{"id":333,"date":"2026-03-08T03:55:40","date_gmt":"2026-03-08T03:55:40","guid":{"rendered":"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/08\/mapping-the-digital-network-of-tropa-do-arranca-inside-a-brazilian-phishing-kit\/"},"modified":"2026-03-08T03:55:40","modified_gmt":"2026-03-08T03:55:40","slug":"mapping-the-digital-network-of-tropa-do-arranca-inside-a-brazilian-phishing-kit","status":"publish","type":"post","link":"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/08\/mapping-the-digital-network-of-tropa-do-arranca-inside-a-brazilian-phishing-kit\/","title":{"rendered":"Mapping the Digital Network of \u201cTropa do Arranca\u201d: Inside a Brazilian Phishing Kit"},"content":{"rendered":"<figure><img data-opt-id=538038873  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/932\/1*SvvrqOZk9Sl_buvuL26jfw.png\" \/><\/figure>\n<p>As cybercrime in Brazil continues to grow in sophistication, a group known as \u201cTropa do Arranca\u201d has emerged as a notable threat actor. The group is reportedly involved in stealing mobile devices and then using phishing kits to extract additional digital assets from victims. In this article, we leverage OSINT (Open Source Intelligence) investigation and analysis through the threat hunting platform Criminal IP to examine the group\u2019s infrastructure and malicious operational management, uncovering their complex tactics. We also focus on analyzing specific phishing kits, particularly those targeting iCloud credentials, to better understand the group\u2019s level of sophistication.<\/p>\n<h3>Where the Inquiry Begins: Suspicious Signatures and a Phishing Operation<\/h3>\n<p>The analysis and investigation into \u201cTropa do Arranca\u201d began with what appeared to be an ordinary fragment of HTML code. 
However, upon closer inspection, the code was revealed to be a phishing kit meticulously designed to mimic the iCloud login\u00a0page.<\/p>\n<p>Within the analyzed source code, the following hidden field was identified:<\/p>\n<blockquote><p>&lt;input id=&quot;AppleAccount&quot; type=&quot;hidden&quot; value=&quot;kittropadoarranc_Tropa&quot;\/&gt;<\/p><\/blockquote>\n<figure><img data-opt-id=1084934565  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/600\/0*M88Vq_V-3leDCYQm\" \/><\/figure>\n<p>The string \u201ckittropadoarranc_Tropa\u201d found within the field was not a simple error or random identifier. It functioned as a digital signature, a hard-coded marker branding the kit, pointing to \u201cTropa do Arranca,\u201d a group already known within Brazil\u2019s cybercrime ecosystem. From this point onward, the investigation expanded beyond the analysis of a single phishing kit into a broader effort to track an organized threat\u00a0group.<\/p>\n<h3>Inside \u201cTropa do Arranca\u201d: Reflecting Brazil\u2019s Evolving Cybercrime Scene<\/h3>\n<p>The term <em>\u201carranca\u201d<\/em> in Brazilian slang refers to forcefully or swiftly taking something away. 
In the context of cybercrime, \u201cTropa do Arranca\u201d appears to specialize not only in the physical theft of mobile devices, but also in extracting victims\u2019 digital access, particularly iCloud account credentials.<\/p>\n<p>Their ultimate objectives include:<\/p>\n<ul>\n<li>Unlocking stolen or lost Apple\u00a0devices<\/li>\n<li>Reselling devices on illicit\u00a0markets<\/li>\n<li>Gaining access to banking information and other sensitive data<\/li>\n<\/ul>\n<p>The investigation revealed that the group operates on platforms such as Telegram, managing multiple channels used to coordinate criminal activities and trade illicit services.<\/p>\n<figure><img data-opt-id=1084934565  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/600\/0*M0R0bviGGKkyTO_p\" \/><\/figure>\n<p>Example channels:<\/p>\n<ul>\n<li>@ghostreff (focused on BIN checking and data\u00a0lookup)<\/li>\n<li>@tropa_arranca_ref (sharing scam success cases and references)<\/li>\n<\/ul>\n<h3>Crafting Credibility: Social Engineering and Location-Based Deception in Phishing\u00a0Schemes<\/h3>\n<figure><img data-opt-id=1084934565  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/600\/0*egmHVBQ5JsDJUoiL\" \/><\/figure>\n<p>The phishing kit attributed to this group appears to be carefully designed to exploit victim psychology. While mimicking Apple\u2019s \u201cFind My\u201d interface, it incorporates specific geographic coordinates, including:<\/p>\n<ul>\n<li>-23.5557714<\/li>\n<li>-46.6395571<\/li>\n<\/ul>\n<p>These coordinates correspond to a real-world location near the Jaceguai Viaduct and Avenida 23 de Maio in central S\u00e3o Paulo,\u00a0Brazil.<\/p>\n<p>The phishing structure leveraging location data goes beyond simple UI replication. 
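<\/p>
<p>The hidden-field marker and the embedded \u201cFind My\u201d coordinates described above, together with the urgency copy and the credential form that a lure of this kind carries, can be turned into a page fingerprint for triaging suspected kits. The Python below is an added example written for this edit, not code from the original article, from Criminal IP or from the kit itself: the sample HTML is constructed, the brand, phrase and host lists are assumptions to be tuned against real kits, and only the <code>kittropadoarranc_Tropa<\/code> marker comes from the field quoted earlier.<\/p>

```python
# Added example (not from the original article or the kit): fingerprint a
# Find My / iCloud phishing page by the traits the article describes.
from html.parser import HTMLParser

# The first marker is the one quoted in the article; every other list below
# is an illustrative assumption to be tuned against real kits.
KIT_SIGNATURES = ('kittropadoarranc_tropa',)
BRAND_WORDS = ('icloud', 'apple', 'find my', 'buscar iphone', 'rastreio', 'rastrear')
LURE_PHRASES = ('device found', 'dispositivo encontrado', 'localizado', 'agora')
LEGIT_HOSTS = ('apple.com', 'icloud.com')

class KitParser(HTMLParser):
    '''Collect hidden inputs, form targets and all text (including scripts).'''
    def __init__(self):
        super().__init__()
        self.hidden = {}   # id or name -> value of type=hidden inputs
        self.forms = []    # form action attributes
        self.text = []     # visible text, script bodies and comments
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'input' and (a.get('type') or '').lower() == 'hidden':
            self.hidden[a.get('id') or a.get('name') or '?'] = a.get('value') or ''
        elif tag == 'form':
            self.forms.append(a.get('action') or '')
    def handle_data(self, data):
        self.text.append(data)
    def handle_comment(self, data):
        self.text.append(data)

def is_apple_host(host):
    '''Exact or subdomain match only, so evil-apple.com does not pass.'''
    host = host.lower()
    return any(host == h or host.endswith('.' + h) for h in LEGIT_HOSTS)

def form_target_host(action, page_host):
    '''Host a form posts to; relative actions post back to the page host.'''
    if '://' in action:
        return action.split('://', 1)[1].split('/', 1)[0].lower()
    return page_host.lower()

def find_coordinates(text):
    '''Return (lat, lon) pairs of high-precision decimals, as map lures embed.'''
    for ch in ',:[]();{}':
        text = text.replace(ch, ' ')
    nums = []
    for tok in text.split():
        try:
            value = float(tok)
        except ValueError:
            continue
        if '.' in tok and len(tok.split('.')[1]) >= 5:
            nums.append(value)
    return [(lat, lon) for lat, lon in zip(nums, nums[1:])
            if -90 <= lat <= 90 and -180 <= lon <= 180]

def score_page(html, page_host):
    '''Return the indicators that fired plus a 0-5 score for a fetched page.'''
    p = KitParser()
    p.feed(html)
    raw = ' '.join(p.text)
    blob = raw.lower()
    hidden_blob = ' '.join(p.hidden.values()).lower()
    hits = {
        'kit_signature': any(s in hidden_blob for s in KIT_SIGNATURES),
        'brand_lure': any(w in blob for w in BRAND_WORDS) and not is_apple_host(page_host),
        'coordinates': bool(find_coordinates(raw)),
        'urgency_copy': any(w in blob for w in LURE_PHRASES),
        'offsite_credential_post': any(not is_apple_host(form_target_host(a, page_host))
                                       for a in p.forms),
    }
    hits['score'] = sum(1 for v in hits.values() if v)
    return hits

# Constructed sample page modelled on the lure described in the article.
SAMPLE_HTML = '''<html><head><title>iCloud - Buscar iPhone</title></head>
<body><h2>Dispositivo encontrado</h2>
<p>Seu iPhone foi localizado. Entre agora para ver a localizacao.</p>
<script>var marker = showMarker([-23.5557714, -46.6395571]);</script>
<form method=post action=/login.php>
<input id=AppleAccount type=hidden value=kittropadoarranc_Tropa />
<input name=appleid type=text /><input name=password type=password />
</form></body></html>'''

if __name__ == '__main__':
    print(score_page(SAMPLE_HTML, 'icloudbuscar.net'))
```

<p>The signature check is the cheapest and most precise indicator, but it only catches this one kit; the other four indicators are what make the score useful against re-branded copies, and the host check deliberately refuses suffix matches so that look-alike domains containing the brand do not pass as legitimate.<\/p>
<p>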
While typical phishing pages are designed primarily around login input fields, this case inserts real geographic coordinates to induce cognitive trust in the\u00a0victim.<\/p>\n<p>In particular, the design targets the psychological instability immediately following device theft and exhibits the following characteristics:<\/p>\n<ul>\n<li>Imitation of a legitimate map API structure<\/li>\n<li>Display of coordinate-based location\u00a0markers<\/li>\n<li>Staged \u201cdevice found\u201d messaging<\/li>\n<li>Prompts demanding immediate action<\/li>\n<\/ul>\n<p>By replicating a legitimate interface and embedding precise geographic coordinates, this strategy reinforces a sense of authenticity. In situations where victims are desperate to recover a stolen device, seeing an exact location displayed on a map increases their belief that the device is genuinely being tracked. This heightened urgency significantly raises the likelihood that victims will enter their iCloud credentials, ultimately handing over account access directly to the attackers.<\/p>\n<p>This is not an exploitation of a technical vulnerability, but rather a location-based social engineering strategy designed to manufacture trust.<\/p>\n<h3>Analyzing Malicious Infrastructure with Criminal\u00a0IP<\/h3>\n<figure><img data-opt-id=1084934565  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/600\/0*8MBgwdBxAHAJ4TB7\" \/><\/figure>\n<blockquote><p>Criminal IP Domain Search: <a href=\"https:\/\/search.criminalip.io\/domain\/report\/49159963\">icloudbuscar[.]net<\/a><\/p><\/blockquote>\n<p>The investigation was further expanded to map the digital infrastructure associated with \u201cTropa do Arranca\u201d using Criminal IP. Through Domain Search, multiple malicious domains and their associated IP addresses were identified, all of which carried high risk scores. 
One of the domains uncovered during analysis, <em>icloudbuscar[.]net<\/em>, was rated at a \u201cCritical\u201d risk level and assessed as highly likely to be a phishing\u00a0domain.<\/p>\n<p>In addition to the domain identified above, a total of 10 connected domains were confirmed, including the following examples. Most of these domains were recently registered, indicating that the group is rapidly establishing and operating new infrastructure to sustain its activities.<\/p>\n<ul>\n<li>icloudbrasil[.]net<\/li>\n<li>applerastreio[.]net<\/li>\n<li>rastreioapple[.]net<\/li>\n<li>icloudseguro[.]com<\/li>\n<\/ul>\n<h4>Connected IP Address\u00a0Analysis<\/h4>\n<figure><img data-opt-id=1084934565  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/600\/0*p_4NYqzAhPYMTKeM\" \/><\/figure>\n<p>A specific IP address confirmed to be connected to the group\u2019s infrastructure through Criminal IP Domain Search was further analyzed using Criminal IP Asset\u00a0Search.<\/p>\n<figure><img data-opt-id=1084934565  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/600\/0*vcNPM05JCqSEiVQi\" \/><\/figure>\n<p>Criminal IP Asset Search\u00a0Results:<\/p>\n<ul>\n<li>Inbound Risk Score\u200a\u2014\u200aCritical<\/li>\n<li>Outbound Risk Score\u200a\u2014\u200aDangerous<\/li>\n<\/ul>\n<p>The fact that the Inbound risk score is rated Critical and the Outbound risk score Dangerous indicates that the IP is not merely hosting a phishing page, but is actively involved in malicious inbound traffic and outbound communications. This can be interpreted as a quantitative indicator that the IP is highly likely being used as part of an attack infrastructure. The IP address was confirmed to be located in Russia and was associated with multiple domains. 
The presence of several domains mapped to the same IP suggests that this is not a single phishing site operation, but rather part of a multi-domain campaign infrastructure.<\/p>\n<h3>Risk Mitigation and Actionable Insights<\/h3>\n<p>This case demonstrates a multi-stage attack structure that extends beyond a simple phishing site, combining physical device theft with subsequent digital credential theft. Therefore, proactive measures are required from both users and security\u00a0teams.<\/p>\n<h4>Protective Guidelines for End\u00a0Users<\/h4>\n<ul>\n<li>Do not enter iCloud credentials into links received via SMS, messaging apps, or email after device\u00a0theft.<\/li>\n<li>Access Apple\u2019s official website directly to verify account\u00a0status.<\/li>\n<li>Enable multi-factor authentication and keep recovery email\/phone information up to\u00a0date.<\/li>\n<li>Report stolen devices through official carrier or manufacturer channels.<\/li>\n<\/ul>\n<h4>Strategic Recommendations for Organizations and Security\u00a0Teams<\/h4>\n<ul>\n<li>Continuously monitor newly registered domains containing brand-related keywords such as \u201cApple,\u201d \u201ciCloud,\u201d or \u201crastreio.\u201d<\/li>\n<li>Apply detection policies combining recently registered domains (within 30 days) and high Domain\u00a0Scoring.<\/li>\n<li>Track multi-domain hosting infrastructures based on foreign IP addresses.<\/li>\n<li>Accumulate and analyze phishing kit HTML patterns and obfuscated malicious scripts.<\/li>\n<li>Conduct OSINT monitoring of Telegram-based criminal channels.<\/li>\n<\/ul>\n<p>By implementing these recommendations, organizations can move beyond blocking individual phishing sites and establish a proactive defense system that addresses associated infrastructure. Early identification of newly registered brand-abusing domains and high-risk IP addresses is critical to stopping attacks before victimization occurs. 
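<\/p>
<p>The recommendations on newly registered brand-keyword domains, the 30-day window combined with a high score, and multi-domain hosting on shared IP addresses can be expressed as a small triage routine. The Python below is an added example written for this edit, not code from the original article or from Criminal IP: the registration dates, risk labels and hosting IPs are constructed fixtures (RFC 5737 test addresses rather than real lookups), and the keyword list, the label-to-score mapping and the analysis date are assumptions. It flags brand-themed domains registered inside the window with a score at or above the chosen floor, then groups the hits by hosting IP so shared infrastructure stands out, while aged legitimate domains that happen to contain a brand word drop out.<\/p>

```python
# Added example (not from the original article or from Criminal IP): triage
# newly registered brand-abusing domains and group them by hosting IP.
from collections import defaultdict
from datetime import date

BRAND_KEYWORDS = ('apple', 'icloud', 'rastreio', 'rastrear', 'buscar', 'findmy')
NEW_DOMAIN_DAYS = 30           # the recency window from the recommendations
# Vendor-style risk labels mapped to an ordinal scale (an assumption).
SCORE_THRESHOLDS = {'critical': 3, 'dangerous': 2, 'moderate': 1, 'low': 0, 'safe': 0}
TODAY = date(2026, 3, 8)       # assumed analysis date for the fixtures below

# Constructed sample records: (domain, registration date, risk label, hosting IP).
# Dates, labels and IPs are fixtures, not observed data.
RECORDS = [
    ('icloudbuscar.net',  date(2026, 2, 20), 'critical',  '198.51.100.7'),
    ('icloudbrasil.net',  date(2026, 2, 24), 'critical',  '198.51.100.7'),
    ('applerastreio.net', date(2026, 3, 1),  'dangerous', '198.51.100.7'),
    ('rastreioapple.net', date(2026, 3, 3),  'dangerous', '198.51.100.7'),
    ('icloudseguro.com',  date(2026, 2, 27), 'critical',  '192.0.2.15'),
    ('apple.com',         date(1987, 2, 19), 'safe',      '192.0.2.1'),    # brand owner, aged
    ('rastreio-correios-oficial.com', date(2019, 6, 1), 'low', '192.0.2.40'),  # brand word, aged
]

def brand_keywords_in(domain):
    '''Brand keywords present in the registrable label (the TLD is ignored).'''
    label = domain.lower().split('.')[0]
    return [k for k in BRAND_KEYWORDS if k in label]

def triage(records, today, max_age_days=NEW_DOMAIN_DAYS, min_score='dangerous'):
    '''Flag domains that are brand-themed, recently registered and high-scored.'''
    floor = SCORE_THRESHOLDS[min_score]
    flagged = []
    for domain, registered, risk, ip in records:
        age = (today - registered).days
        kws = brand_keywords_in(domain)
        if kws and age <= max_age_days and SCORE_THRESHOLDS.get(risk, 0) >= floor:
            flagged.append({'domain': domain, 'age_days': age, 'risk': risk,
                            'ip': ip, 'keywords': kws})
    return flagged

def cluster_by_ip(flagged, min_domains=2):
    '''Group flagged domains by hosting IP; several domains on one IP point to shared campaign infrastructure.'''
    by_ip = defaultdict(list)
    for f in flagged:
        by_ip[f['ip']].append(f['domain'])
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}

if __name__ == '__main__':
    hits = triage(RECORDS, TODAY)
    for h in hits:
        print(h['domain'], h['age_days'], h['risk'], h['ip'], h['keywords'])
    for ip, domains in cluster_by_ip(hits).items():
        print('shared infrastructure', ip, domains)
```

<p>Keyword matching alone is noisy (the brand owner and any aged domain that merely contains a brand word match too), which is why the recency window and the score floor are applied together; the IP grouping is what turns a list of individual hits into a block list for the whole hosting cluster rather than one site at a time.<\/p>
<p>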
Continuous external asset monitoring combined with threat intelligence\u2013driven analysis is essential.<\/p>\n<h3>Conclusion<\/h3>\n<p>Although \u201cTropa do Arranca\u201d is not officially classified as a global threat group, the phishing kit and infrastructure patterns identified in this case exhibit clear signs of an organized campaign.<\/p>\n<p>Notable characteristics include:<\/p>\n<ul>\n<li>The combination of physical device theft and digital credential theft<\/li>\n<li>Trust-inducing social engineering using real geographic coordinates<\/li>\n<li>Rapid creation of multiple brand-abusing domains<\/li>\n<li>Multi-domain hosting infrastructure based on foreign IP addresses<\/li>\n<li>Fast domain rotation strategies<\/li>\n<\/ul>\n<p>These findings demonstrate that a single-site blocking approach is insufficient. Instead, organizations must adopt an attack surface management\u2013oriented strategy that continuously monitors externally exposed assets. Newly registered domains and high-risk IP addresses should be identified before an attack occurs, not after victimization.<\/p>\n<p>In relation to this, you can refer to <a href=\"https:\/\/www.criminalip.io\/knowledge-hub\/blog\/32203\">RedNovember and APT40 Activity in the Pacific: Observations by Criminal\u00a0IP<\/a><\/p>\n<p>This article is based on an analysis shared by the Twitter-based threat intelligence specialist, <a href=\"https:\/\/x.com\/akaclandestine\">Clandestine<\/a>.<\/p>\n<hr \/>\n<p><a href=\"https:\/\/osintteam.blog\/mapping-the-digital-network-of-tropa-do-arranca-inside-a-brazilian-phishing-kit-2f4aa5ca87cd\">Mapping the Digital Network of \u201cTropa do Arranca\u201d: Inside a Brazilian Phishing Kit<\/a> was originally published in <a href=\"https:\/\/osintteam.blog\/\">OSINT Team<\/a> 
on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>As cybercrime in Brazil continues to grow in sophistication, a group known as \u201cTropa do Arranca\u201d has emerged as a notable threat actor. The group is reportedly involved in stealing mobile devices and then using phishing kits to extract additional digital assets from victims. In this article, we leverage OSINT (Open Source Intelligence) investigation and &#8230; <a title=\"Mapping the Digital Network of \u201cTropa do Arranca\u201d: Inside a Brazilian Phishing Kit\" class=\"read-more\" href=\"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/08\/mapping-the-digital-network-of-tropa-do-arranca-inside-a-brazilian-phishing-kit\/\" aria-label=\"Read more about Mapping the Digital Network of \u201cTropa do Arranca\u201d: Inside a Brazilian Phishing Kit\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":334,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-333","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/comments?post=333"}],"version-history":[{"count":0,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/333\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-js
on\/wp\/v2\/media\/334"}],"wp:attachment":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media?parent=333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/categories?post=333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/tags?post=333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}