Government security

PhantomEnigma campaign hijacks Brazilian government websites for malware delivery

Privacy concept: pixelated words Malware on digital background, 3d render

More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign discovered by ANY.RUN, according to The Hacker News.

The PhantomEnigma campaign has evolved, shifting from banking-focused attacks in 2025 to leveraging compromised .gov.br websites and authenticated emails in 2026. This strategy allows attackers to use trusted government infrastructure as a lure, bypassing initial security checks. The campaign begins with fake police-themed documents or digital power of attorney notices, some containing QR codes or links to lookalike government resources. Emails are often sent through compromised mailboxes, passing SPF, DKIM, and DMARC authentication, enhancing their legitimacy. Victims are then redirected through compromised government hosts or police-themed domains to a malicious installer. This installer deploys a modular Inno/Node.js backdoor, often hidden within patched legitimate applications like Electron or Boostnote.

The backdoor collects system information, establishes persistence, and communicates with rotating command-and-control infrastructure. It can execute JavaScript and download additional payloads, including stealers, loaders, and remote management tools. This modularity makes detection and containment difficult, posing a significant risk to banks and public agencies by enabling credential compromise, unauthorized access, fraud, and data exposure.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds