The Hacker News

Top story

20+ Hijacked Government Websites Became
an Attack Channel

More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions. The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign

Jul 16, 2026, 11:58 AMBy info@thehackernews.com (The Hacker News)3 min readpolitics
20+ Hijacked Government Websites Became
an Attack Channel

More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY. RUN , a leading provider of interactive malware analysis and threat intelligence solutions.

The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign putting banks and public agencies at risk.

For the complete technical analysis, infrastructure details, indicators, and detection guidance, read the full PhantomEnigma investigation report The attack began with fake police-themed documents presented as official “Ofício Polícia Civil” or “Procuração Digital” notices.

Some contained QR codes, while others directed recipients to links designed to look like legitimate government resources. In several cases, the emails were sent through compromised mailboxes and passed SPF, DKIM, and DMARC checks.

That gave the messages a stronger appearance of legitimacy than ordinary spoofed phishing emails. Victims were then redirected through compromised . gov. br hosts or police-themed lookalike domains before reaching the malicious installer.

The government systems were used as trusted delivery infrastructure, not necessarily as the final targets of the campaign. Among the compromised systems observed during the investigation were [.] br, [.] br (state public security), [.] br (fire department), [.] br, and others.

The timeline shows one operation evolving along two main paths: Delivery: PhantomEnigma moved from banking-focused activity in 2025 to abusing compromised . gov. br websites and email accounts in 2026. This gave the campaign a more trusted route to victims without confirming a new target group.

Arsenal: The malware evolved from a browser-extension banker into a modular Inno/Node. js backdoor capable of executing JavaScript and delivering additional payloads. For security teams, this combination creates a serious visibility gap.

Trusted infrastructure reduces suspicion, modular payloads can change after infection, and rotating C2 domains quickly make static blocklists outdated. Behavioral analysis and continuous threat hunting provide more reliable coverage as the campaign evolves.

Once a victim engaged with the lure, the campaign moved through a multi-stage infection chain: The sandbox sessions exposed more than a simple downloader. Hidden inside a patched Boostnote and other applications was a modular index.

js backdoor built to identify infected machines, maintain access, and deliver different payloads on demand. Once activated, the backdoor could: This modular design allows the operator to change the final payload without rebuilding the entire infection chain.

A system initially exposed to the same installer could later receive a stealer, loader, remote management tool, or another executable, making both detection and containment more difficult. PhantomEnigma shows how attackers can turn trusted infrastructure into a detection advantage.

A legitimate government domain, authenticated email, or clean file verdict may lower suspicion even when the infection chain is already active. For banks and public-sector organizations, the risk extends beyond one compromised endpoint.

Stolen credentials and persistent backdoor access can expose internal systems, sensitive data, and financial operations, while fragmented alerts delay containment. Security teams should give employees a safe way to report suspicious official-looking messages and investigate them beyond the initial verdict.

Catching the trusted lure early can prevent credential theft, additional payload delivery, and a wider operational incident. Get PhantomEnigma IOCs, infrastructure findings, and detection guidance to strengthen threat hunting and response.

Learn how to secure AI agents with practical controls for access, visibility, secrets, and risk containment. Learn how to govern risk, secure AI-built software, and keep control as development moves at machine speed.

Continue with the publisher

Read the original source after the immersive in-app article experience.

Read on source site
Loading...