Operation Phantom Enigma

June 5, 2025, 5:46 p.m.

Description

A malicious campaign targeting primarily Brazilian residents has been discovered, with attacks detected since early 2025. The attackers employed phishing emails, some sent from compromised company servers, to distribute malware. Two attack chains were identified: one using a malicious browser extension for Google Chrome, Microsoft Edge, and Brave, and another utilizing Mesh Agent or PDQ Connect Agent. The campaign aimed to steal authentication data from victims' bank accounts, particularly targeting Banco do Brasil customers. Over 700 downloads of the malicious extension were recorded, affecting users in Brazil, Colombia, Czech Republic, Mexico, Russia, Vietnam, and other countries. The attackers used sophisticated techniques, including virtualization checks, UAC bypass, and file deletion to evade detection.

Date

  • Created: June 5, 2025, 4:53 p.m.
  • Published: June 5, 2025, 4:53 p.m.
  • Modified: June 5, 2025, 5:46 p.m.

Attack Patterns

Additional Information

  • Finance
  • Colombia
  • Czechia
  • Mexico
  • Brazil
  • Russian Federation