Multilingual BEC attacks and their perpetrators.
Feb 16, 2023

This morning Abnormal Security released their research on multilingual business email compromise attacks and the tactics, techniques, and procedures of some of the threat actors behind this malicious activity.

In a report released today, Abnormal Security detailed multilingual business email compromise (BEC) attacks and profiled two actors, Midnight Hedgehog and Mandarin Capybara, who launch these campaigns in multiple languages concurrently.

Multilingual BEC attacks, and how they happen.

BEC attacks may be somewhat less prevalent than their phishing and identity theft counterparts, Abnormal Security researchers say, but the availability, affordability, and accessibility of software and technology lower the barrier to entry for targeted multiple-language attacks. Such attacks use common online sales and marketing services for malicious purposes. “Using these resources, BEC actors tend to collect target contact information—referred to as ‘leads’—within a certain geographic area, usually a single country or state,” the research states. Google Translate doesn’t hurt either. While it’s not flawless, it is free, and it allows quick translation and turnaround of messages for victims who speak different languages.

Midnight Hedgehog: a purveyor of payment fraud.

Midnight Hedgehog, one example of a multilingual BEC threat actor, has been observed impersonating company executives such as CEOs to employees in hopes of deceiving them into making payments for fake services. Midnight Hedgehog researches the relationship between the targeted employee and the executive the actor is impersonating to make the connection more convincing and believable. “To date, we’ve observed two versions of Midnight Hedgehog’s initial emails written in 11 languages: Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Spanish, and Swedish,” the research discloses. Webmail providers Gmail, Yandex, Earthlink, and, and domains registered with NameCheap or GoDaddy have been observed in use by the group. Researchers say the gang seems to be spread across many locations, including England, Canada, the United States, and Nigeria.

Mandarin Capybara: a payroll diverter.

Mandarin Capybara threat actors share the same starting point as Midnight Hedgehog, company executive impersonation, but the method they use to get the money is different. Rather than directly communicating with an employee to encourage payment for a bogus service, the threat actors target HR professionals with payroll diversions. The threat actors impersonate an executive and ask HR professionals to change the impersonated executive’s direct deposit information to an account belonging to the group. “We’ve observed the group target American and Australian companies in English, Canadian organizations in French, and European companies in eight languages: Dutch, French, German, Italian, Polish, Portuguese, Spanish, and Swedish,” the researchers recounted.