PhantomEnigma trusted-delivery phishing campaign abusing Brazilian government websites
Campaign
Summary
Hide ▲
Show ▼
The PhantomEnigma campaign abused more than 20 Brazilian government websites and compromised email infrastructure to route malware through trusted .gov.br links, increasing the chance that banks and public agencies would engage with the lure. The operation used fake police-themed documents and authenticated messages that passed SPF, DKIM, and DMARC checks to look legitimate. It then funneled victims through a multi-stage delivery chain that ended in a modular Inno/Node.js backdoor capable of persistence and follow-on payload delivery. The trusted infrastructure and rotating delivery paths made the operation harder to spot and expanded its reach.
Related Happenings
Brazilian government websites hit by network compromise
Incident
H score28
First: 16.07.2026 14:58
Last: 16.07.2026 14:58
Sources 1
How related:
More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions.
About this happening:
More than 20 Brazilian government websites were hijacked and turned into malware delivery channels, exposing public-sector infrastructure to downstream abuse. The comp...
Brazilian government websites hit by network compromise
IncidentHow related: More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions.
About this happening: More than 20 Brazilian government websites were hijacked and turned into malware delivery channels, exposing public-sector infrastructure to downstream abuse. The comp...
Fake shipment tracking SMS phishing campaign
Campaign
H score35
First: 16.03.2026 16:45
Last: 16.03.2026 16:45
Sources 1
About this happening:
A global surge in fake shipment tracking phishing campaigns is stealing funds and credentials at scale, with activity rising from almost none in 2024 to over 100 cam...
Fake shipment tracking SMS phishing campaign
CampaignAbout this happening: A global surge in fake shipment tracking phishing campaigns is stealing funds and credentials at scale, with activity rising from almost none in 2024 to over 100 cam...
Timeline
-
16.07.2026 14:58 2 articles · 2h ago
ANY.RUN uncovers PhantomEnigma abusing Brazilian government websites
Initial DisclosureANY.RUN reported an active PhantomEnigma campaign in which more than 20 Brazilian government websites were hijacked and used as malware delivery channels against banks and public agencies. The operation relied on fake police-themed phishing documents, compromised mailboxes, trusted .gov.br redirects, and a modular index.js backdoor embedded in patched applications, enabling persistence, JavaScript execution, and follow-on payload delivery while obscuring the broader infrastructure relationships.
Show sources
- 20+ Hijacked Government Websites Became an Attack Channel — thehackernews.com — 16.07.2026 14:58
- 20+ Hijacked Government Websites Became an Attack Channel — thehackernews.com — 16.07.2026 14:58