More than 20 Brazilian government websites were hijacked as part of an active PhantomEnigma campaign, presenting significant risks to banks and public agencies. The attacks utilized spoofed emails and compromised government domains, allowing malware to be delivered under the guise of trusted infrastructure.
ANY.RUN uncovered that over 20 Brazilian government websites were hijacked and turned into channels for malware delivery in an active campaign linked to PhantomEnigma. This alarming discovery highlights the increasing risks posed to sensitive entities such as banks and public agencies.
The attackers utilized fake police-themed documents, including 'Ofício Polícia Civil' notices and 'Procuração Digital' notices, to deceive victims. Some of these documents contained QR codes while others included links that mimicked legitimate government resources.
Emails were sent from compromised mailboxes and successfully passed SPF, DKIM, and DMARC checks. This allowed them to appear more legitimate than typical phishing emails, increasing the chances of victim engagement.
Compromised systems included several government portals such as timon.ma.gov.br and loginam.sesp.es.gov.br. These sites facilitated the delivery of malware rather than being the final targets of the attacks, leveraging their trusted status for undetected access.
The PhantomEnigma campaign exhibited an evolution in its approach, transitioning from banking-focused activities to exploitation of established government infrastructure. This evolution presents a better delivery mechanism without the need for identifying new target groups.
✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors — check the original sources. How BrevFeed works →
More than 20 Brazilian government websites were hijacked as part of an active PhantomEnigma campaign, presenting significant risks to banks and public agencies. The attacks utilized spoofed emails and compromised government domains, allowing malware to be delivered under the guise of trusted infrastructure.