Cybersecurity experts from Positive Technologies’ Security Expert Center have uncovered a sophisticated malicious campaign dubbed “Phantom Enigma,” primarily targeting Brazilian residents while also affecting organizations worldwide.
This campaign employs a dual-attack strategy, utilizing malicious browser extensions for Google Chrome, Microsoft Edge, and Brave, alongside Remote Access Tools (RATs) like Mesh Agent and PDQ Connect Agent.
Phantom Enigma Campaign Targets Brazilian Users
The primary objective appears to be the theft of sensitive authentication data, particularly from Banco do Brasil users, through phishing emails disguised as invoices that lure victims into downloading malicious files or clicking on deceptive links.
The technical intricacy of this attack lies in its use of PowerShell and BAT scripts to install extensions that intercept user credentials during login attempts, alongside RATs that enable broader infrastructure compromise.
The attack chain begins with phishing emails, often sent from compromised company servers to increase legitimacy, directing victims to download files from suspicious domains or open malicious attachments in archives.

These files, delivered as BAT scripts, Windows Installers (MSI), or Inno Setup installers, execute a sequence of actions to ensure persistence and evade detection.
For instance, PowerShell scripts disable User Account Control (UAC) by altering registry values and check for virtualization environments to avoid sandbox detection.
They also target the Warsaw Technology service, a security component used by Brazilian banks, to confirm the victim’s location before proceeding.
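The UAC tampering described above leaves a clear trace in endpoint telemetry: a write of 0 to one of the UAC policy values under the HKLM Policies\System key. The following detector is an added example, not code from Positive Technologies or the report; it assumes registry value-set events (for instance Sysmon Event ID 13) have already been flattened into dicts with TargetObject, Details and Image fields, and the sample events are constructed for illustration.

```python
"""Flag registry writes that disable or weaken User Account Control.

Added example (not from the Phantom Enigma report). Input is assumed to be
Sysmon-style "registry value set" events as dicts; sample events below are
constructed, not real telemetry.
"""
import re

# Values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# that govern UAC. Setting any of them to 0 weakens or disables UAC.
UAC_POLICY_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {
    "EnableLUA": "UAC disabled entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate without a prompt",
    "PromptOnSecureDesktop": "elevation prompts moved off the secure desktop",
}

# Sysmon renders DWORD data as e.g. "DWORD (0x00000000)"
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def dword_value(details):
    """Return the integer value of a Sysmon DWORD 'Details' string, or None."""
    m = _DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def flag_uac_tampering(events):
    """Return one finding per event that writes 0 to a UAC policy value."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:  # Sysmon RegistryEvent (Value Set)
            continue
        key, _, value_name = ev.get("TargetObject", "").rpartition("\\")
        if value_name not in UAC_VALUES:
            continue
        if not key.upper().endswith(UAC_POLICY_KEY.upper()):
            continue
        if dword_value(ev.get("Details", "")) != 0:
            continue
        findings.append({
            "value": value_name,
            "effect": UAC_VALUES[value_name],
            "image": ev.get("Image", "?"),
            "time": ev.get("UtcTime", "?"),
        })
    return findings


# Constructed sample events (illustrative, not telemetry from the campaign).
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2025-01-01 10:00:00",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2025-01-01 10:00:01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    # Benign: an administrator re-enabling UAC (value 1) should not fire
    {"EventID": 13, "UtcTime": "2025-01-01 11:00:00",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    # Benign: a zero written to an unrelated value under another key
    {"EventID": 13, "UtcTime": "2025-01-01 11:05:00",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in flag_uac_tampering(SAMPLE_EVENTS):
        print(f"{f['time']} {f['image']} set {f['value']}=0 -> {f['effect']}")
```

Matching on the value name alone would also catch writes to unrelated keys that happen to reuse the name, which is why the parent key is checked as well; restricting to writes of 0 keeps an administrator turning UAC back on from producing noise.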

Global Impact and Infrastructure
Once installed, the malicious extensions, identified by identifiers like “nplfchpahihleeejpjmodggckakhglee,” harvest login data and transmit it to command-and-control (C2) servers such as financial-executive.com and clientepj.com.
Simultaneously, RATs like Mesh Agent connect to servers like mesh.computadorpj.com, allowing attackers to spread across infected networks, compromising entire organizational infrastructures.
Further investigation revealed an open directory on the attackers’ servers, exposing auxiliary scripts and victim data, including a list of 70 unique compromised companies whose servers were used to distribute phishing emails.
The extensions were downloaded over 722 times from the Chrome Web Store before being removed, affecting users not only in Brazil but also in Colombia, the Czech Republic, Mexico, Russia, Vietnam, and beyond.
Network analysis identified multiple malicious domains and IP addresses, such as 142.54.185.178 and computadorpj.com, linked through TLS certificates and metadata from installer files.
The use of German and Portuguese variable names in the code hints at the attackers’ potential origins or borrowed codebases, adding a layer of mystery to their identity.
This campaign’s blend of browser-based espionage and RAT-driven network infiltration underscores a growing trend of multi-vector attacks aimed at maximizing victim reach and data theft.
Positive Technologies continues to monitor this threat, warning of potential large-scale attacks in the future and urging users to scrutinize email attachments and monitor browser extensions for unusual behavior.
Indicators of Compromise (IOCs)
Type | Indicator
---|---
IP Address | 18.231.162.77, 107.174.231.26, 142.54.185.178, 54.207.88.51
Domain | atual2025.com, clientepj.com, computadorpj.com, financial-executive.com
Browser Extension ID | nplfchpahihleeejpjmodggckakhglee, ckkjdiimhlanonhceggkfjlmjnenpmfm
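A practical way to use this table is to sweep two sources: DNS or proxy logs for the C2 domains (including subdomains such as the mesh.computadorpj.com host mentioned above) and the listed IPs, and the Chromium profile preferences of Chrome, Edge and Brave for the extension IDs. The script below is an added example, not code from the report; the IOC values are the ones in the table, while the log lines, the "timestamp client qname [answer]" log layout and the Preferences fragment are constructed assumptions for illustration.

```python
"""Sweep DNS logs and Chromium extension inventories for Phantom Enigma IOCs.

Added example (not from the Positive Technologies report). IOC values are
taken from the table above; sample log lines and the Preferences JSON are
constructed, and the log layout is an assumed "<ts> <client> <qname> [<answer>]".
"""
import ipaddress
import json

IOC_IPS = {"18.231.162.77", "107.174.231.26", "142.54.185.178", "54.207.88.51"}
IOC_DOMAINS = {"atual2025.com", "clientepj.com", "computadorpj.com",
               "financial-executive.com"}
IOC_EXTENSION_IDS = {"nplfchpahihleeejpjmodggckakhglee",
                     "ckkjdiimhlanonhceggkfjlmjnenpmfm"}


def domain_matches(qname):
    """Return the IOC domain that qname equals or is a subdomain of, else None."""
    qname = qname.rstrip(".").lower()
    for d in IOC_DOMAINS:
        if qname == d or qname.endswith("." + d):
            return d
    return None


def scan_dns_log(lines):
    """Return (ts, client, qname, ioc) for each query that names an IOC domain
    or whose answer is an IOC IP. Lines that do not fit the layout are skipped."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[:3]
        answer = parts[3] if len(parts) > 3 else None
        ioc = domain_matches(qname)
        if ioc is None and answer:
            try:
                # Normalise so "054.207.088.051"-style variants still match
                if str(ipaddress.ip_address(answer)) in IOC_IPS:
                    ioc = answer
            except ValueError:
                pass  # answer was not an IP literal (e.g. a CNAME)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits


def extension_ids_from_preferences(pref_text):
    """Extract installed extension IDs from a Chromium 'Preferences' or
    'Secure Preferences' file, which keys them under extensions.settings.<id>."""
    prefs = json.loads(pref_text)
    return set(prefs.get("extensions", {}).get("settings", {}).keys())


def scan_extensions(pref_text):
    """Return the sorted list of installed extension IDs that are IOCs."""
    return sorted(extension_ids_from_preferences(pref_text) & IOC_EXTENSION_IDS)


# Constructed sample DNS log (not real traffic).
SAMPLE_DNS_LOG = [
    "2025-01-01T10:00:00Z 10.0.0.5 mesh.computadorpj.com 142.54.185.178",
    "2025-01-01T10:00:01Z 10.0.0.5 www.example.com 93.184.216.34",
    "2025-01-01T10:00:02Z 10.0.0.7 cdn.example.net 54.207.88.51",
    "2025-01-01T10:00:03Z 10.0.0.9 financial-executive.com.",
    "malformed line",
]

# Constructed Preferences fragment: one IOC extension plus one unrelated ID.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {"settings": {
        "nplfchpahihleeejpjmodggckakhglee": {"name": "constructed-sample"},
        "aapocclcgogkmnckokdopfmhonfmgoek": {"name": "constructed-benign"},
    }}
})

if __name__ == "__main__":
    for ts, client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} {qname} -> IOC {ioc}")
    for ext_id in scan_extensions(SAMPLE_PREFERENCES):
        print(f"malicious extension installed: {ext_id}")
```

On Windows the extension settings live in the profile's Secure Preferences file rather than Preferences, so a sweep should read both; the suffix match in domain_matches is what catches hosts like mesh.computadorpj.com that the table lists only by their parent domain.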