from the U.S., to Chinese state-sponsored groups quietly intercepting telecom traffic, to domestic Brazilian cybercrime syndicates that have operated uninterrupted for a decade.
The groups below may already be discussing your organization on the Dark Web. Check your exposure for free.
1. LockBit 5.0: Brazil Is Now Its Second Most Targeted Country
LockBit is arguably the most resilient ransomware operation in history. After Operation Cronos dismantled the group in February 2024 and unmasked its alleged leader as Russian national Dmitry Yuryevich Khoroshev, LockBit returned eighteen months later as LockBit 5.0. This time, the group explicitly announced its intent to target critical infrastructure, including power plants and hydroelectric facilities.

Threat actor card of LockBit
In Q1 2026, the group posted 163 victims and reclaimed a spot in the global top four. Historically, the US accounted for over 50% of LockBit’s victims. In Q1 2026, that share collapsed to 21.2%, with Italy (8.6%), Brazil (8.6%), and Turkey (5.1%) absorbing the shift. The move away from North America appears aimed at avoiding the attention of international law enforcement, and Brazil has absorbed a disproportionate share of the activity that pivot displaced.
Confirmed 2026 Brazilian victims include Technicare Instrumental Cirurgico, a surgical instruments manufacturer, and Brassuco Alimentos, a food and beverage producer active since 1985.
2. Qilin: The World’s Most Active Ransomware Group for Three Consecutive Quarters
Also known as “Agenda,” Qilin has held the top position globally for three consecutive quarters, posting 338 victims in Q1 2026 alone. The group runs a full RaaS (Ransomware-as-a-Service) platform with a Rust-based encryptor engineered to complicate forensic analysis, and has absorbed waves of displaced affiliates from both LockBit and RansomHub following their respective collapses.

Threat actor card of Qilin (Agenda)
Brazil accounts for roughly one third of all LATAM ransomware victims attributed to Qilin, the highest country share in the region. Manufacturing, retail, healthcare, and professional services firms are among confirmed targets in 2026. The group is also a founding member of the ransomware cartel alliance formed with LockBit and DragonForce in September 2025, further concentrating operational resources against high-value markets like Brazil.
3. Akira: Brazil Is a Confirmed Concentration Market, with $244M in Proceeds Fueling Continued Expansion
Akira emerged in March 2023 with suspected ties to the former Conti operation. The group runs a double-extortion RaaS model, exploits VPN vulnerabilities in Cisco and SonicWall products for initial access, and can encrypt an enterprise network in under an hour.

Threat actor card of Akira
Researchers name Brazil among Akira’s top victim geographies alongside the US, Canada, and Australia. The group posted 84 victims in March 2026 alone. Documented 2026 Brazilian victims include Moinho Globo Alimentos, one of the largest milling companies in its state, with the campaign continuing actively through Q1 2026. In Q1 2025, Brazil led South America with 22 ransomware incidents, primarily in food and beverage manufacturing, and Akira was identified as one of the key drivers of that concentration.
4. The Gentlemen: Brazil Is Their 4th Most Targeted Country Globally Due to Pre-Positioned FortiGate Access
The Gentlemen is the breakout ransomware group of 2026, founded in late 2025 by a former Qilin affiliate. They entered the market with a pre-built stockpile of approximately 14,700 already-compromised FortiGate devices, meaning they attack from inventory rather than spending time establishing fresh footholds. The group reached over 340 victims by April 2026, scaling faster than any other ransomware operation on record.

Threat actor card of The Gentlemen Ransomware
Researchers confirmed that Brazil accounts for 6% of The Gentlemen’s global victims, making it their 4th most targeted country, a direct consequence of the high concentration of vulnerable FortiGate devices on Brazilian enterprise networks. Dark Web leak site monitoring confirms 19 Brazilian organizations as victims as of Q1 2026, including Fundacao Para o Desenvolvimento das Artes e da Comunicacao and the Universidade Federal de Sergipe. In May 2026, a leak of the group’s internal Rocket.Chat infrastructure exposed over 1,570 total victims and affiliate payment details, but operations continue.
5. Everest Group: Executed the Most Strategically Significant Cyberattack on a Brazilian Organization in the Period
Active since 2020, Everest has evolved from a conventional ransomware outfit into a hybrid extortion operation, preferring data theft and public exposure over encryption. The group sells initial access to compromised networks in parallel with its extortion campaigns and has previously claimed victims including NASA and critical infrastructure operators across Europe. As of May 2026, Everest remains actively posting new victims.

Threat actor card of Everest Ransomware
In November 2025, Everest executed the most strategically sensitive cyberattack on a Brazilian entity in the current period: the breach of Petrobras, Brazil’s state-owned oil giant. The group published two separate Dark Web listings on November 14, 2025, claiming over 176 gigabytes of seismic navigation data stolen from the Campos Basin, including ship positioning logs, hydrophone readings, equipment configurations, and field survey reports from joint operations with SAExploration. Everest gave Petrobras four days to make contact. The exfiltrated data covers the core of Brazil’s offshore energy intelligence.
6. Salt Typhoon: Confirmed Active in Brazil as Part of the Most Geographically Distributed APT Campaign Ever Disclosed
Salt Typhoon is a Chinese state-sponsored APT (Advanced Persistent Threat) group linked to the Ministry of State Security, active since at least 2019. The group specializes in long-duration, low-visibility intrusions into telecommunications infrastructure using the custom backdoors SparrowDoor and Demodex, which are built for persistent intelligence collection rather than rapid-impact attacks. The US sanctioned a Chinese company tied to the group in January 2025.

Threat actor card of Salt Typhoon
The FBI confirmed in February 2026 that Salt Typhoon’s threats remain “still very much ongoing,” with the group having compromised more than 200 organizations across 80 countries. Brazil is explicitly named among its confirmed targets, spanning telecoms, government entities, financial institutions, and military organizations. With Brazil’s October 2026 general elections approaching and its 5G infrastructure rapidly expanding, Salt Typhoon’s sustained interest in communications interception represents a long-term espionage risk that extends well beyond any single incident.
7. TA2725 (Grandoreiro Gang): A Decade-Long Brazil-Origin Operation, Actively Running New Campaigns in May 2026
TA2725 is a Brazil-based organized cybercrime syndicate that has operated the Grandoreiro banking trojan since 2016, making it one of the longest-running financial fraud operations in Latin American history. The group survived two coordinated INTERPOL-assisted law enforcement actions in 2021 and 2024, with remaining members continuing operations and actively developing new capabilities. Their tooling has expanded to target financial institutions across 45 countries.

SOCRadar’s Threat Actor Intelligence, Grandoreiro Malware Details
In late May 2026, researchers at WatchGuard and ESET confirmed active TA2725 campaigns targeting financial institutions and corporations across Latin America, with Brazil as a primary target, using DLL side-loading and obfuscated VBScript delivery chains that hide malicious traffic inside legitimate cloud services. The May 2026 campaign runs in parallel with BTMOB RAT v4.5.5, an Android trojan from the same criminal ecosystem. Its developer released that update on May 1, 2026, and ESET confirms it is “mainly observed in attacks in Brazil.”
8. DragonForce: Breached Brazil’s Most Prestigious University, Stealing 1.52 TB Including 88,000+ User Records
DragonForce began as a Malaysian hacktivist collective before pivoting to a full RaaS operation notable for its “white-label” model, letting affiliates operate under their own branding while using DragonForce infrastructure. The group absorbed displaced RansomHub affiliates after that group shut down in April 2025, and posted 101 victims in Q1 2026. Researchers explicitly named Brazil as one of the group’s deliberate non-US target markets alongside Italy and Turkey.

Threat actor card of DragonForce
In March 2026, DragonForce breached the Fundacao Getulio Vargas (FGV), Brazil’s most prestigious university and public policy institution, exfiltrating approximately 1.52 TB of data including names, identification details, and banking information belonging to over 88,000 users. FGV confirmed the incident publicly and acknowledged data had appeared on the Dark Web. It stands as the largest single data theft event targeting a Brazilian educational institution on record.
9. Cl0p: Top 5 Globally, With Mass Exploitation Campaigns Sweeping Through Brazilian Organizations
Cl0p is one of the most financially consequential cybercrime operations in history, responsible for billions of dollars in damages across seven years of mass zero-day exploitation campaigns. The group’s signature tactic is exploiting a single widely deployed enterprise platform and simultaneously breaching hundreds of organizations before a patch exists. Previous waves targeted GoAnywhere MFT, MOVEit Transfer, and Cleo, each hitting thousands of organizations globally, including Brazilian entities.

Threat actor card of Cl0p
Cl0p was the third most active ransomware group in Q1 2026, logging 68 victims in January and 49 in February. Their latest mass campaign exploited a zero-day in Oracle’s E-Business Suite (CVE-2025-61882), sweeping through organizations across 72 countries. Brazil entered the global top 10 for ransomware victims for the first time in February 2026, with Cl0p’s volume contributing directly to that surge. Brazilian organizations running Oracle EBS or Cleo managed file transfer platforms are confirmed exposure targets in this campaign wave.
10. KillSec: Brazil Is Their 4th Most Targeted Country
KillSec originated as a hacktivist group before pivoting to ransomware in October 2023 and officially launching a RaaS platform in June 2024. The group targets healthcare, financial services, government, and technology sectors with a particularly aggressive 88% revenue split for affiliates, attracting a steady stream of operators. With 279 documented victims across 49 countries, KillSec has established itself as a consistent mid-tier threat with an outsized focus on Brazil relative to its overall size.

Threat actor card of KillSec
Brazil is KillSec’s 4th most targeted country globally, with 10 confirmed Brazilian victims, ranking behind only the US (86), India (48), and UK (11). In September 2025, KillSec launched a record wave of attacks specifically against Brazilian healthcare institutions, forcing a coordinated response from Resecurity, CERT.br, and ANPD (Brazil’s national data protection authority). The group remains active in 2026, with its most recent victim posted on May 14, 2026.
SOCRadar Dark Web Monitoring: See These Threat Actors Before They See You
The groups above don’t go quiet between attacks. They advertise stolen credentials, discuss targets, and post victim data on Dark Web platforms, often weeks before the affected organization knows anything is wrong.

SOCRadar Dark Web Monitoring module
SOCRadar’s Dark Web Monitoring tracks all of it in real time:
- Ransomware leak site alerts when your organization or supply chain partners are listed
- Stolen credential detection from Dark Web marketplaces and stealer log collections
- Threat actor and ransomware group tracking, including new group formations and affiliate movements
- Executive and VIP exposure monitoring for identity and personal data risks
- A Dark Web search engine for proactive hunting across forums, paste sites, and Telegram channels
- AI-powered alert summaries with severity scoring and relevance analysis
- Brazil- and sector-specific intelligence feeds tailored to your operations
