Elections increasingly attract cyber operations that target politicians, businesses and the public. These activities range from espionage campaigns against political parties to influence operations seeking to shape opinions, sow discontent or undermine democratic processes.

This newsletter, published twice a month, provides an overview of key cyber incidents and emerging threats related to the upcoming October 2026 general elections in Brazil. It offers recommendations on how organizations and individuals can mitigate and protect against these threats.

Key incidents

In this issue we focus on:

Previously undocumented data-wiping malware used in late 2025 attacks against Venezuelan energy organizations

The malware program – dubbed Lotus by researchers at Russia-based cyber security organization Kaspersky – is designed to destroy its targets by wiping physical drives and removing the possibility of recovery, according to Bleeping Computer.

PhaaS campaign targeting C-suite executives in multiple sectors underlines persistent threat

A credential harvesting campaign is leveraging a new phishing-as-a-service (PhaaS) platform called Venom to target C-suite executives and senior employees at organizations across more than 20 sectors, according to cloud cyber security company Abnormal.

USD 20.88 bn 

Estimated amount of cybercrime losses in the US in 2025

(Source: US FBI Internet Crime Complaint Center, IC3)

Reported losses climbed some 26% from 2024 to 2025, according to the report, with phishing and spoofing attacks the most common complaint categories to the IC3 in 2025.

Mitigation advice twice a month

  • Strengthen backup resilience and recovery testing. Ensure business continuity against destructive cyber events by prioritizing the ability to rapidly restore core operations after severe system compromise, including governance oversight of resilience planning and regular validation that critical data and services can be recovered under worst‑case scenarios.
  • Enforce least‑privilege access and network segmentation across endpoints, servers and critical systems to limit blast radius and enable rapid containment in the event of destructive or espionage‑motivated intrusions.
  • Enhance executive‑level phishing defenses by combining targeted security awareness training for C‑suite and senior leaders with advanced email security controls.
  • Prohibit or tightly control QR‑code interactions from emails, especially those purporting to be document‑sharing or verification requests.
  • Harden identity and authentication workflows by restricting device code flows, monitoring for adversary‑in‑the‑middle (AiTM) techniques and enforcing strong conditional access policies for senior staff.
  • Adopt a heightened cyber risk posture during politically sensitive periods by aligning executive leadership, security teams and crisis management functions to anticipate elevated threat activity, accelerate decision‑making and respond decisively to incidents that could disrupt operations, reputation or stakeholder trust.

Lotus data-wiping malware utilized against Venezuelan energy and utility organizations

According to the April 21 article in Bleeping Computer, Kaspersky researchers were able to upload and analyze a sample of the malware and noted that Lotus “removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files…, ultimately leaving the system in an unrecoverable state.” The article further explains that the data-wiping attacks appear to roughly coincide with apparent cyber attacks against the state-owned Venezuelan oil company Petroleos de Venezuela (PDVSA) in mid-December 2025 and with rising geopolitical tensions around Venezuela more broadly, culminating in the January 3 capture and arrest of then-president Nicolás Maduro (2013-26).

Potential mitigation: We note that early detection and a resilient backup strategy are the most effective methods of countering such data-wiping attacks, and recommend enforcement of least privilege, network segmentation, and endpoint and server hardening as best practices to allow for rapid containment and recovery.

PhaaS campaign targets executives and senior employees in multiple industries

The campaign specifically targeted C-suite executives and senior employees with spear phishing emails containing SharePoint document-sharing notifications designed to appear as if they were from the recipient’s organization, according to the report from Abnormal. The notifications directed targets to scan a QR code with their mobile device, which then directed them to a fake verification page designed to distinguish the visitor from an automated scanner or security tool.

Following verification, targets were directed to one of two possible credential harvesting pages hosted on attacker-controlled domains. The first leveraged AiTM techniques to impersonate a legitimate sign-in page for the identity provider used by the victim’s organization. The second impersonated a Docusign notification to prompt the victim to complete Microsoft’s device code flow and approve a threat actor‑controlled device sign‑in.

Potential impact: This campaign underscores threat actors' continued high intent to target C-suite executives with phishing-based attacks to gain initial access to target environments, particularly due to the enhanced administrative privileges and internal authority of senior employees. Threat actors will almost certainly continue to prioritize C-suite executives as targets in the coming months and years, including those in Brazil.
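Detection example: the following sketch is added here for illustration and is not taken from the Abnormal report. It shows one way a security team could monitor sign-in logs for device code authentications by senior staff, raising severity when the approval succeeds from an address the account has not previously used. The watchlist, the sample records and the simplified `status` field are constructed assumptions; the field names are modeled on Entra ID sign-in logs and should be mapped to whatever your identity provider exports.

```python
import json

# Constructed sample sign-in records (not real data). Field names are modeled on
# Entra ID sign-in logs; "status" is simplified to a string for this example.
SAMPLE_LOG = """\
{"createdDateTime":"2026-04-20T09:01:00Z","userPrincipalName":"ceo@example.com","authenticationProtocol":"none","ipAddress":"192.0.2.10","status":"success"}
{"createdDateTime":"2026-04-20T09:40:00Z","userPrincipalName":"ceo@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","status":"success"}
{"createdDateTime":"2026-04-20T10:05:00Z","userPrincipalName":"cfo@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.11","status":"failure"}
{"createdDateTime":"2026-04-20T10:30:00Z","userPrincipalName":"dev@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.5","status":"success"}
{"createdDateTime":"2026-04-20T10:31:00Z","userPrincipalName":"cfo@example.com","authenticationProtocol":"none","ipAddress":"192.0.2.11","status":"success"}
"""

WATCHLIST = {"ceo@example.com", "cfo@example.com"}  # hypothetical senior-staff accounts


def find_device_code_alerts(log_text, watchlist):
    """Return alerts for device code sign-ins by watchlisted accounts.

    Severity is 'high' when the sign-in succeeded from an IP the account has not
    used for any earlier successful non-device-code sign-in, else 'medium'.
    """
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["createdDateTime"])  # ISO 8601 UTC sorts lexically
    known_ips = {}  # user -> IPs seen in earlier successful ordinary sign-ins
    alerts = []
    for e in events:
        user = e["userPrincipalName"].lower()
        if e["authenticationProtocol"] != "deviceCode":
            if e["status"] == "success":
                known_ips.setdefault(user, set()).add(e["ipAddress"])
            continue
        if user not in watchlist:
            continue  # device code use by other accounts is out of scope here
        new_ip = e["ipAddress"] not in known_ips.get(user, set())
        severity = "high" if e["status"] == "success" and new_ip else "medium"
        alerts.append({"time": e["createdDateTime"], "user": user,
                       "ip": e["ipAddress"], "status": e["status"],
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_alerts(SAMPLE_LOG, WATCHLIST):
        print(alert)
```

Where senior staff have no business need for device code sign-in, blocking the flow through conditional access removes the need for this alert; the check is most useful while such a policy is being rolled out or where exceptions exist.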

Focus on: Targeting of C-suite executives and senior employees

Given their leadership roles, senior employees are more likely to possess significant administrative privileges, as well as the authority to approve financial transactions, document transfers and other important business decisions. They are therefore attractive targets for threat actors seeking to leverage initial access to an enterprise environment for financial gain or espionage-focused activities.

Additionally, C-suite executives and senior employees are likely to receive a large number of emails from disparate sources, potentially reducing their ability to distinguish between real and fake emails. Threat actors from across the cyber threat landscape will almost certainly continue to heavily target senior employees with phishing attacks designed to enable initial access into enterprise environments.

Mitigation: We urge organizations to educate all employees on the risks of interacting with unknown or unexpected material by implementing regular phishing tests and extensive email security tools. Relevant to the case cited above, we advise that the training should also include instructions for all employees, including C-suite executives, to avoid directly engaging with or scanning QR codes delivered via emails.