Executive Summary
Gov.br, Brazil’s federal government services umbrella domain, has been listed as a victim by the APT73 threat group on their dark web portal. The listing, published on June 23, 2026, highlights APT73’s recent focus on the public sector. This incident is significant due to the sensitive nature of citizen and administrative data handled by government platforms. APT73 has claimed numerous victims recently, with a notable preference for the Public Sector, Business Services, and Technology industries, primarily in the United States, the United Kingdom, and Germany. Previous targets of APT73, such as tkgm.gov.tr and siapenet.gov.br, share similarities with Gov.br, reinforcing the group’s targeting of government and public-sector organizations.
Technical Analysis
SOCRadar’s Dark Web Monitoring identified a severe exposure related to the gov.br domain through stealer-log telemetry. The compromised data included credentials for critical infrastructure such as a federal single sign-on portal, an ADFS identity-management endpoint, a Google Workspace login, and a network proxy. Additionally, a large volume of @gov.br credentials from various third-party services were harvested. The exposed credentials, dating from late 2024 to mid-2026, indicate persistent exposure across multiple agencies and services sharing the gov.br namespace.

The use of infostealer-harvested credentials is a known initial access vector for threat groups like APT73. By obtaining and validating corporate credentials from underground marketplaces, attackers can gain access to SSO, VPN, and remote-access portals. While this specific log does not confirm APT73’s direct usage, the pattern of reused credentials and prolonged exposure is consistent with their observed kill chain.

Affected agencies are advised to prioritize forced resets, implement phishing-resistant MFA, revoke sessions on SSO and ADFS accounts, and hunt for stealer indicators on associated endpoints.
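The triage the analysis calls for (keep only stealer-log records for the gov.br namespace, classify each by the exposed service, compute the exposure window, and list the accounts whose resets and session revocations come first), as an added Python example that is not SOCRadar's tooling; the record format, hostnames and sample records are constructed placeholders.

```python
# Added example (not SOCRadar's code): triage of infostealer-log records for a
# monitored domain namespace. The record format host|user|password|seen_date is
# a constructed simplification of stealer output.
from collections import defaultdict
from datetime import date
import re

# Constructed sample records; hostnames are placeholders, not real endpoints.
SAMPLE_LOG = """\
sso.example-gov.invalid|alice@gov.br|<redacted>|2024-11-03
adfs.example-gov.invalid/adfs/ls|bob@agencia.gov.br|<redacted>|2025-02-17
accounts.google.com|carol@gov.br|<redacted>|2026-05-09
proxy.example-gov.invalid:8080|dave@gov.br|<redacted>|2025-08-22
shop.example-vendor.invalid|alice@gov.br|<redacted>|2026-01-30
portal.example-other.invalid|eve@empresa.com.br|<redacted>|2026-03-01
"""

# Host patterns for the service classes named in the analysis; anything else is
# a third-party service where a namespace address was reused.
SERVICE_PATTERNS = [
    ("sso", re.compile(r"(^|\.)sso\.")),
    ("adfs", re.compile(r"/adfs/")),
    ("workspace", re.compile(r"^accounts\.google\.com")),
    ("proxy", re.compile(r"(^|\.)proxy\.")),
]
HIGH_PRIORITY = {"sso", "adfs", "workspace", "proxy"}

def classify(host):
    for name, pat in SERVICE_PATTERNS:
        if pat.search(host):
            return name
    return "third_party"

def in_namespace(email, domain):
    # True for user@domain and any subdomain such as user@agencia.gov.br.
    dom = email.rpartition("@")[2].lower()
    return dom == domain or dom.endswith("." + domain)

def triage(log_text, domain="gov.br"):
    """Group exposed accounts by service class and compute the exposure window."""
    per_account, dates = defaultdict(set), []
    for line in log_text.splitlines():
        host, user, _pw, seen = line.split("|")
        if not in_namespace(user, domain):
            continue  # outside the monitored namespace
        per_account[user].add(classify(host))
        dates.append(date.fromisoformat(seen))
    # Accounts seen on identity or network-edge services are reset first.
    reset_first = sorted(u for u, s in per_account.items() if s & HIGH_PRIORITY)
    window = (min(dates).isoformat(), max(dates).isoformat()) if dates else None
    return {"accounts": dict(per_account), "reset_first": reset_first, "window": window}
```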