More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign discovered by ANY.RUN, according to The Hacker News.The PhantomEnigma campaign has evolved, shifting from banking-focused attacks in 2025 to leveraging compromised .gov.br websites and authenticated emails in 2026. This strategy allows attackers to use trusted government infrastructure as a lure, bypassing initial security checks. The campaign begins with fake police-themed documents or digital power of attorney notices, some containing QR codes or links to lookalike government resources. Emails are often sent through compromised mailboxes, passing SPF, DKIM, and DMARC authentication, enhancing their legitimacy. Victims are then redirected through compromised government hosts or police-themed domains to a malicious installer. This installer deploys a modular Inno/Node.js backdoor, often hidden within patched legitimate applications like Electron or Boostnote.The backdoor collects system information, establishes persistence, and communicates with rotating command-and-control infrastructure. It can execute JavaScript and download additional payloads, including stealers, loaders, and remote management tools. This modularity makes detection and containment difficult, posing a significant risk to banks and public agencies by enabling credential compromise, unauthorized access, fraud, and data exposure.Source: The Hacker News
Government security
PhantomEnigma campaign hijacks Brazilian government websites for malware delivery

(Adobe Stock)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



