Overview
Researchers at ANY.RUN have uncovered a large‑scale PhantomEnigma campaign that hijacked more than 20 Brazilian government websites to deliver malware. By exploiting trusted .gov.br domains and authenticated emails, attackers created a stealthy infection chain that put banks and public agencies at risk.
How Trusted Infrastructure Became the Lure
The campaign began with fake police‑themed documents — “Ofício Polícia Civil” or “Procuração Digital” notices — often containing QR codes or links.
- Emails were sent through compromised mailboxes, passing SPF, DKIM, and DMARC checks, making them appear legitimate.
- Victims were redirected through compromised government portals or lookalike domains before reaching the malicious installer.
- Examples of hijacked hosts include:
- timon.ma.gov.br
- loginam.sesp.es.gov.br (public security)
- aplicacao.cbm.mt.gov.br (fire department)
- prodoc.ap.gov.br
By abusing trusted infrastructure, attackers lowered suspicion and increased infection success rates.
PhantomEnigma’s Evolution
The campaign evolved along two paths:
- Delivery — shifted from banking‑focused lures in 2025 to compromised government websites and email accounts in 2026.
- Arsenal — upgraded from a browser‑extension banker to a modular Inno/Node.js backdoor capable of executing JavaScript and delivering additional payloads.
This combination created a visibility gap: trusted infrastructure masked malicious activity, while modular payloads allowed attackers to change tactics after infection.
The Attack Chain
- Phishing email — fake police or official document lure.
- Trusted infrastructure — redirect through compromised
.gov.brhost. - Malicious installer — Inno Setup, MSI, or patched Electron app.
- Backdoor activation — modular
index.jsimplant collects system data and establishes persistence. - Second‑stage delivery — executes JavaScript or delivers stealers, loaders, RMM tools, and other malware.
- Business impact — credential theft, unauthorized access, fraud, and operational disruption.
Backdoor Capabilities
The LabubaRAT‑style backdoor uncovered inside patched applications could:
- Collect system details (computer name, username, hardware).
- Establish persistence via login settings.
- Execute JavaScript directly through
eval(). - Download and launch payloads on demand.
- Communicate with rotating C2 infrastructure every 180 seconds.
This modular design allowed attackers to swap payloads dynamically, complicating detection and containment.
Defensive Recommendations
For banks and public agencies, PhantomEnigma highlights the danger of trusted infrastructure abuse. CISA‑style guidance applies here:
- Patch and harden government portals to prevent hijacking.
- Monitor outbound traffic for browser‑spoofed User‑Agents, WebView2 requests, and high‑entropy DNS queries.
- Investigate suspicious official‑looking emails beyond initial verdicts.
- Provide employees safe reporting channels for suspicious messages.
- Hunt for intrusion artifacts before rotating IIS machine keys or resetting credentials.
Expert in the Cloud Insight
PhantomEnigma demonstrates how attackers weaponize trust itself — hijacking government domains and authenticated emails to bypass suspicion. For defenders, the lesson is urgent: traditional phishing detection is not enough when the lure comes from trusted infrastructure. Behavioral analysis, sandboxing, and continuous threat hunting are now essential to protect financial and public‑sector organizations.
Leave a Reply