Full Report
Cybersecurity researchers have shed light on a new campaign targeting Brazilian users since the start of 2025 to infect users with a malicious extension for Chromium-based web browsers and siphon user authentication data. "Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of a successful attack," Positive Technologies security researcher
Analysis Summary
# Incident Report: Operation Phantom Enigma
## Executive Summary
Operation Phantom Enigma is a malicious campaign active since early 2025, primarily targeting Brazilian users but also impacting entities in several other countries, through phishing emails distributing malicious browser extensions. The primary goal is to steal user authentication data from bank accounts by injecting malicious JavaScript into supported browsers. Response actions included researchers tracking the activity and identifying the malicious payloads, which have since been removed from the Chrome Web Store.
## Incident Details
- **Discovery Date:** Early April 2025 (initial aspects disclosed) / June 08, 2025 (full report disclosed)
- **Incident Date:** Targeting active since the beginning of 2025
- **Affected Organization:** 70 unique victim companies identified; primary targets appear to be regular Brazilian users.
- **Sector:** Various sectors targeted via invoice lures; end goal focused on banking/financial access.
- **Geography:** Primary victims in Brazil; campaign activity observed in Brazil, Colombia, Czech Republic, Mexico, Russia, and Vietnam.
## Timeline of Events
### Initial Access
- **Date/Time:** Sometime beginning in 2025
- **Vector:** Phishing emails disguised as invoices.
- **Details:** Emails encouraged recipients to download a file from an embedded link or open a malicious attachment contained within an archive. Some phishing emails were sent from compromised company servers.
### Lateral Movement
- **Details:** Attackers established persistence using a batch script launched upon system reboot. Commands executed via a C2 channel allowed for remote management, including disabling User Account Control (UAC).
### Data Exfiltration/Impact
- **Details:** The primary impact is the theft of user authentication data from Chromium-based browsers (Chrome, Edge, Brave). The malicious extension executes targeted JavaScript code when the active tab is associated with Banco do Brasil, sending the user's authentication token to the attacker's server.
### Detection & Response
- **Details:** Detection was made by cybersecurity researchers (noted by @johnk3r and Positive Technologies tracking the campaign). Response involved disclosure of findings, analysis of the campaign structure, and confirmed removal of the malicious extensions from the Chrome Web Store.
## Attack Methodology (Based on observed components)
- **Initial Access:** Phishing emails delivering archives containing batch scripts or Windows Installer/Inno Setup files.
- **Persistence:** Configuring a batch script to launch automatically upon system reboot.
- **Privilege Escalation:** Disabling User Account Control (UAC) via PowerShell script.
- **Defense Evasion:** Running anti-VM checks in the PowerShell script.
- **Credential Access:** Modification of the `ExtensionInstallForcelist` policy to force installation of a malicious browser extension.
- **Discovery:** PowerShell script checking for the presence of Diebold Warsaw security software (common in Brazilian banking).
- **Lateral Movement:** Establishing a C2 connection to await and process remote commands (e.g., `PING`, `START_SCREEN`).
- **Collection:** Malicious JavaScript running contextually to capture browser authentication tokens.
- **Exfiltration:** Sending captured tokens to the attacker's remote server.
- **Impact:** Theft of banking authentication credentials.
## Impact Assessment
- **Financial:** Undisclosed, though the goal is the theft of banking authentication data.
- **Data Breach:** User authentication tokens for banking websites.
- **Operational:** Potential deployment of Mesh Agent or PDQ Connect Agent as alternative payloads, suggesting remote access capability.
- **Reputational:** Damage to the trust associated with secure financial transactions for affected entities/users.
## Indicators of Compromise
- **Network indicators (Defanged):** C2 server communication initiated after successful script deployment.
- **File indicators:** Malicious Batch Scripts, PowerShell Scripts, Windows Installer files, Inno Setup files.
- **Behavioral indicators:** Modification of the `ExtensionInstallForcelist` registry policy; execution sequence involving batch script triggering PowerShell; execution of anti-VM sandbox checks.
## Response Actions
- **Containment measures:** Identification and disclosure of the malicious extension identifiers (nplfchpahihleeejpjmodggckakhglee, ckkjdiimhlanonhceggkfjlmjnenpmfm, and lkpiodmpjdhhhkdhdbnncigggodgdfli) leading to their removal.
- **Eradication steps:** Not explicitly detailed, but would require removing the persistence mechanism (the batch script autostart) and the malicious extension.
- **Recovery actions:** Not detailed, but would include sweeping systems for remaining persistence and requiring affected users to reset their banking credentials.
## Lessons Learned
- Attackers are effectively leveraging invoice-related lures to distribute complex multi-stage payloads.
- The use of compromised company mail servers significantly increased the credibility and success rate of phishing attempts.
- The attackers integrated specific checks for local security software (e.g., Diebold Warsaw) common in Latin American financial transactions, indicating targeted development.
- Tactics blend established malware techniques (disabling UAC, persistence) with browser-policy abuse (forcing extension installation through `ExtensionInstallForcelist`).
## Recommendations
- Enhance security awareness training focusing specifically on spotting invoice-themed phishing, especially when links/attachments appear to originate from trusted partners.
- Implement strict application allow-listing and review policies related to browser extension installation, especially blocking installations via `ExtensionInstallForcelist` unless explicitly required and controlled by IT.
- Regularly audit system configurations for disabled security features like UAC.
- Utilize endpoint detection and response (EDR) solutions capable of detecting sophisticated multi-stage execution chains initiated by scripts.
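The behavioral indicators above (writes to `ExtensionInstallForcelist`, UAC being disabled by a script) and the recommendations to review forced extension installs and audit UAC both come down to watching a handful of registry values. The following detector is an added example written for this report; it is not code from Positive Technologies or from the campaign. It runs over constructed Sysmon-style "registry value set" lines (the field layout is an assumption, as is the `APPROVED_FORCELIST_IDS` placeholder), flags forcelist entries for the three extension IDs named in the report or for any ID outside the approved set, and flags `EnableLUA` being set to 0. The policy key paths for Chrome, Edge and Brave and the `<extension id>;<update url>` value format are standard Chromium policy conventions.

```python
"""Flag registry writes matching the report's behavioural indicators:
forced browser-extension installs via ExtensionInstallForcelist and UAC
being switched off. Added example over constructed log lines; not code
from the report, the researchers, or the campaign."""
import re
from dataclasses import dataclass

# The three extension IDs the report says were removed from the Chrome Web Store.
KNOWN_MALICIOUS_EXTENSION_IDS = {
    "nplfchpahihleeejpjmodggckakhglee",
    "ckkjdiimhlanonhceggkfjlmjnenpmfm",
    "lkpiodmpjdhhhkdhdbnncigggodgdfli",
}

# Assumption: IDs IT has sanctioned for forced install. The value is a
# placeholder, not a real extension; populate it from your browser baseline.
APPROVED_FORCELIST_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Policy keys for the Chromium-based browsers the report names (Chrome, Edge, Brave).
FORCELIST_RE = re.compile(
    r"\\Policies\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave)"
    r"\\ExtensionInstallForcelist\\\d+$", re.IGNORECASE)
# EnableLUA under the System policy key is the UAC on/off switch.
UAC_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)
DWORD_ZERO_RE = re.compile(r"DWORD \(0x0+\)$")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Finding:
    severity: str
    reason: str
    target: str
    image: str
    scripted: bool  # True when the writing process is a script host


def parse_event(line: str) -> dict:
    """Split a 'Key: value | Key: value' line into a field dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def extension_id(details: str) -> str:
    """Forcelist values are '<extension id>;<update url>'; keep the id."""
    return details.split(";", 1)[0].strip().lower()


def analyze(lines) -> list:
    """Return one Finding per suspicious registry write, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventType") != "SetValue":
            continue
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        image = ev.get("Image", "")
        scripted = image.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS
        if FORCELIST_RE.search(target):
            ext = extension_id(details)
            if ext in KNOWN_MALICIOUS_EXTENSION_IDS:
                findings.append(Finding("high", f"forced install of extension ID named in the report: {ext}", target, image, scripted))
            elif ext not in APPROVED_FORCELIST_IDS:
                findings.append(Finding("medium", f"forced install of unapproved extension ID: {ext}", target, image, scripted))
        elif UAC_RE.search(target) and DWORD_ZERO_RE.search(details):
            findings.append(Finding("high", "UAC disabled: EnableLUA set to 0", target, image, scripted))
    return findings


# Constructed sample events (not captured telemetry). The update URL is the
# public Chrome Web Store update endpoint; the 'bbbb...' ID is a placeholder.
SAMPLE_EVENTS = [
    "EventType: SetValue | Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | "
    "TargetObject: HKLM\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist\\1 | "
    "Details: nplfchpahihleeejpjmodggckakhglee;https://clients2.google.com/service/update2/crx",
    "EventType: SetValue | Image: C:\\Windows\\System32\\svchost.exe | "
    "TargetObject: HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist\\1 | "
    "Details: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx",
    "EventType: SetValue | Image: C:\\Windows\\System32\\cmd.exe | "
    "TargetObject: HKLM\\SOFTWARE\\Policies\\BraveSoftware\\Brave\\ExtensionInstallForcelist\\2 | "
    "Details: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;https://clients2.google.com/service/update2/crx",
    "EventType: SetValue | Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | "
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA | "
    "Details: DWORD (0x00000000)",
    "EventType: SetValue | Image: C:\\Windows\\explorer.exe | "
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA | "
    "Details: DWORD (0x00000001)",
    "EventType: SetValue | Image: C:\\Windows\\explorer.exe | "
    "TargetObject: HKCU\\Software\\Example\\Setting | Details: 1",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason} <- {f.image} ({'script host' if f.scripted else 'other'})")
```

The approved-ID path produces no finding, so the same rule can run continuously in an environment that legitimately force-installs extensions through Group Policy; the `scripted` flag is there because the report's chain writes these values from PowerShell launched by a batch script, which is a different writer than the Group Policy client.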