20+ Hijacked Government Websites Became an Attack Channel
20+ Brazilian government websites hijacked as malware delivery channels in PhantomEnigma campaign.
Summary
Researchers at ANY.RUN uncovered an active PhantomEnigma campaign that compromised over 20 Brazilian government websites (.gov.br) to distribute malware and conduct phishing attacks. The campaign evolved from banking-focused attacks in 2025 to abusing trusted government infrastructure in 2026, using fake police-themed documents and hijacked email accounts that passed authentication checks. The malware evolved from a browser-extension banker to a modular Inno/Node.js backdoor capable of executing JavaScript and delivering additional payloads, targeting banks and public agencies.
Full text
20+ Hijacked Government Websites Became an Attack Channel The Hacker NewsJul 16, 2026Malware / Endpoint Security More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions. The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign putting banks and public agencies at risk. By connecting hundreds of seemingly unrelated sandbox sessions, ANY.RUN researchers exposed the operation’s broader scope and showed how trusted .gov.br links and authenticated emails helped the activity remain hidden. For the complete technical analysis, infrastructure details, indicators, and detection guidance, read the full PhantomEnigma investigation report Trusted Government Infrastructure Became the Lure The attack began with fake police-themed documents presented as official “Ofício Polícia Civil” or “Procuração Digital” notices. Some contained QR codes, while others directed recipients to links designed to look like legitimate government resources. Fake police-themed document analyzed inside ANY.RUN sandbox for full visibility into PhantomEnigma attack In several cases, the emails were sent through compromised mailboxes and passed SPF, DKIM, and DMARC checks. That gave the messages a stronger appearance of legitimacy than ordinary spoofed phishing emails. Victims were then redirected through compromised .gov.br hosts or police-themed lookalike domains before reaching the malicious installer. The government systems were used as trusted delivery infrastructure, not necessarily as the final targets of the campaign. Observed Government Hosts Among the compromised systems observed during the investigation were timon.ma.gov[.]br, loginam.sesp.es.gov[.]br (state public security), aplicacao.cbm.mt.gov[.]br (fire department), prodoc.ap.gov[.]br, and others. TI Lookup query that involves compromised government hosts These legitimate municipal, public-security, and judicial portals were used at different stages of the delivery chain. Several also appeared across more than one PhantomEnigma attack arm, helping researchers connect activity that initially looked unrelated. PhantomEnigma’s Evolution: Two Paths to Harder Detection Timeline of PhantomEnigma’s malisious activity The timeline shows one operation evolving along two main paths: Delivery: PhantomEnigma moved from banking-focused activity in 2025 to abusing compromised .gov.br websites and email accounts in 2026. This gave the campaign a more trusted route to victims without confirming a new target group. Arsenal: The malware evolved from a browser-extension banker into a modular Inno/Node.js backdoor capable of executing JavaScript and delivering additional payloads. For security teams, this combination creates a serious visibility gap. Trusted infrastructure reduces suspicion, modular payloads can change after infection, and rotating C2 domains quickly make static blocklists outdated. Behavioral analysis and continuous threat hunting provide more reliable coverage as the campaign evolves. From Trusted Email to Full Compromise: The PhantomEnigma Attack Chain The analysis process of PhantomEnigma inside interactive sandbox Once a victim engaged with the lure, the campaign moved through a multi-stage infection chain: Phishing email: A fake police-themed or official-document lure reaches the victim. Trusted infrastructure: The link redirects through a compromised government host or police-themed lookalike domain. Malicious installer: An Inno Setup, MSI, or another installer starts the infection. Patched Electron application: Legitimate software loads a malicious index.js backdoor. Backdoor activation: The malware collects system data, establishes persistence, and connects to rotating C2 infrastructure. Second-stage delivery: The backdoor executes JavaScript or delivers stealers, loaders, RMM software, and other malware. Business impact: The infection can lead to credential compromise, unauthorized access, fraud, data exposure, and operational disruption. What Researchers Found Inside PhantomEnigma’s Backdoor The sandbox sessions exposed more than a simple downloader. Hidden inside a patched Boostnote and other applications was a modular index.js backdoor built to identify infected machines, maintain access, and deliver different payloads on demand. Once activated, the backdoor could: Collect the victim’s computer name, username, and system details Create a persistent machine ID and read a campaign tag stored beside the installer Establish persistence through login settings Check for new commands every 180 seconds Execute JavaScript directly through eval() Download and launch executable payloads Communicate through multiple beacon formats across rotating infrastructure This modular design allows the operator to change the final payload without rebuilding the entire infection chain. A system initially exposed to the same installer could later receive a stealer, loader, remote management tool, or another executable, making both detection and containment more difficult. A Warning for Banks and Public Agencies PhantomEnigma shows how attackers can turn trusted infrastructure into a detection advantage. A legitimate government domain, authenticated email, or clean file verdict may lower suspicion even when the infection chain is already active. For banks and public-sector organizations, the risk extends beyond one compromised endpoint. Stolen credentials and persistent backdoor access can expose internal systems, sensitive data, and financial operations, while fragmented alerts delay containment. Security teams should give employees a safe way to report suspicious official-looking messages and investigate them beyond the initial verdict. Catching the trusted lure early can prevent credential theft, additional payload delivery, and a wider operational incident. Get PhantomEnigma IOCs, infrastructure findings, and detection guidance to strengthen threat hunting and response. Access Full Report Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE Backdoor, banking security, Credential Theft, Cybercrime, email security, endpoint security, Government security, Malware, Phishing, Website Security ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Di
Indicators of Compromise
- domain — timon.ma.gov.br
- domain — loginam.sesp.es.gov.br
- domain — aplicacao.cbm.mt.gov.br
- domain — prodoc.ap.gov.br
- malware — PhantomEnigma