Hijacked 20+ Brazilian Websites

Overview

Researchers at ANY.RUN have uncovered a large‑scale PhantomEnigma campaign that hijacked more than 20 Brazilian government websites to deliver malware. By exploiting trusted .gov.br domains and authenticated emails, attackers created a stealthy infection chain that put banks and public agencies at risk.

How Trusted Infrastructure Became the Lure

The campaign began with fake police‑themed documents — “Ofício Polícia Civil” or “Procuração Digital” notices — often containing QR codes or links.

  • Emails were sent through compromised mailboxes, passing SPF, DKIM, and DMARC checks, making them appear legitimate.
  • Victims were redirected through compromised government portals or lookalike domains before reaching the malicious installer.
  • Examples of hijacked hosts include:
    • timon.ma.gov.br
    • loginam.sesp.es.gov.br (public security)
    • aplicacao.cbm.mt.gov.br (fire department)
    • prodoc.ap.gov.br

By abusing trusted infrastructure, attackers lowered suspicion and increased infection success rates.

PhantomEnigma’s Evolution

The campaign evolved along two paths:

  • Delivery — shifted from banking‑focused lures in 2025 to compromised government websites and email accounts in 2026.
  • Arsenal — upgraded from a browser‑extension banker to a modular Inno/Node.js backdoor capable of executing JavaScript and delivering additional payloads.

This combination created a visibility gap: trusted infrastructure masked malicious activity, while modular payloads allowed attackers to change tactics after infection.

The Attack Chain

  1. Phishing email — fake police or official document lure.
  2. Trusted infrastructure — redirect through compromised .gov.br host.
  3. Malicious installer — Inno Setup, MSI, or patched Electron app.
  4. Backdoor activation — modular index.js implant collects system data and establishes persistence.
  5. Second‑stage delivery — executes JavaScript or delivers stealers, loaders, RMM tools, and other malware.
  6. Business impact — credential theft, unauthorized access, fraud, and operational disruption.

Backdoor Capabilities

The LabubaRAT‑style backdoor uncovered inside patched applications could:

  • Collect system details (computer name, username, hardware).
  • Establish persistence via login settings.
  • Execute JavaScript directly through eval().
  • Download and launch payloads on demand.
  • Communicate with rotating C2 infrastructure every 180 seconds.

This modular design allowed attackers to swap payloads dynamically, complicating detection and containment.

Defensive Recommendations

For banks and public agencies, PhantomEnigma highlights the danger of trusted infrastructure abuse. CISA‑style guidance applies here:

  • Patch and harden government portals to prevent hijacking.
  • Monitor outbound traffic for browser‑spoofed User‑Agents, WebView2 requests, and high‑entropy DNS queries.
  • Investigate suspicious official‑looking emails beyond initial verdicts.
  • Provide employees safe reporting channels for suspicious messages.
  • Hunt for intrusion artifacts before rotating IIS machine keys or resetting credentials.

Expert in the Cloud Insight

PhantomEnigma demonstrates how attackers weaponize trust itself — hijacking government domains and authenticated emails to bypass suspicion. For defenders, the lesson is urgent: traditional phishing detection is not enough when the lure comes from trusted infrastructure. Behavioral analysis, sandboxing, and continuous threat hunting are now essential to protect financial and public‑sector organizations.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.