Cybersecurity researchers have shed light on a new campaign targeting Brazilian users since the start of 2025 to infect users with a malicious extension for Chromium-based web browsers and siphon user authentication data.
“Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of a successful attack,” Positive Technologies security researcher Klimentiy Galkin said in a report. “The attackers used a malicious extension for Google Chrome, Microsoft Edge, and Brave browsers, as well as Mesh Agent and PDQ Connect Agent.”
The Russian cybersecurity company, which is tracking the activity under the name Operation Phantom Enigma, said the malicious extension was downloaded 722 times from across Brazil, Colombia, the Czech Republic, Mexico, Russia, and Vietnam, among others. As many as 70 unique victim companies have been identified. Some aspects of the campaign were disclosed in early April by a researcher who goes by the alias @johnk3r on X.
The attack starts with phishing emails disguised as invoices that trigger a multi-stage process to deploy the browser extension. The messages encourage recipients to download a file from an embedded link or open a malicious attachment contained within an archive.
Present within the files is a batch script that’s responsible for downloading and launching a PowerShell script, which, in turn, performs a series of checks to determine if it’s running in a virtualized environment and the presence of a software named Diebold Warsaw.
Developed by GAS Tecnologia, Warsaw is a security plugin that’s used to secure banking and e-commerce transactions through the Internet and mobile devices in Brazil. It’s worth noting that Latin American banking trojans like Casbaneiro have incorporated similar features, as disclosed by ESET in October 2019.
The PowerShell script is also engineered to disable User Account Control (UAC), set up persistence by configuring the aforementioned batch script to be launched automatically upon system reboot, and establish a connection with a remote server to await further commands.
The list of supported commands is as follows –
- PING – Send a heartbeat message to the server by sending “PONG” in response
- DISCONNECT – Stop the current script process on the victim’s system
- REMOVEKL – Uninstall the script
- CHECAEXT – Check the Windows Registry for the presence of a malicious browser extension, sending OKEXT if it exists, or NOEXT, if the extension is not found
- START_SCREEN – Install the extension in the browser by modifying the ExtensionInstallForcelist policy, which specifies a list of apps and extensions that can be installed without user interaction
The detected extensions (identifiers nplfchpahihleeejpjmodggckakhglee, ckkjdiimhlanonhceggkfjlmjnenpmfm, and lkpiodmpjdhhhkdhdbnncigggodgdfli) have already been removed from the Chrome Web Store.
Other attack chains swap the initial batch script for Windows Installer and Inno Setup installer files that are utilized to deliver the extensions. The add-on, per Positive Technologies, is equipped to execute malicious JavaScript code when the active browser tab corresponds to a web page associated with Banco do Brasil.
Specifically, it sends the user’s authentication token and a request to the attackers’ server to receive commands to likely display a loading screen to the victim (WARTEN or SCHLIEBEN_WARTEN) or serve a malicious QR code on the bank’s web page (CODE_ZUM_LESEN). The presence of German words for the commands could either allude to the attacker’s location or that the source code was repurposed from somewhere else.
In what appears to be an effort to maximize the number of potential victims, the unknown operators have found to leverage invoice-related lures to distribute installer files and deploy remote access software such as MeshCentral Agent or PDQ Connect Agent instead of a malicious browser extension.
Positive Technologies said it also identified an open directory belonging to the attacker’s auxiliary scripts containing links with parameters that included the EnigmaCyberSecurity identifier (“<victim-domain>/about.php?key=EnigmaCyberSecurity”).
“The study highlights the use of rather unique techniques in Latin America, including a malicious browser extension and distribution via Windows Installer and Inno Setup installers,” Galkin said.
“Files in the attackers’ open directory indicate that infecting companies was necessary for discreetly distributing emails on their behalf. However, the main focus of the attacks remained on regular Brazilian users. The attackers’ goal is to steal authentication data from the victims’ bank accounts.”
