Full Report
More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions. The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign
Analysis Summary
# Incident Report: PhantomEnigma Campaign Targeting Brazilian Government Infrastructure
## Executive Summary
The PhantomEnigma campaign hijacked over 20 Brazilian government (.gov.br) websites and compromised official email accounts to distribute a modular Node.js backdoor. By leveraging trusted infrastructure and bypassing email authentication (SPF/DKIM), the attackers effectively distributed malware disguised as official police and judicial documents. The campaign represents a significant evolution from banking-focused fraud to a sophisticated multi-stage infection chain capable of credential theft and remote system control.
## Incident Details
- **Discovery Date:** July 16, 2026 (Public disclosure)
- **Incident Date:** Continuous; evolved from 2025 activity into a major 2026 campaign.
- **Affected Organization:** Over 20 Brazilian public agencies (Municipal, Public Security, and Judicial portals).
- **Sector:** Government / Public Sector
- **Geography:** Brazil
## Timeline of Events
### Initial Access
- **Date/Time:** 2026 (Active Campaign)
- **Vector:** Phishing via compromised mailboxes and hijacked website redirects.
- **Details:** Attackers sent "official" police-themed notices (e.g., “Ofício Polícia Civil”) containing QR codes or malicious links. Emails passed SPF, DKIM, and DMARC checks because they originated from compromised legitimate accounts.
### Lateral Movement
- **Details:** The campaign leveraged compromised .gov.br hosts (e.g., timon.ma.gov[.]br, prodoc.ap.gov[.]br) as hops in the delivery chain to host malicious installers and redirect traffic, using the inherent trust of government domains to bypass security filters.
### Data Exfiltration/Impact
- **Details:** The ultimate goal included banking fraud, credential theft, and full system takeover. The modular backdoor allowed for the delivery of second-stage payloads such as stealers, loaders, and Remote Monitoring and Management (RMM) software.
### Detection & Response
- **Discovery:** Uncovered by ANY.RUN researchers through behavioral analysis of hundreds of seemingly unrelated sandbox sessions.
- **Response:** Investigation linked multiple "attack arms" through shared infrastructure and common compromised government hosts.
## Attack Methodology
- **Initial Access:** Phishing (official lures) and use of hijacked trusted government domains.
- **Persistence:** Inno Setup/MSI installers; patching legitimate Electron applications (e.g., Boostnote) to load malicious `index.js`.
- **Defense Evasion:** Use of legitimate .gov.br links; authenticated emails; modular payloads; rotating C2 domains to evade static blocklists.
- **Discovery:** Backdoor collects system data upon activation.
- **Lateral Movement:** Specifically uses trusted municipal and security portals to pivot delivery to new victims.
- **Collection:** System information and potentially banking/credential data.
- **Exfiltration:** Communication with rotating C2 infrastructure via a Node.js backdoor.
- **Impact:** Fraud, data exposure, and operational disruption of public agencies and banks.
## Impact Assessment
- **Financial:** High risk to banking institutions and citizens due to the malware's evolution from a banking trojan.
- **Data Breach:** Exposure of system metadata; potential for mass credential theft.
- **Operational:** Disruption of over 20 government portals used for public services.
- **Reputational:** Significant damage to the perceived security and trustworthiness of the .gov.br domain extension.
## Indicators of Compromise (Defanged)
- **Network Indicators:**
- timon.ma.gov[.]br
- loginam.sesp.es.gov[.]br
- aplicacao.cbm.mt.gov[.]br
- prodoc.ap.gov[.]br
- **File Indicators:**
- `index.js` (Malicious backdoor script)
- Patched Boostnote application
- "Ofício Polícia Civil" lures (PDF/DOCX)
- **Behavioral Indicators:**
- Legitimate Electron applications spawning suspicious JavaScript processes.
- Official government emails containing redirects to unofficial "police-themed" lookalike domains.
## Response Actions
- **Containment:** Identification of compromised government hosts to facilitate cleanup by Brazilian authorities.
- **Eradication:** Analysis of C2 rotation patterns to assist in network-level blocking.
- **Recovery:** Public disclosure of the infection chain to alert banks and public agencies.
## Lessons Learned
- **Email Authenticity is not Integrity:** Messages passing SPF/DKIM/DMARC can still be malicious if the sender's account is compromised.
- **Domain Trust Exploitation:** Threat actors are increasingly using the "reputation" of government domains to bypass automated URL filters.
- **Static Defenses are Insufficient:** Rotating C2s and modular payloads require behavioral analysis and continuous threat hunting.
## Recommendations
1. **Implement Zero Trust for Downloads:** Even if a link originates from a .gov domain, treat executable downloads with high suspicion.
2. **Enhanced Endpoint Monitoring:** Monitor Electron-based applications for unauthorized changes to their `index.js` or unexpected network connections.
3. **Institutional Cleanup:** Government agencies should audit all public-facing portals for unauthorized redirects or hosted files.
4. **User Training:** Educate employees to verify "police" or "official" notices via independent channels before clicking links or scanning QR codes.