Insights on Cyber Threats Targeting Users and Enterprises in Brazil
2024-06-12 • Google
https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil
Google reports that North Korean government-backed actors have accounted for roughly one third of government-backed phishing activity targeting Brazil since 2020. The DPRK-linked targeting focused on Brazilian government entities and the aerospace, technology, financial services, cryptocurrency, and fintech sectors. PUKCHONG (UNC4899) used social media contact, cryptocurrency job lures, benign PDFs, and a trojanized GitHub-hosted Python app that could retrieve a second-stage payload from attacker-controlled infrastructure. PAEKTUSAN used aerospace recruiter impersonation and malicious DOCX job lures that dropped the C++ AGAMEMNON downloader, while PRONTO used diplomatic phishing themes and fake PDF-viewer credential harvesting. The Brazil activity shows DPRK operators applying familiar cryptocurrency, Dream Job, and diplomatic phishing tradecraft against a rising regional power and its high-value industries.