PhantomEnigma rides Brazilian .gov.br sites and mailboxes
ANY.RUN links a Brazilian banking crimeware operation to 20+ hijacked .gov.br sites and mailboxes, using signature-valid mail and trusted redirects.
ANY.RUN’s PhantomEnigma investigation, summarised in reporting by The Hacker News on 16 July 2026, connects a Brazilian banking crimeware operation to more than 20 hijacked Brazilian government (.gov.br) websites and their mailboxes. The novelty is not the payload — the payload is a fairly ordinary modular Node.js backdoor. The novelty is that the delivery infrastructure carrying the phish, and the domains carrying the installer it points to, are the government’s own.
Mail that passes on the wire
The lure is a themed PDF (“Ofício Polícia Civil”, “Procuração Digital”) with a QR code in it. The email carrying that PDF is sent from a mailbox on a compromised .gov.br domain. Because the mailbox is real and the sending domain is authoritative, SPF, DKIM and DMARC all validate. There is no failure signal for a mail filter to trip on. From the receiving side, the message is what it looks like: mail from a Brazilian government address, cryptographically signed by that address’s real DKIM key.
The URL under the QR code either lives on another compromised .gov.br host — ANY.RUN names timon.ma.gov.br, loginam.sesp.es.gov.br, aplicacao.cbm.mt.gov.br, and prodoc.ap.gov.br among the more than 20 identified — or on a police-themed lookalike domain. From a victim’s point of view, they are scanning a QR code in a document from a state public-security site and being redirected to another Brazilian government subdomain to download an installer. That flow is the phish. The compromised sites are not doing anything besides serving a file; the trust the file borrows is inherited from the domain.
What runs after the installer
The dropper is an Inno Setup installer. What lands, according to ANY.RUN, is a modular backdoor delivered as JavaScript files patched into legitimate applications — the researchers highlight Boostnote, the Electron-based note-taking app, where a file called index.js sits inside the shipped application bundle and reads as part of the app’s own code. Loading the trojanised app loads the backdoor.
The backdoor itself is not clever. It:
- collects host and system information,
- creates a persistent machine ID and stores it locally,
- polls a C2 endpoint every 180 seconds for a command string,
- executes returned JavaScript via
eval(), - downloads and launches whatever the operator has queued next, and
- rotates through a list of C2 domains when one gets sinkholed.
None of that would matter much if it arrived on a Word document from a stranger. It matters because it arrived from a state government’s own DKIM key.
Why the evolution matters
The operation has been tracked by ANY.RUN since 2025 as a browser-extension banker aimed at Brazilian banks — the sort of thing a bank’s fraud team recognises within days and gets neutralised in the extension stores. The 2026 campaign migrates off the browser extension and onto the government’s own trust surface: legitimate mailboxes for the phish, legitimate government subdomains for the payload, and legitimate applications for the backdoor. The banker is no longer a browser extension; it is a JavaScript file inside an app that the user installed themselves after clicking mail with a valid DKIM signature.
Attribution is not in the report. ANY.RUN describes what the campaign does and the infrastructure it uses; it does not name an actor.
What to actually do
If you are a Brazilian public-sector operator: audit every SPF-authorized mail sender for your domain, every DKIM selector actively signing outbound mail, and every writable web root on public-facing sites. Compromised mailboxes are the operational asset here; if a mailbox belongs to a role or person who no longer needs it, close it. If a .gov.br host is serving files nobody in the department can account for, that is the campaign.
If you are a mail defender outside .gov.br: the standard signal that “SPF, DKIM and DMARC all pass” does not tell you a mailbox is uncompromised. It tells you the message came from the domain it claims. Content and behavioural inspection have to carry the rest — QR codes inside PDF attachments from external senders, in particular, are worth an outbound-block rule for internal users following the link.
The specific hosts, C2 domains, hashes and detection rules are in the ANY.RUN writeup. If the .gov.br trust chain is anywhere in your threat model, that is the reference to send the mail team.
Found this useful? Share it.


