Over 20 Brazilian Government Websites Hijacked in PhantomEnigma Malware Campaign

A recent investigation has uncovered that more than 20 Brazilian government websites have been compromised and repurposed to distribute malware as part of the ongoing PhantomEnigma campaign. This operation poses significant risks to both public agencies and financial institutions.

The attackers initiated their scheme by sending fraudulent emails that appeared to be official communications from law enforcement agencies. These emails, often titled “Ofício Polícia Civil” or “Procuração Digital,” included QR codes or links that seemed to direct recipients to legitimate government resources. In some instances, the emails were dispatched from compromised government email accounts, allowing them to pass authentication checks such as SPF, DKIM, and DMARC. This lent an air of credibility to the malicious messages, making them more convincing to recipients.

Upon interacting with the links or QR codes, victims were redirected through compromised .gov.br domains or domains mimicking police websites before ultimately reaching the malicious payload. Notable compromised government domains used in this redirection process included timon.ma.gov.br, loginam.sesp.es.gov.br, aplicacao.cbm.mt.gov.br, and prodoc.ap.gov.br. These legitimate municipal and public security portals were exploited at various stages of the malware delivery chain, serving as trusted conduits to deceive victims.

The PhantomEnigma campaign has evolved significantly over time. Initially, in 2025, the operation focused on banking-related activities. By 2026, the attackers had shifted to leveraging compromised government websites and email accounts to enhance the trustworthiness of their attacks. Concurrently, the malware itself has transformed from a simple browser-extension banker into a more sophisticated modular backdoor built with Inno Setup and Node.js. This advanced malware is capable of executing JavaScript and delivering additional payloads, increasing its versatility and effectiveness.

The attack chain employed by PhantomEnigma is multifaceted:

  1. A phishing email, disguised as an official document or police notice, is sent to the target.

  2. The email contains a link or QR code that redirects the victim through a compromised government website or a domain designed to mimic a police website.

  3. The victim is then led to download and execute a malicious installer, initiating the malware infection.

This method of using trusted government infrastructure as a delivery mechanism makes the campaign particularly insidious. It underscores the importance of continuous monitoring and behavioral analysis in cybersecurity, as traditional static defenses may be insufficient against such evolving threats.

The PhantomEnigma campaign highlights the critical need for robust cybersecurity measures within government institutions. The exploitation of trusted government domains not only facilitates the spread of malware but also erodes public trust in official digital communications. To mitigate such risks, it is imperative for organizations to implement comprehensive security protocols, conduct regular audits of their digital assets, and educate employees and the public about recognizing and responding to phishing attempts.