Skip to main content
Emerging ThreatsMalware & Ransomware

PhantomEnigma Campaign Exploits Hijacked Government Sites

Government building interior with laptop showing a website, hinting at vulnerability.

More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign, according to an investigation by ANY.RUN.

PhantomEnigma: a multi-arm operation revealed

ANY.RUN’s analysis connected hundreds of sandbox sessions and showed that PhantomEnigma is not a single, simple downloader but a multi-stage, multi-arm operation. The investigation exposed previously undocumented backdoor behavior, hidden infrastructure relationships, and a campaign architecture that repurposes trusted government infrastructure as a delivery mechanism. That reuse of trusted links and authenticated email accounts helped the activity remain concealed inside otherwise normal traffic.

Compromised .gov.br hosts and police-themed lures

The attackers began with police-themed document lures — files labeled as “Ofício Polícia Civil” or “Procuração Digital,” some embedding QR codes and some pointing to links that mimicked legitimate government resources. In several cases emails were sent from compromised mailboxes and passed SPF, DKIM, and DMARC checks, giving recipients an elevated appearance of legitimacy compared with ordinary spoofed phishing.

Victims were redirected through compromised municipal, public-security, and judicial portals before reaching the malicious installer. Observed hosts included timon.ma.gov[.]br, loginam.sesp.es.gov[.]br (state public security), aplicacao.cbm.mt.gov[.]br (fire department), prodoc.ap.gov[.]br and others. Several of these legitimate portals appeared across more than one PhantomEnigma attack arm, allowing researchers to link activity that at first looked unrelated.

Infection chain and the modular index.js backdoor

ANY.RUN documented a consistent infection chain that moves from trusted email to full compromise:

  • Phishing email carrying a police-themed or official-document lure;
  • Redirection through a compromised government host or a police-themed lookalike domain;
  • Malicious installer delivered as an Inno Setup, MSI, or similar package;
  • A patched Electron application (for example, Boostnote) loading a malicious index.js backdoor;
  • Backdoor activation: collection of system data, persistence, and connection to rotating C2 infrastructure;
  • Second-stage delivery where the backdoor executes JavaScript or installs stealers, loaders, RMM software, or other payloads;
  • Business-impact outcomes including credential compromise, unauthorized access, fraud, data exposure, and operational disruption.

Inside patched Boostnote and other legitimate applications, researchers found a modular index.js backdoor designed to identify infected hosts, maintain access, and deliver follow-on payloads on demand. That backdoor can collect computer name, username, and system details; create a persistent machine ID and read a campaign tag stored beside the installer; establish persistence through login settings; check for new commands every 180 seconds; execute JavaScript via eval(); download and launch executable payloads; and communicate using multiple beacon formats across rotating infrastructure.

PhantomEnigma’s evolution: delivery and arsenal

ANY.RUN traces PhantomEnigma along two converging evolutions. On the delivery side, the operation moved from banking-focused activity in 2025 to active abuse of compromised .gov.br websites and email accounts in 2026, giving attackers a trusted route to victims without confirming a new target vertical. On the technical side, the malware shifted from a browser-extension banker to a modular Inno/Node.js backdoor capable of executing JavaScript and pushing a variety of second-stage payloads.

That combination — trusted infrastructure to lower suspicion, modular payloads that can change after infection, and rotating C2 domains that negate static blocklists — creates a significant visibility gap, the report warns.

What this means for banks, public agencies, and security teams

  • Banks: Stolen credentials and persistent backdoor access can expose internal systems and financial operations to fraud and unauthorized access; a single trusted lure can seed later, more damaging payloads.
  • Public agencies: Municipal, public-security, and judicial portals are being weaponized as delivery infrastructure; agencies whose systems are used in the chain face reputational and operational risks even if they are not the final targets.
  • Security teams: ANY.RUN advises moving beyond static indicators. Behavioral analysis and continuous threat hunting are cited as more reliable coverage than static blocklists; teams should also give employees a safe way to report suspicious official-looking messages and investigate messages beyond their initial verdict.

The PhantomEnigma investigation underscores a simple, uncomfortable point: authentication checks and familiar domains can be weaponized. Catching the trusted lure early — before a patched Electron app loads a modular index.js backdoor — is the single hinge that can prevent credential theft, additional payload delivery, and a wider operational incident.

Read the full PhantomEnigma analysis, including IOCs, infrastructure findings, and detection guidance, at the original report: https://thehackernews.com/2026/07/20-hijacked-government-websites.html