PhantomEnigma Campaign Hijacks Brazilian Government Websites for Malware Distribution
Over 20 Brazilian government websites were compromised and weaponized by the PhantomEnigma threat actor to distribute malware, leveraging trusted infrastructure to evade detection.

Researchers have uncovered a sophisticated and evolving cyber campaign, dubbed PhantomEnigma, that has compromised over 20 Brazilian government websites, transforming them into channels for distributing malware. The operation, detailed by ANY.RUN, highlights a concerning trend of threat actors exploiting trusted government infrastructure to lure victims and deploy malicious payloads.
The campaign initially lures victims with deceptive, police-themed documents presented as official notices, such as "Ofício Polícia Civil" or "Procuração Digital." These documents either contain QR codes or direct users to links that mimic legitimate government resources. In a particularly insidious tactic, some phishing emails were sent through already compromised government mailboxes, successfully passing SPF, DKIM, and DMARC authentication checks, thereby appearing highly legitimate and bypassing standard email security filters.
Victims who clicked on these links were then redirected through compromised .gov.br hosts or meticulously crafted police-themed lookalike domains before reaching the malicious installer. This strategy effectively uses government systems as a trusted intermediary for delivery, rather than as the ultimate target. Among the compromised government portals identified were timon.ma.gov[.]br, loginam.sesp.es.gov[.]br, and aplicacao.cbm.mt.gov[.]br, with several appearing across multiple attack vectors, aiding researchers in connecting disparate activity.
PhantomEnigma has demonstrated a notable evolution in its tactics. While previously focused on banking-related threats in 2025, the campaign shifted in 2026 to leverage compromised .gov.br websites and email accounts, providing a more trusted delivery route without necessarily indicating a new target demographic. Concurrently, its malware arsenal has transformed from a simple browser-extension banker into a modular Inno/Node.js backdoor.
This evolved backdoor is capable of executing JavaScript and delivering additional payloads, making detection and containment significantly more challenging. The modular design allows attackers to alter the final payload without rebuilding the entire infection chain. This means a system infected by the same initial installer could later receive a stealer, loader, remote management tool, or other malware, complicating security efforts.
The infection chain begins with the phishing email, progresses through the trusted infrastructure redirection, and culminates in the execution of a malicious installer. This installer often contains a patched Electron application that loads a malicious index.js backdoor. Once active, this backdoor collects system data, establishes persistence, and communicates with rotating command-and-control (C2) infrastructure.
Once activated, the backdoor can collect victim system details, create a persistent machine ID, establish persistence via login settings, and check for new commands every 180 seconds. It can execute JavaScript directly, download and launch executable payloads, and communicate using multiple beacon formats across dynamic infrastructure. This flexibility allows attackers to adapt their objectives post-infection.
The PhantomEnigma campaign serves as a stark warning, particularly for banks and public sector organizations. By weaponizing trusted infrastructure, attackers can significantly lower victim suspicion. The ability to deploy modular payloads means that a single initial compromise can lead to diverse malicious outcomes, ranging from credential theft and unauthorized access to data exposure and operational disruption, underscoring the need for robust behavioral analysis and continuous threat hunting.