20+ Hijacked Government Websites Became
an Attack Channel

The Hacker NewsJul 16, 2026Malware / Endpoint Security

More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.

20+ Hijacked Government Websites Became
an Attack Channel

20+ Hijacked Government Websites Became
an Attack Channel

The Hacker NewsJul 16, 2026Malware / Endpoint Security

20+ Hijacked Government Websites Became
an Attack Channel

More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions.

The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign putting banks and public agencies at risk.

By connecting hundreds of seemingly unrelated sandbox sessions, ANY.RUN researchers exposed the operation’s broader scope and showed how trusted .gov.br links and authenticated emails helped the activity remain hidden.

For the complete technical analysis, infrastructure details, indicators, and detection guidance, read the full PhantomEnigma investigation report

Trusted Government Infrastructure Became the Lure

The attack began with fake police-themed documents presented as official “Ofício Polícia Civil” or “Procuração Digital” notices. Some contained QR codes, while others directed recipients to links designed to look like legitimate government resources.

Fake police-themed document analyzed inside ANY.RUN sandbox for full visibility into PhantomEnigma attack

In several cases, the emails were sent through compromised mailboxes and passed SPF, DKIM, and DMARC checks. That gave the messages a stronger appearance of legitimacy than ordinary spoofed phishing emails.

Victims were then redirected through compromised .gov.br hosts or police-themed lookalike domains before reaching the malicious installer. The government systems were used as trusted delivery infrastructure, not necessarily as the final targets of the campaign.

Observed Government Hosts

Among the compromised systems observed during the investigation were timon.ma.gov[.]br, loginam.sesp.es.gov[.]br (state public security), aplicacao.cbm.mt.gov[.]br (fire department), prodoc.ap.gov[.]br, and others.

TI Lookup query that involves compromised government hosts

These legitimate municipal, public-security, and judicial portals were used at different stages of the delivery chain. Several also appeared across more than one PhantomEnigma attack arm, helping researchers connect activity that initially looked unrelated.

PhantomEnigma’s Evolution: Two Paths to Harder Detection

Timeline of PhantomEnigma’s malisious activity

The timeline shows one operation evolving along two main paths:

Delivery: PhantomEnigma moved from banking-focused activity in 2025 to abusing compromised .gov.br websites and email accounts in 2026. This gave the campaign a more trusted route to victims without confirming a new target group.

Arsenal: The malware evolved from a browser-extension banker into a modular Inno/Node.js backdoor capable of executing JavaScript and delivering additional payloads.

For security teams, this combination creates a serious visibility gap. Trusted infrastructure reduces suspicion, modular payloads can change after infection, and rotating C2 domains quickly make static blocklists outdated. Behavioral analysis and continuous threat hunting provide more reliable coverage as the campaign evolves.

From Trusted Email to Full Compromise: The PhantomEnigma Attack Chain

The analysis process of PhantomEnigma inside interactive sandbox

Once a victim engaged with the lure, the campaign moved through a multi-stage infection chain:

  1. Phishing email: A fake police-themed or official-document lure reaches the victim.
  2. Trusted infrastructure: The link redirects through a compromised government host or police-themed lookalike domain.
  3. Malicious installer: An Inno Setup, MSI, or another installer starts the infection.
  4. Patched Electron application: Legitimate software loads a malicious index.js backdoor.
  5. Backdoor activation: The malware collects system data, establishes persistence, and connects to rotating C2 infrastructure.
  6. Second-stage delivery: The backdoor executes JavaScript or delivers stealers, loaders, RMM software, and other malware.
  7. Business impact: The infection can lead to credential compromise, unauthorized access, fraud, data exposure, and operational disruption.

What Researchers Found Inside PhantomEnigma’s Backdoor

The sandbox sessions exposed more than a simple downloader. Hidden inside a patched Boostnote and other applications was a modular index.js backdoor built to identify infected machines, maintain access, and deliver different payloads on demand.

Once activated, the backdoor could:

  • Collect the victim’s computer name, username, and system details
  • Create a persistent machine ID and read a campaign tag stored beside the installer
  • Establish persistence through login settings
  • Check for new commands every 180 seconds
  • Execute JavaScript directly through eval()
  • Download and launch executable payloads
  • Communicate through multiple beacon formats across rotating infrastructure

This modular design allows the operator to change the final payload without rebuilding the entire infection chain. A system initially exposed to the same installer could later receive a stealer, loader, remote management tool, or another executable, making both detection and containment more difficult.

A Warning for Banks and Public Agencies

PhantomEnigma shows how attackers can turn trusted infrastructure into a detection advantage. A legitimate government domain, authenticated email, or clean file verdict may lower suspicion even when the infection chain is already active.

For banks and public-sector organizations, the risk extends beyond one compromised endpoint. Stolen credentials and persistent backdoor access can expose internal systems, sensitive data, and financial operations, while fragmented alerts delay containment.

Security teams should give employees a safe way to report suspicious official-looking messages and investigate them beyond the initial verdict. Catching the trusted lure early can prevent credential theft, additional payload delivery, and a wider operational incident.

Get PhantomEnigma IOCs, infrastructure findings, and detection guidance to strengthen threat hunting and response.

Access Full Report

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

About Author

What do you feel about this?

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.