{"id":22131,"date":"2026-07-16T08:51:30","date_gmt":"2026-07-16T08:51:30","guid":{"rendered":"https:\/\/any.run\/cybersecurity-blog\/?p=22131"},"modified":"2026-07-16T11:57:58","modified_gmt":"2026-07-16T11:57:58","slug":"phantomenigma-research","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/","title":{"rendered":"Hidden Infrastructure Exposed:\u00a0ANY.RUN Reveals Hijacked Gov Websites Delivering Malware\u00a0"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><em>An&nbsp;original&nbsp;threat&nbsp;intelligence investigation&nbsp;uncovering how trusted government infrastructure became&nbsp;an&nbsp;attack channel, placing banking organizations&nbsp;and public-sector systems at risk while revealing previously undocumented infrastructure relationships&nbsp;and actionable mitigation guidance for security leaders.<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> analysts have uncovered an active PhantomEnigma campaign abusing compromised government infrastructure and fake police-themed documents to target banking and public-sector organizations in Brazil. Trusted emails and legitimate .gov.br links are helping the operation stay hidden.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By linking hundreds of&nbsp;seemingly unrelated&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox&nbsp;analyses<\/a>, the team exposed a coordinated operation that can&nbsp;delay containment, increase investigation costs,&nbsp;and raise the risk of fraud, data exposure,&nbsp;and operational disruption.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>PhantomEnigma&nbsp;uses compromised Brazilian&nbsp;government systems for delivery:&nbsp;<\/strong>At least&nbsp;20 .gov.br municipal&nbsp;and police portals were used to distribute malware, while compromised mailboxes allowed phishing emails to pass SPF, DKIM,&nbsp;and DMARC checks. These government systems are part of the delivery chain, not confirmed campaign targets.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN<\/strong><\/a><strong> analysts uncovered a previously undocumented backdoor generation:<\/strong> A fresh <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox detonation<\/a> on July 12, 2026, confirmed the behavior in a live environment, showing that PhantomEnigma operates at least two beacon generations.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The Of\u00edcio-PC quishing activity is linked to the same operator:<\/strong> The fake Pol\u00edcia Civil QR-code PDF and ClickFix campaign included 99 sandbox analyses. At least four compromised government hosts delivered both Of\u00edcio-PC content and PhantomEnigma installers, supporting the assessment that it is another arm of the same operation.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ANY.RUN exposed hidden infrastructure links, while the campaign\u2019s code proved to be its most durable fingerprint:<\/strong> A recurring Delphi\/Inno Setup and Node.js\/Electron build chain identified 231 sandbox analyses even as domains, IP addresses, and delivery hosts changed.<\/li>\n<\/ul>\n\n\n\n<!-- CTA Split START -->\n<div class=\"cta-split\">\n<div class=\"cta__split-left\">\n\n<!-- Image -->\n<img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/cover-4.png\" alt=\"PhantomEnigma Threat Report from ANY.RUN\" class=\"cta__split-icon\">\n<\/div>\n\n<div class=\"cta__split-right\">\n<div>\n\n<!-- Heading -->\n<h3 class=\"cta__split-heading\"><br>PhantomEnigma Threat Report<\/h3>\n\n<!-- Text -->\n<p class=\"cta__split-text\">\nDiscover how one operation abused trusted infrastructure to evade detection:\n <\/p><ul>\n    <li><strong>20+ government websites<\/strong> hijacked<\/li>\n    <li><strong>Banking and public-sector<\/strong> organizations targeted<\/li>\n    <li><strong>Live <\/strong>  backdoor activity still evading detection<\/li>\n  <\/ul>\n<br>\n\n<\/div>\n<!-- CTA Link -->\n<a target=\"_blank\" rel=\"noopener\" id=\"article-banner-split\" href=\"https:\/\/files.any.run\/images\/phantomEnigma_threat_intel_report_anyrun.pdf\"><div class=\"cta__split-link\">Get FREE report<\/div><\/a>\n<\/div>\n<\/div>\n<!-- CTA Split END -->\n<!-- CTA Split Styles START -->\n<style>\n.cta-split {\noverflow: hidden;\nmargin: 3rem 0;\ndisplay: grid;\njustify-items: center;\nborder-radius: 0.5rem;\nwidth: 100%;\nmin-height: 25rem;\ngrid-template-columns: repeat(2, 1fr);\nborder: 1px solid rgba(75, 174, 227, 0.32);\nfont-family: 'Catamaran Bold';\n}\n\n.cta__split-left {\ndisplay: flex;\nalign-items: center;\njustify-content: center;\nheight: 100%;\nwidth: 100%;\nbackground-color: #161c59;\nbackground-position: center center;\nbackground: rgba(32, 168, 241, 0.1);\n}\n\n.cta__split-icon { \nwidth: 100%;\nheight: auto;\nobject-fit: contain;\nmax-width: 100%;\n}\n\n.cta__split-right {\ndisplay: flex;\nflex-direction: column;\njustify-content: space-between;\npadding: 2rem;\n}\n\n.cta__split-heading { font-size: 1.5rem; }\n\n.cta__split-text {\nmargin-top: 1rem;\nfont-family: Lato, Roboto, sans-serif;\n}\n\n.cta__split-link {\npadding: 0.5rem 1rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: white;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\ndisplay: block;\nz-index: 1000;\nposition: relative;\ncursor: pointer !important;\n}\n\n.cta__split-link:hover {\nbackground-color: #68CBFF;\ncolor: white;\ncursor: pointer;\n}\n\n.highlight { color: #ea2526;}\n\n\n\/* Mobile styles START *\/\n@media only screen and (max-width: 768px) {\n\n.cta-split {\ngrid-template-columns: 1fr;\nmin-height: auto;\n}\n\n.cta__split-left {\nheight: auto;\nmin-height: 10rem;\n}\n\n\n.cta__split-left, .cta__split-right {\nheight: auto;\n}\n\n.cta__split-heading { font-size: 1.2rem; }\n\n.cta__split-text { font-size: 1rem; }\n.cta__split-icon {\nmax-height: auto;\nobject-fit: cover;\n}\n\n}\n\/* Mobile styles END *\/\n<\/style>\n<!-- CTA Split Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">PhantomEnigma&nbsp;Threat&nbsp;Profile&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The profile below summarizes&nbsp;PhantomEnigma\u2019s&nbsp;targeting, capabilities, scale,&nbsp;and potential business impact. It also shows why the operation is difficult to detect: it combines modular malware,&nbsp;frequently rotated infrastructure,&nbsp;and compromised government systems that make malicious activity appear legitimate.&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-347\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"12\"\n           data-wpID=\"347\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-bc-EEF6FF\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Parameter\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-bc-EEF6FF\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Value\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Threat\u00a0type\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Modular Node.js backdoor delivered by a Delphi\/Inno Setup installer; multi-arm crimeware operation\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Family \/ cluster\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        PhantomEnigma, also known as Operation Phantom Enigma\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Actor \/ targeting\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Brazil-focused activity targeting banking organizations, including Banco do\u00a0Brasil, with\u00a0compromised .gov.br infrastructure later used for delivery\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Severity\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        High: active malware delivery, banking credential theft,\u00a0and compromised government infrastructure\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Business risk\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Financial loss, sensitive data exposure, operational disruption, regulatory\u00a0and reputational damage,\u00a0and higher investigation\u00a0and recovery costs\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Sophistication\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Capable: patched Electron decoy, self-deobfuscating\u00a0index.js, modular eval\/exec backdoor,\u00a0and compromised infrastructure that allows SPF, DKIM,\u00a0and DMARC checks to pass\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prevalence\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        231\u00a0sandbox\u00a0analyses from January to July 2026. Activity\u00a0remains ongoing, with peaks in March (58)\u00a0and May (66),\u00a0and 27\u00a0analyses in July\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        First \/ last seen in the\u00a0ANY.RUN dataset\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        January 15, 2026\u2013July 10, 2026\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Overall confidence\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        High confidence that the campaign is real, documented,\u00a0and focused on Brazil; medium-high confidence that the specific Inno\/Node.js arm belongs to\u00a0PhantomEnigma\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Attribution basis\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Build-chain\u00a0analysis\u00a0and vendor corroboration, including PT-ESC research, abuse.ch\u00a0ThreatFox,\u00a0and exact seed IOCs\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Snapshot\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Core data updated July 11, 2026; deep\u00a0analysis\u00a0and live re-detonation completed July 12;\u00a0Of\u00edcio\u00a0delivery-arm\u00a0analysis updated July 13\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-347'>\ntable#wpdtSimpleTable-347{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-347 td, table.wpdtSimpleTable347 th { white-space: normal !important; }\n.wpdt-bc-EEF6FF { background-color: #EEF6FF !important;}\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">One Campaign, Multiple Attack Arms&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The activity&nbsp;first appeared to be&nbsp;two separate waves:&nbsp;Of\u00edcio-PC PDF attacks from January to April, followed by a Node.js\/Inno campaign from May. However, the data shows both were active in parallel.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The PDF arm peaked in February, while the Node.js\/Inno backdoor remained active from January through July, with peaks in March and May. This suggests PhantomEnigma is one coordinated operation using several attack arms, shared compromised government infrastructure, and rotating C2 systems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How&nbsp;PhantomEnigma&nbsp;Became Harder to Detect: Timeline&nbsp;and Evolution&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The timeline shows&nbsp;PhantomEnigma&nbsp;as one continuous operation. Gen A covers the extension-banker activity documented in public research in 2025. Gen B covers the 2026 activity&nbsp;observed&nbsp;directly in&nbsp;ANY.RUN, including the PDF delivery arm&nbsp;and the Node.js\/Inno backdoor cluster. Although these were initially treated as separate phases, the data shows that they&nbsp;operated&nbsp;in parallel during the first half of 2026.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/timeline-1024x576.png\" alt=\"\" class=\"wp-image-22132\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/timeline-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/timeline-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/timeline-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/timeline-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/timeline-2048x1152.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/timeline-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/timeline-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/timeline-740x416.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Timeline of PhantomEnigma&#8217;s malicious activity<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The campaign evolved along two main paths:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Target:<\/strong> In 2025, the activity focused on banking targets, including Banco do Brasil. By 2026, the operator was using compromised Brazilian public-sector email and hosting infrastructure. This reflects a change in delivery rather than a confirmed new victim group. Legitimate .gov.br systems gave the attackers a more trusted route to victims and helped malicious emails pass standard authentication checks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Arsenal:<\/strong> The malware evolved from a browser-extension banker into a modular Inno\/Node.js backdoor built around a patched Boostnote application. The download script became simpler, the decoy looked more legitimate, and the backdoor gained the ability to execute JavaScript or deliver additional files. Multiple beacon generations also remained active at the same time, using both GET and POST requests.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For security teams, these changes increase the risk of delayed detection&nbsp;and incomplete containment. Trusted infrastructure can&nbsp;reduce suspicion, modular payloads can&nbsp;change after the&nbsp;initial&nbsp;infection,&nbsp;and weekly C2 rotation can&nbsp;quickly make static blocklists outdated.&nbsp;Behavior-based detection,&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox&nbsp;analysis<\/a>,&nbsp;and continuous&nbsp;threat&nbsp;hunting are therefore more reliable than&nbsp;individual domains, hashes, or automated verdicts alone.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">PhantomEnigma&nbsp;Targeting: What the Data Really Shows&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Submitter data can&nbsp;indicate&nbsp;where activity is being&nbsp;observed, but it does not confirm individual victims. The figures may be affected by MSSP resubmissions, automated feeds,&nbsp;and the&nbsp;ANY.RUN&nbsp;user base.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Key findings include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Brazil is the strongest targeting signal:&nbsp;<\/strong>It&nbsp;represents&nbsp;60.3% of&nbsp;the .gov.br delivery cluster&nbsp;and 46% of the operator C2 cohort.&nbsp;<\/li>\n\n\n\n<li><strong>Banking&nbsp;and MSSPs show the highest exposure:<\/strong>&nbsp;This aligns with public research documenting attacks against Banco do&nbsp;Brasil.&nbsp;<\/li>\n\n\n\n<li><strong>The&nbsp;apparent&nbsp;US concentration is misleading:&nbsp;<\/strong>Of the 77 US submissions, 66 came from one US telecommunications source&nbsp;and should not be treated as separate victims.&nbsp;<\/li>\n\n\n\n<li><strong>Adjacent clusters show different targeting patterns:<\/strong>&nbsp;The&nbsp;Eoto&nbsp;ClickFix&nbsp;and GitHub-to-StealC&nbsp;activity is not concentrated in Brazil, supporting its classification as separate operations.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How&nbsp;PhantomEnigma&nbsp;Turns Detection Gaps into Business Risk&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">PhantomEnigma\u2019s use of trusted government infrastructure, clean-looking samples, and rotating C2 domains can delay investigation and give the operation more time to spread inside an organization.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;main business&nbsp;risks include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Financial loss:<\/strong>&nbsp;Compromised banking, email, or system credentials can&nbsp;enable fraud&nbsp;and unauthorized transactions.&nbsp;<\/li>\n\n\n\n<li><strong>Delayed containment:<\/strong>&nbsp;Clean&nbsp;verdicts&nbsp;and fragmented alerts can&nbsp;hide the fact that several incidents belong to one coordinated operation.&nbsp;<\/li>\n\n\n\n<li><strong>Sensitive data exposure:<\/strong>&nbsp;The modular backdoor can&nbsp;collect system information, execute commands,&nbsp;and deliver&nbsp;additional&nbsp;payloads.&nbsp;<\/li>\n\n\n\n<li><strong>Operational disruption:<\/strong>&nbsp;A successful compromise can&nbsp;affect employee access, critical systems,&nbsp;and daily business operations.&nbsp;<\/li>\n\n\n\n<li><strong>Higher response costs:<\/strong>&nbsp;Repeated&nbsp;analysis, longer investigations,&nbsp;and late containment increase SOC workload&nbsp;and recovery expenses.&nbsp;<\/li>\n\n\n\n<li><strong>Regulatory&nbsp;and reputational damage:<\/strong>&nbsp;Delayed detection&nbsp;and data exposure can&nbsp;affect compliance obligations, customer trust,&nbsp;and partner confidence.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">For security leaders, the priority is to shorten the time between the first suspicious signal&nbsp;and confirmed compromise. This requires connecting&nbsp;behavior&nbsp;across files, infrastructure,&nbsp;and&nbsp;sandbox&nbsp;analyses instead of relying only on individual hashes, domains, or automated verdicts.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Expose hidden links before clean\u00a0verdicts delay containment.<\/span><br>\nReduce investigation\u00a0and recovery costs with\u00a0ANY.RUN.\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=phantomenigma-research&#038;utm_term=160726&#038;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nLower Incident Costs\u00a0 <\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Execution Chain: How the&nbsp;PhantomEnigma&nbsp;Attack Unfolds&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">After&nbsp;analyzing the phishing email inside&nbsp;ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive&nbsp;Sandbox<\/a>, we revealed the following attack chain:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Initial delivery<\/strong>&nbsp;<br>The victim receives a spoofed Pol\u00edcia Civil or \u201cProcura\u00e7\u00e3o&nbsp;Digital\u201d notary email&nbsp;and follows a link to a compromised government host or a police-themed&nbsp;typosquat&nbsp;.com domain.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-16-at-10.48.34-1024x579.png\" alt=\"\" class=\"wp-image-22179\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-16-at-10.48.34-1024x579.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-16-at-10.48.34-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-16-at-10.48.34-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-16-at-10.48.34-1536x869.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-16-at-10.48.34-2048x1158.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-16-at-10.48.34-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-16-at-10.48.34-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-16-at-10.48.34-740x418.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing email analyzed inside ANY.RUN sandbox<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\"><strong>Installer execution<\/strong><br>The host serves a Delphi-compiled Inno Setup installer, such as Procuracao_Digital.exe. Once executed, it silently unpacks a patched Electron\/Boostnote or another JavaScript-based application.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Backdoor activation<\/strong><br>In the observed Boostnote version, the legitimate BoostIO note-taking application contains a malicious index.js file. The Electron host loads this script, which self-deobfuscates, sends victim system information to the C2 server, performs reconnaissance through child_process, creates persistence through a Run key, and enters its taskExecute loop.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Second-stage delivery<\/strong><br>The server can return JavaScript for in-process execution through eval() or send an executable to be dropped and launched as a child process. This modular second stage is where the final payload, such as a stealer, loader, or remote management tool, is delivered.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Indicators That Survive Lure Changes&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Several artifacts&nbsp;remain&nbsp;visible even as file names&nbsp;and lures change:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The dropped Electron host appears as App.exe under is-*.tmp\\&lt;Name&gt;Application\\, including names such as DistroniceApplication and SmartSuiteifyUltraWare.<\/li>\n\n\n\n<li>The decoy binary is a patched Boost Note.exe, later renamed Grape.exe to avoid the known decoy string. Installation directories use random word combinations such as UltraSuiteSmartCoreware and ProSoftxUltraToolator.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Inside the Backdoor: Static&nbsp;Deobfuscation&nbsp;and Live Re-Detonation&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This investigation revealed backdoor behavior that we found was not documented in previous public research. To validate it, <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> analysts completed two controlled steps: extracting and deobfuscating the dropped index.js file, then re-detonating the original installer to confirm the behavior in a live sandbox environment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">First,&nbsp;analysts recovered the real resources\\app\\index.js file, measuring 239,459 bytes, from the&nbsp;anchor session\u2019s full JSON report. The file was extracted with 7-Zip&nbsp;and&nbsp;deobfuscated&nbsp;in Python without being executed&nbsp;through Node.js or&nbsp;eval().&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The analysis reversed two layers of obfuscation. The Boostnote wrapper used an obfuscator.io string array with a custom lowercase-first Base64 alphabet, while the malicious strings were stored as character-code arrays and decoded through String.fromCharCode(&#8230;).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This build also differed from the generation described in earlier public research. It did not&nbsp;contain&nbsp;the 1874371588 XOR scheme or the&nbsp;laravel&nbsp;string,&nbsp;indicating&nbsp;a simpler but distinct version of the backdoor.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;deobfuscated&nbsp;logic showed that the malware:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sends system information to the \/nbw\/ endpoint&nbsp;<\/li>\n\n\n\n<li>Creates a persistent eight-character machine ID in %APPDATA%&nbsp;<\/li>\n\n\n\n<li>Reads&nbsp;an&nbsp;affiliate or campaign tag stored beside the installer&nbsp;<\/li>\n\n\n\n<li>Checks for new commands every 180 seconds&nbsp;<\/li>\n\n\n\n<li>Executes JavaScript directly&nbsp;through&nbsp;eval()&nbsp;<\/li>\n\n\n\n<li>Drops&nbsp;and runs executable files&nbsp;<\/li>\n\n\n\n<li>Establishes persistence&nbsp;through&nbsp;setLoginItemSettings&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;deobfuscated&nbsp;backdoor, shown in simplified pseudocode:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"515\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.40.30-1024x515.png\" alt=\"\" class=\"wp-image-22137\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.40.30-1024x515.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.40.30-300x151.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.40.30-768x386.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.40.30-1536x772.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.40.30-370x186.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.40.30-270x136.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.40.30-740x372.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.40.30.png 1766w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">A New Beacon Generation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The recovered sample sends a POST request to \/nbw\/ with a JSON body containing the machine ID, computer name, username, and campaign tag.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This differs from the previously documented GET request:&nbsp;<\/p>\n\n\n\n<p class=\"has-background wp-block-paragraph\" style=\"background-color:#eef6ff\">\/laravel.php?api=api&amp;hash=&lt;b64&gt;&amp;message=PT1n&lt;b64&gt;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The evidence therefore&nbsp;indicates&nbsp;that&nbsp;PhantomEnigma&nbsp;operates at least two beacon generations. Despite the different communication formats, both share the same Delphi\/Inno&nbsp;and patched&nbsp;Boostnote&nbsp;build chain, modular JavaScript or executable payload delivery,&nbsp;and login persistence.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"422\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image3-1024x422.png\" alt=\"\" class=\"wp-image-22139\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image3-1024x422.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image3-300x124.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image3-768x317.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image3-1536x633.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image3-2048x845.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image3-370x153.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image3-270x111.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image3-740x305.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>customRequest function used to send the victim\u2019s computer data<\/em>&nbsp;<\/figcaption><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"889\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image4-1024x889.png\" alt=\"\" class=\"wp-image-22140\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image4-1024x889.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image4-300x260.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image4-768x666.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image4-1536x1333.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image4-370x321.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image4-270x234.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image4-740x642.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image4.png 1830w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>taskExecute&nbsp;function code<\/em>&nbsp;<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">A fresh detonation on July 12, 2026, confirmed the behavior in a live environment. The sample resolved&nbsp;and sent a POST request to:&nbsp;<strong>hxxps:\/\/zsxocjarsate[.]com\/nbw\/<\/strong>&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This confirmed that the deobfuscated \/nbw\/ path was actively used and identified zsxocjarsate[.]com as a live C2 domain. The analysis also recovered the dropped index.js hash:<strong> 71f69978667dc421e7edf8885e9f3bde9dd527d9f7974228c9a6eac84c2ab71c<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The static code&nbsp;analysis&nbsp;and&nbsp;ANY.RUN\u2019s&nbsp;live&nbsp;sandbox&nbsp;behavior produced matching results.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Build-Chain Evidence Outlasts Rotating Infrastructure&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Known C2 domains help connect related activity, but they are not reliable enough to serve as the main detection key. The largest seed domain,\u00a0policiacivilmg[.]com, appears in only 34 of the 231 core\u00a0sandbox analysis sessions, or 15% of the cluster. The previously cited figure of 55 refers to index-wide DNS activity, not sessions within the core cluster.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The full ten-domain seed set covers only 77 of the 231 sessions, or 33%. Two-thirds of the cluster never contacted&nbsp;any&nbsp;known C2 domain. Instead, those sessions used&nbsp;compromised .gov.br hosts or infrastructure that had already rotated out of view.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To find a more stable signal, ANY.RUN analysts used <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> together with YARA and static detection tags to search across the samples\u2019 build characteristics.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Individually, the tags are common across the dataset:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nodejs: 2,496&nbsp;sandbox&nbsp;sessions&nbsp;<\/li>\n\n\n\n<li>inno: 10,719&nbsp;sandbox&nbsp;sessions&nbsp;<\/li>\n\n\n\n<li>delphi: 17,233&nbsp;sandbox&nbsp;sessions&nbsp;<\/li>\n\n\n\n<li>installer: 11,567\u00a0sandbox\u00a0sessions\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The combination reflects the recurring build chain: a Delphi-compiled Inno Setup installer carrying an embedded Node.js or Electron application. The Combined, however, the four tags identify exactly 231 sessions. The nodejs and inno combination alone also returns all 231, providing full recall across the cluster.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;three tags come from&nbsp;ANY.RUN&nbsp;YARA&nbsp;and static detections applied to the sample bytes, including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compiled with Borland Delphi&nbsp;<\/li>\n\n\n\n<li>Detects&nbsp;InnoSetup&nbsp;installer&nbsp;<\/li>\n\n\n\n<li>Node.js compiler detected&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This means&nbsp;analysts can&nbsp;identify&nbsp;the malware by its build characteristics even as the operator changes C2 domains, IP addresses,&nbsp;and compromised delivery hosts.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use the following <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a> query to find related activity involving compromised Brazilian&nbsp;government infrastructure:&nbsp;<\/p>\n\n\n\n<p class=\"has-background wp-block-paragraph\" style=\"background-color:#eef6ff\">TI Lookup query:&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22domainName:%5C%22.gov.br%5C%22%20AND%20threatName:%5C%22nodejs%5C%22%20AND%20threatName:%5C%22inno*%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;.gov.br&#8221;&nbsp;AND&nbsp;threatName:&#8221;nodejs&#8221;&nbsp;AND&nbsp;threatName:&#8221;inno*&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"622\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-1-1024x622.png\" alt=\"\" class=\"wp-image-22141\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-1-1024x622.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-1-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-1-768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-1-1536x933.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-1-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-1-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-1-740x449.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-1.png 1750w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup&nbsp;showcasing&nbsp;all the relevant&nbsp;sandbox&nbsp;sessions<\/em>&nbsp;<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The initial ANY.RUN\u2019s <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> query provided a broader starting point for identifying related sandbox sessions. Analysts could then combine the build-chain tags with stronger campaign indicators, such as known C2 infrastructure, compromised .gov.br hosts, beacon IP addresses, and the \/laravel.php or \/nbw\/ communication patterns.<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Connect related&nbsp;threat&nbsp;activity before it becomes an incident.&nbsp;<\/span><br>\nGive your SOC the context to investigate&nbsp;and respond faster.\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nAccelerate&nbsp;Threat&nbsp;Hunting&nbsp;&nbsp; <\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\">Attribution with Broader Detection Coverage&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;analysts&nbsp;identified&nbsp;231&nbsp;sandbox&nbsp;analyses that share the same distinctive build chain. This wider cluster gives defenders a strong basis for&nbsp;threat&nbsp;hunting, even when domains, IP addresses,&nbsp;and&nbsp;delivery&nbsp;infrastructure change.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Within that cluster, approximately 108\u2013125 analyses also contain stronger PhantomEnigma indicators, including known C2 infrastructure, compromised .gov.br hosts, beacon IPs, and the \/laravel.php or \/nbw\/ communication patterns.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This gives defenders two useful levels of visibility: a wider cluster for threat hunting and a more tightly attributed core for higher-confidence investigation and response. It also allows the campaign to be tracked broadly without overstating which samples can be linked directly to PhantomEnigma.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How&nbsp;PhantomEnigma&nbsp;Rotates Its Infrastructure&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">PhantomEnigma&nbsp;uses several separate infrastructure layers for delivery, command-and-control communication,&nbsp;and data exfiltration. This structure helps the operation rotate domains&nbsp;and compromised hosts without changing its underlying malware.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The main infrastructure includes:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Delivery domains:<\/strong> Cloudflare-fronted .com domains, including randomly generated names and Pol\u00edcia Civil lookalikes such as policiacivilmg[.]com, pccvill[.]com, and zsxocjarsate[.]com.<\/li>\n\n\n\n<li><strong>Origin infrastructure:<\/strong>&nbsp;DNS records linked some delivery domains to&nbsp;likely origin&nbsp;servers behind the Cloudflare proxy.&nbsp;<\/li>\n\n\n\n<li><strong>Beacon infrastructure:<\/strong>&nbsp;Separate IP addresses&nbsp;hosted&nbsp;the \/laravel.php&nbsp;system-information endpoint&nbsp;and other backdoor communications.&nbsp;<\/li>\n\n\n\n<li><strong>Compromised delivery hosts:<\/strong>&nbsp;At least 20 legitimate Brazilian&nbsp;government portals were used to distribute malicious files or redirect victims.&nbsp;These include marapoama.sp.gov[.]br, poa.sp.gov[.]br,&nbsp;and areal.rj.gov[.]br, as well as newly observed hosts including timon.ma.gov[.]br, loginam.sesp.es.gov[.]br&nbsp;(state public security), aplicacao.cbm.mt.gov[.]br&nbsp;(fire department), prodoc.ap.gov[.]br,&nbsp;and others.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The compromised government systems appear to be independently affected legitimate websites rather than infrastructure owned by the operator. Their use gives the campaign a trusted delivery channel while making malicious activity harder to separate from normal traffic.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The infrastructure also rotates regularly.&nbsp;In several observed cases, the compromised delivery host&nbsp;and associated C2 domain changed together over a period of weeks.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For defenders, this means blocking a single domain or IP address may provide only temporary protection. Monitoring recurring build characteristics, backdoor communication patterns,&nbsp;and newly compromised delivery infrastructure provides more durable coverage as the campaign evolves.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Observed&nbsp;PhantomEnigma&nbsp;C2 Infrastructure&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The table below shows representative domains linked to the campaign&nbsp;and illustrates how&nbsp;PhantomEnigma&nbsp;combines police-themed lookalikes with randomly generated domain names.&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-348\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"9\"\n           data-wpID=\"348\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bc-FFFFFF wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Domain\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bc-FFFFFF wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Role or naming pattern\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bc-FFFFFF wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Observed status\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        policiacivilmg[.]com\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Pol\u00edcia Civil MG lookalike\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        No longer active at the time of review\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        pccvill[.]com\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Police-themed lookalike\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        No longer active at the time of review\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        pccvioo[.]com\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Police-themed lookalike\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        No longer active at the time of review\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        dahieenloo[.]com\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Randomly generated domain\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Recently observed\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        psznaoehteeh[.]com\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Randomly generated domain\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Active in recent activity\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        taaeiuep[.]com\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Domain linked to Inno Setup\u00a0and\u00a0Procura\u00e7\u00e3o\u00a0Digital activity\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        No longer active at the time of review\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        eeresofeuae[.]com\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Randomly generated domain\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Recently observed\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        zsxocjarsate[.]com\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Live \/nbw\/ backdoor endpoint confirmed during re-detonation\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Confirmed active on July 12, 2026\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-348'>\ntable#wpdtSimpleTable-348{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-348 td, table.wpdtSimpleTable348 th { white-space: normal !important; }\n.wpdt-bc-FFFFFF { background-color: #FFFFFF !important;}\n<\/style>\n\n\n\n\n<p class=\"wp-block-paragraph\">The changing domain set reinforces why defenders should not rely on a single IOC or static blocklist. Detection should also cover the recurring build chain&nbsp;and backdoor communication patterns.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The&nbsp;Of\u00edcio-PC Phishing&nbsp;and Delivery Operation&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"580\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.57.18-1024x580.png\" alt=\"\" class=\"wp-image-22143\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.57.18-1024x580.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.57.18-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.57.18-768x435.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.57.18-1536x870.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.57.18-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.57.18-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.57.18-740x419.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-20.57.18.png 1936w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Of\u00edcio-PC phishing<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">During the investigation, ANY.RUN analysts examined what initially appeared to be a separate Brazil-focused phishing operation. The campaign used fake <strong>\u201cOf\u00edcio\u201d<\/strong> and <strong>\u201cIntima\u00e7\u00e3o Pol\u00edcia Civil\u201d<\/strong> PDF documents designed to look like official law-enforcement communications.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The files followed a consistent naming pattern, including examples such as DOC_&lt;CNPJ&gt;.pdf,&nbsp;and some&nbsp;contained&nbsp;the EXIF title&nbsp;<strong>\u201cOf\u00edcio&nbsp;Pol\u00edcia Civil.\u201d<\/strong>&nbsp;Victims were encouraged to scan&nbsp;a QR code embedded in the document, which redirected them&nbsp;through a bare-IP PHP cloaking service.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The cloaker classified visitors as either \u201cReal\u201d or \u201cFake\u201d and redirected selected users to a fraudulent <strong>\u201cVerifica\u00e7\u00e3o de Acesso\u201d<\/strong> page. This page used a ClickFix-style prompt that instructed the victim to run a PowerShell command. The command downloaded oficioprotocolo.tng and executed it through iex, allowing the attack to continue beyond the initial PDF lure.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN&nbsp;analysts&nbsp;identified&nbsp;<strong>99&nbsp;sandbox&nbsp;analyses<\/strong>&nbsp;associated with this delivery arm, with a more tightly defined core of 95.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"845\" height=\"1024\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-05.55.34-845x1024.png\" alt=\"\" class=\"wp-image-22144\" style=\"aspect-ratio:0.8251980106833671;width:550px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-05.55.34-845x1024.png 845w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-05.55.34-247x300.png 247w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-05.55.34-768x931.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-05.55.34-370x449.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-05.55.34-270x327.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-05.55.34-740x897.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-05.55.34.png 1084w\" sizes=\"auto, (max-width: 845px) 100vw, 845px\" \/><figcaption class=\"wp-element-caption\"><em>Malicious PDF file&nbsp;analyzed&nbsp;inside&nbsp;ANY.RUN&nbsp;sandbox<\/em>&nbsp;<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The activity was\u00a0observed\u00a0between January\u00a0and April 2026\u00a0and peaked in February, when 75 related\u00a0analyses were recorded. No\u00a0new activity\u00a0appeared in the dataset after April 23, 2026. However, the backend IP 195.177.94[.]103 remained active as of July 10, 2026, suggesting that parts of the infrastructure were still operational even after the observed delivery activity declined.\u00a0<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">See the full attack path behind suspicious files\u00a0and links.<\/span><br>\nGive your SOC the evidence to investigate faster.\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nGain Full\u00a0Behavior\u00a0Visibility <\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\">From&nbsp;ClickFix&nbsp;to Cobalt Strike&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The final activity visible inside the&nbsp;sandbox&nbsp;led to the&nbsp;Zabbxsoftware&nbsp;<strong>\u201cZab agent\u201d<\/strong>&nbsp;kit. This infrastructure used operator-created paths such as:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\/zab\/agent\/send&nbsp;<\/li>\n\n\n\n<li>\/api\/request\/&lt;uuid&gt;\/status&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The kit first communicated with&nbsp;logs.zabbxsoftware[.]com&nbsp;and later rotated to&nbsp;oauth.openvpnet[.]com. The delivery chain&nbsp;ultimately led&nbsp;to a&nbsp;Shellter-packed Cobalt Strike payload.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A loader named&nbsp;oficio&lt;digits&gt;PCAP.exe, with SHA-256 beginning 7de52b73\u2026, appeared in eight&nbsp;sandbox&nbsp;analyses&nbsp;and received a clean&nbsp;verdict. External malware repositories&nbsp;and vendors also&nbsp;identified&nbsp;the file as associated with Cobalt Strike&nbsp;and&nbsp;Shellter.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Why We Link This Activity to&nbsp;PhantomEnigma&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The strongest connection is the use of the same compromised government infrastructure.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At least four&nbsp;legitimate .gov.br&nbsp;and .jus.br hosts were used by both the&nbsp;Of\u00edcio-PC phishing arm&nbsp;and the&nbsp;PhantomEnigma&nbsp;Inno\/Node.js installer activity.&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-349\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"5\"\n           data-wpID=\"349\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-bc-FFFFFF\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Compromised government host\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-bc-FFFFFF\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        PhantomEnigma\u00a0installer\u00a0analyses\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-bc-FFFFFF\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Of\u00edcio-PC\u00a0sandboxanalyses\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        timon.ma.gov[.]br\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        11\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        protocolo.sorocaba.sp.gov[.]br\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        14\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        prodoc.ap.gov[.]br\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        17\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        portaldrh.tjba.jus[.]br\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        17\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-349'>\ntable#wpdtSimpleTable-349{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-349 td, table.wpdtSimpleTable349 th { white-space: normal !important; }\n.wpdt-bc-FFFFFF { background-color: #FFFFFF !important;}\n<\/style>\n\n\n\n\n<p class=\"wp-block-paragraph\">The two arms also use the same Pol\u00edcia Civil theme&nbsp;and rely on compromised public-sector infrastructure to make their delivery activity appear more trustworthy.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;Of\u00edcio-PC&nbsp;analyses&nbsp;generally stop&nbsp;at the PowerShell download stage, before the Node.js\/Inno installer becomes visible. For that reason, the absence of Node.js&nbsp;and Inno Setup tags in these&nbsp;analyses does not&nbsp;indicate&nbsp;a separate operator. It reflects the stage at which the observed execution ended.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A build-chain comparison alone is therefore not enough to separate the two arms.&nbsp;PhantomEnigma&nbsp;appears to use different delivery chains for&nbsp;different parts&nbsp;of the operation, while reusing infrastructure, themes,&nbsp;and supporting components.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Based on the shared government hosts, matching Pol\u00edcia Civil lures,&nbsp;and&nbsp;sandbox-visible delivery&nbsp;behavior,&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;assesses the link to the same operator with medium-high confidence.&nbsp;Additional&nbsp;email evidence&nbsp;and the installer-to-BAT second-stage connection further strengthen this assessment.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For security teams, recognizing these links matters. Treating the&nbsp;Of\u00edcio-PC activity&nbsp;and the Inno\/Node.js backdoor as unrelated campaigns could hide the true scope of the operation, fragment investigations, delay containment,&nbsp;and increase response&nbsp;and recovery costs.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"677\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image9-1024x677.png\" alt=\"\" class=\"wp-image-22147\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image9-1024x677.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image9-300x198.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image9-768x508.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image9-370x245.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image9-270x179.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image9-740x489.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image9.png 1190w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The BAT script from January malicious campaign<\/em><\/figcaption><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/imagea-1024x535.png\" alt=\"\" class=\"wp-image-22148\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/imagea-1024x535.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/imagea-300x157.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/imagea-768x401.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/imagea-370x193.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/imagea-270x141.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/imagea-740x387.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/imagea.png 1504w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The BAT script from public research<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">Defining the&nbsp;PhantomEnigma&nbsp;Cluster Boundaries&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">During the investigation,\u00a0analysts\u00a0identified\u00a0several adjacent malware clusters that initially appeared connected to\u00a0PhantomEnigma. These included malicious GitHub releases, a help.bat loader,\u00a0and\u00a0Steal Cactivity linked\u00a0through shared scripts\u00a0and public metadata.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Further analysis showed that these clusters should not be included in the confirmed PhantomEnigma activity based on the available evidence.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"748\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image5-1024x748.png\" alt=\"\" class=\"wp-image-22146\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image5-1024x748.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image5-300x219.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image5-768x561.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image5-370x270.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image5-270x197.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image5-740x540.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image5.png 1086w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The BAT script from new GitHub repo<\/em>&nbsp;<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The help.bat \/ kak[.]is loader uses a logic-identical template across 56 sandbox analyses. Its execution chain includes get_it.php, Base64-encoded data.json, a password-protected archive, file staging in PUBLIC\\Documents, a timed delay, and MSI execution.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, this loader did not overlap with the core PhantomEnigma build-chain and backdoor signals. Instead, it delivered commodity malware such as HijackLoader, Emmenhtal, ClickFix, and other MSI-based payloads. No PhantomEnigma Node.js backdoor was observed in this cluster.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The GitHub-to-StealC activity also showed important differences. It lacked the same installer and backdoor characteristics, used separate infrastructure and registration patterns, and had a different submission profile. The proposed connection relies partly on GitHub commit metadata that is not visible in the sandbox and is not enough on its own to confirm a shared operator.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The evidence therefore supports treating these clusters as adjacent activity that may reuse common tools or distribution methods, rather than confirmed PhantomEnigma operations. Keeping them separate helps maintain accurate attribution and prevents unrelated malware from being grouped into the campaign without sufficient evidence.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"676\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-21.09.10-1024x676.png\" alt=\"\" class=\"wp-image-22149\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-21.09.10-1024x676.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-21.09.10-300x198.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-21.09.10-768x507.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-21.09.10-1536x1014.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-21.09.10-370x244.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-21.09.10-270x178.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-21.09.10-740x489.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-21.09.10.png 1796w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Attribution Assessment&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The evidence supports the existence of a coordinated campaign focused primarily on Brazil. The earliest related activity in the dataset&nbsp;dates to&nbsp;January 13, 2026.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One of the strongest delivery findings involved&nbsp;an&nbsp;email sent from a Brazilian&nbsp;police department. The message passed SPF, DKIM,&nbsp;and DMARC checks,&nbsp;indicating&nbsp;that it was&nbsp;likely sent&nbsp;through a genuinely compromised mailbox rather than&nbsp;from a simply spoofed address. The recovered email&nbsp;and the accompanying \u201cOf\u00edcio&nbsp;Pol\u00edcia Civil\u201d PDF further confirm the use of official-looking police communications as a phishing lure.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"626\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image8-2-1024x626.png\" alt=\"\" class=\"wp-image-22177\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image8-2-1024x626.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image8-2-300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image8-2-768x470.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image8-2-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image8-2-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image8-2-740x452.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image8-2.png 1310w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Email security flags check inside\u00a0ANY.RUN<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The assessment is supported by several independent technical signals, including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A recurring Delphi\/Inno Setup&nbsp;and Node.js build chain&nbsp;<\/li>\n\n\n\n<li>Patched&nbsp;Boostnote&nbsp;applications&nbsp;containing&nbsp;the malicious index.js backdoor&nbsp;<\/li>\n\n\n\n<li>The&nbsp;&lt;name&gt;&nbsp;communication pattern, which sends victim system information, including the computer name&nbsp;and username&nbsp;<\/li>\n\n\n\n<li>Known campaign domains&nbsp;and seed indicators&nbsp;<\/li>\n\n\n\n<li>Compromised Brazilian&nbsp;government infrastructure used across related activity&nbsp;<\/li>\n\n\n\n<li>The&nbsp;classification of&nbsp;taaeiuep[.]com as associated with Inno Setup,&nbsp;Procura\u00e7\u00e3o&nbsp;Digital,&nbsp;and Brazil-focused malicious activity&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Based on this evidence,&nbsp;ANY.RUN&nbsp;assesses with high confidence that the observed campaign is real&nbsp;and primarily focused on Brazil.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The connection between the specific Inno\/Node.js backdoor arm and PhantomEnigma is assessed with medium-high confidence. The build chain, infrastructure, targeting, and backdoor behavior provide strong supporting evidence, but limited public research currently connects the PhantomEnigma name directly to this Boostnote-based backdoor.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> analysts identified 231 sandbox analyses sharing the broader build pattern. Within this group, approximately 108\u2013125 analyses also contained stronger PhantomEnigma indicators. This more tightly attributed core forms the basis of the campaign assessment, while the wider cluster provides additional coverage for threat hunting.<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Stay ahead of hidden attack paths.\u00a0\u00a0<\/span><br>\nStrengthen visibility\u00a0and reduce business risk with\u00a0ANY.RUN\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nReduce Business Risk\u00a0<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;Of\u00edcio-PC activity is also linked to the wider operation with medium-high confidence based on shared compromised government hosts, matching Pol\u00edcia Civil lures,&nbsp;and supporting delivery evidence. Adjacent help.bat&nbsp;and&nbsp;StealC&nbsp;clusters were kept separate because the available evidence did not support a confident operator-level connection.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This approach allows defenders to track related activity broadly while maintaining clear boundaries around what can be directly attributed to PhantomEnigma.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detection&nbsp;and Monitoring Recommendations&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Security teams can use the following methods to detect current PhantomEnigma activity and track new infrastructure as the campaign evolves.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1.&nbsp;Analyze&nbsp;suspicious files&nbsp;and links in&nbsp;an&nbsp;interactive&nbsp;sandbox&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Do not stop at&nbsp;an&nbsp;initial&nbsp;clean&nbsp;verdict. Inspect dropped files, process activity, persistence mechanisms, network requests,&nbsp;and second-stage payloads.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/app.any.run\/tasks\/34ee47ce-6571-4f83-8e11-bf04aaef316d\/\" target=\"_blank\" rel=\"noreferrer noopener\">Check PhantomEnigma&nbsp;analysis<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.32.29-1024x569.png\" alt=\"\" class=\"wp-image-22152\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.32.29-1024x569.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.32.29-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.32.29-768x427.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.32.29-1536x853.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.32.29-2048x1138.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.32.29-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.32.29-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.32.29-740x411.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>PhantomEnigma&nbsp;analyzed&nbsp;inside&nbsp;ANY.RUN&nbsp;sandbox<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Re-detonating a sample can&nbsp;also reveal&nbsp;behavior&nbsp;that did not appear during the first&nbsp;analysis, particularly when infrastructure was temporarily unavailable or the malware delayed execution.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Hunt for the malicious index.js backdoor with YARA&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Focus on the recovered backdoor code rather than&nbsp;relying only on domains, file names, or hashes that may change.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The strongest YARA rule combines several recurring characteristics:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The&nbsp;JSON.stringify() beacon structure&nbsp;<\/li>\n\n\n\n<li>COMPUTERNAME&nbsp;and USERNAME collection&nbsp;<\/li>\n\n\n\n<li>The&nbsp;String.fromCharCode&nbsp;decoding method&nbsp;<\/li>\n\n\n\n<li>Persistence&nbsp;through&nbsp;setLoginItemSettings&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">A byte-level rule&nbsp;identified&nbsp;one additional related&nbsp;sandbox&nbsp;analysis outside the original dataset. A broader rule combining&nbsp;Boostnote&nbsp;and the malicious index.js pattern&nbsp;identified&nbsp;six&nbsp;analyses&nbsp;involving .gov.br infrastructure, with no unrelated matches in the reviewed dataset.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These rules should initially be used for investigation&nbsp;and&nbsp;threat&nbsp;hunting until they are tested against a wider sample set.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Detect beacon traffic with Suricata&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Create monitoring alerts for the following patterns in plaintext or decrypted HTTP traffic:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\/laravel.php?api=api&amp;hash=&nbsp;<\/li>\n\n\n\n<li>&amp;message=PT1n&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The \/laravel.php&nbsp;pattern appeared in 16&nbsp;sandbox&nbsp;analyses&nbsp;and produced no unrelated matches in the reviewed dataset.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These signatures should first be deployed in monitoring mode so teams can validate them against normal network traffic before using them for automated blocking.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Correlate build-chain&nbsp;and network&nbsp;behavior&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Escalate activity when the recurring&nbsp;PhantomEnigma&nbsp;build chain appears together with one or more network indicators, such as:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A \/laravel.php&nbsp;beacon&nbsp;<\/li>\n\n\n\n<li>A known RAILNET IP address&nbsp;<\/li>\n\n\n\n<li>A system hostname transmitted in a POST request&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This correlation&nbsp;identified&nbsp;59&nbsp;sandbox&nbsp;analyses&nbsp;and revealed malicious network&nbsp;behavior&nbsp;in nine&nbsp;analyses that had initially received clean&nbsp;verdicts.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Monitor for new compromised government infrastructure&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use the following TI Lookup query to&nbsp;identify&nbsp;activity involving newly compromised Brazilian&nbsp;government hosts:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22domainName:%5C%22.gov.br%5C%22%20AND%20threatName:%5C%22nodejs%5C%22%20AND%20threatName:%5C%22inno*%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;.gov.br&#8221;&nbsp;AND&nbsp;threatName:&#8221;nodejs&#8221;&nbsp;AND&nbsp;threatName:&#8221;inno*&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"586\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.24.13-1024x586.png\" alt=\"\" class=\"wp-image-22153\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.24.13-1024x586.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.24.13-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.24.13-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.24.13-1536x879.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.24.13-2048x1172.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.24.13-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.24.13-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.24.13-740x423.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup query shows compromised government hosts<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Running this search regularly can&nbsp;help teams detect new delivery infrastructure as the operator moves between compromised hosts.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. Add validated indicators to security controls&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Send confirmed C2 domains, IP addresses, URLs,&nbsp;and file hashes to SIEM, SOAR, EDR,&nbsp;and network security tools&nbsp;through&nbsp;Threat&nbsp;Intelligence&nbsp;Feeds.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"454\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.38.20-1024x454.png\" alt=\"\" class=\"wp-image-22154\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.38.20-1024x454.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.38.20-300x133.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.38.20-768x340.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.38.20-1536x681.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.38.20-2048x907.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.38.20-370x164.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.38.20-270x120.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-15-at-06.38.20-740x328.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN\u2019s TI Feeds helping teams to enrich existing systems with fresh IOCs collected from 15.000&nbsp;orgs worldwide&nbsp;<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Compromised .gov.br&nbsp;and .jus.br hosts should be handled separately from attacker-controlled infrastructure. These are legitimate services that have been compromised, so blocking them broadly could disrupt access to government resources.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Combining <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox evidence<\/a>, YARA hunting, network detection, <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, and threat intelligence feeds can help security teams uncover related activity earlier, investigate clean verdicts more effectively, and reduce delays in containment.<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Reduce response time by up to\u00a021 minutes per case\u00a0<\/span><br>\nContain\u00a0threats sooner\u00a0and lower investigation costs.\u00a0\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nAccelerate\u00a0Threat\u00a0Response\u00a0 <\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Strategic Recommendations for Security Leaders&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">PhantomEnigma&nbsp;demonstrates how modern campaigns can&nbsp;evade traditional security processes by combining trusted infrastructure, modular malware,&nbsp;and rapidly changing delivery paths. Reducing business risk requires more than&nbsp;adding new IOCs\u2014it requires improving how investigations are prioritized&nbsp;and connected.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Review how &#8220;clean&#8221; verdicts are escalated.<\/strong>&nbsp;<br>Nearly one-third of the&nbsp;analyzed&nbsp;activity initially received a clean&nbsp;verdict. Establish clear escalation criteria for suspicious files delivered&nbsp;through trusted infrastructure, even when automated detections do not classify them as malicious.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Prioritize\u00a0behavioral\u00a0evidence over infrastructure alone.<\/strong>\u00a0<br>Domains, IP addresses,\u00a0and URLs can\u00a0change within days. Detection strategies should also include recurring malware\u00a0behavior, execution chains, persistence mechanisms,\u00a0and network patterns that\u00a0remain stable across campaign updates.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Treat trusted infrastructure as a potential attack vector.<\/strong>&nbsp;<br>Compromised government portals&nbsp;and legitimate email accounts can&nbsp;bypass traditional trust-based controls. Ensure security teams&nbsp;validate&nbsp;the&nbsp;behavior&nbsp;behind trusted senders&nbsp;and domains instead of relying solely on reputation.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Correlate investigations across security&nbsp;solutions.<\/strong>&nbsp;<br>Email alerts, endpoint activity,&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox&nbsp;analysis<\/a>,&nbsp;and&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">threat intelligence<\/a>&nbsp;should contribute to a single investigation. Fragmented workflows make coordinated campaigns appear as isolated incidents, delaying containment&nbsp;and increasing response costs.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Continuously&nbsp;monitor&nbsp;campaign evolution.<\/strong>&nbsp;<br>As attackers rotate infrastructure&nbsp;and update malware, detection logic should evolve as well. Regularly review new infrastructure, delivery techniques,&nbsp;and malware variants to prevent existing detections from becoming outdated.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Organizations that combine&nbsp;behavioral&nbsp;sandbox&nbsp;analysis with continuously updated&nbsp;threat&nbsp;intelligence can&nbsp;identify&nbsp;coordinated campaigns earlier, reduce investigation time,&nbsp;and limit the operational&nbsp;and&nbsp;financial impact&nbsp;of evolving&nbsp;threats.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What to Expect Next&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Weekly C2 rotation is likely to continue. New random .com domains may replace&nbsp;psznaoehteeh[.]com, while more police-themed&nbsp;typosquats&nbsp;may appear. One candidate,&nbsp;oficiospolicia[.]com, is already surfacing.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The\u00a0compromised .gov.br delivery network may also continue to grow. At least 20 hosts have been\u00a0observed, showing that the operator still relies on compromised government infrastructure to make malicious activity appear more trustworthy.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Detection may improve, but the visibility gap is unlikely to disappear. Plaintext HTTP beacons are&nbsp;relatively easy&nbsp;to&nbsp;identify, but the operator can&nbsp;move behind HTTPS&nbsp;and Cloudflare, as already seen with \/nbw\/. When this happens, domains&nbsp;and network paths become less useful, while build-chain&nbsp;analysis&nbsp;and YARA-based detection remain effective.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There is also a possibility that the GitHub-to-StealC&nbsp;and&nbsp;ClickFix&nbsp;activity belongs to the same operator. If future evidence confirms this link,&nbsp;PhantomEnigma\u2019s&nbsp;capabilities would be broader than&nbsp;currently assessed.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Security teams should therefore avoid relying on domain blocklists alone. Continuous <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox analysis<\/a>, <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a> monitoring, YARA hunting, and fresh threat intelligence feeds can help detect new infrastructure, review clean verdicts, and keep protection current as the campaign changes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">PhantomEnigma&nbsp;remains&nbsp;difficult to track because its infrastructure changes faster than&nbsp;its code. Domains rotate&nbsp;weekly,&nbsp;compromised government portals change over time,&nbsp;and some malicious samples still receive clean&nbsp;verdicts. The most reliable signal is the recurring build chain: a Delphi-compiled Inno Setup installer that deploys a patched Electron application&nbsp;containing&nbsp;an&nbsp;obfuscated index.js backdoor.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Using&nbsp;ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive&nbsp;Sandbox<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat&nbsp;Intelligence<\/a>, our&nbsp;analysts connected activity spread across clean&nbsp;verdicts, rotating infrastructure,&nbsp;and several delivery arms.&nbsp;Sandbox&nbsp;analysis exposed the execution chain, dropped files, persistence,&nbsp;and live network behavior, while TI Lookup&nbsp;and YARA helped&nbsp;identify&nbsp;related activity beyond known domains&nbsp;and file hashes.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The investigation also showed why careful attribution matters. Shared tools, hosting providers, or naming patterns are not enough to prove that separate clusters belong to the same operator. By combining code-level evidence, infrastructure&nbsp;analysis, vendor corroboration,&nbsp;and live re-detonation,&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;analysts documented a second&nbsp;PhantomEnigma&nbsp;beacon generation not covered in&nbsp;previous&nbsp;public research.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Security teams can&nbsp;apply these findings to hunt for the stable build chain, investigate clean&nbsp;analyses with matching network behavior,&nbsp;monitor&nbsp;compromised government infrastructure,&nbsp;and add validated C2 indicators to their security controls.&nbsp;ANY.RUN&nbsp;provides the&nbsp;sandbox&nbsp;visibility&nbsp;and&nbsp;threat&nbsp;intelligence needed to detect related activity earlier, shorten investigations,&nbsp;and&nbsp;contain&nbsp;compromise before it creates wider business impact.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About&nbsp;ANY.RUN&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN<\/strong><\/a>\u00a0is a leading provider of interactive malware\u00a0analysis\u00a0and threat intelligence solutions trusted by more than\u00a015,000 organizations worldwide, including 74 of the Fortune 100. \u2028Its\u00a0<strong><a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a><\/strong> and\u00a0<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomenigma-research&amp;utm_term=160726&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence<\/strong><\/a>\u00a0solutions help SOC teams\u00a0analyze suspicious \u2028files\u00a0and URLs, uncover malicious behavior, enrich alerts with actionable context,\u00a0and connect related activity across files, infrastructure,\u00a0and campaigns. This enables faster investigations, more confident response decisions,\u00a0and earlier containment of threats before they create\u00a0wider\u00a0business impact.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MITRE ATT&amp;CK<\/h2>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-350\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"15\"\n           data-wpID=\"350\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-bc-FFFFFF\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Tactic\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-bc-FFFFFF\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Technique (ID)\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-bc-FFFFFF\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Evidence\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Resource Development\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Compromise Infrastructure (T1584)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        >=20 compromised.gov[.]br\u00a0portals + mail servers (SPF\/DKIM\/DMARC pass)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Initial Access\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Spearphishing\u00a0Link (T1566.002)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        compromised Pol\u00edcia Civil \/ \"Procura\u00e7\u00e3oDigital\" leading to a download link\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        User Execution: Malicious File (T1204.002)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        victim runs the Inno-Setup installer\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        JavaScript (T1059.007)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        index.js\u00a0eval()\u00a0\/taskExecute\u00a0in the Electron runtime\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        PowerShell (T1059.001)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        stdin-fed\u00a0powershell\u00a0-ExecutionPolicyUnrestricted\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Defense Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Obfuscated Files (T1027)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        charCodeAt\u00a0self-deobfuscatingindex.js; Inno packing\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Defense Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Masquerading (T1036)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        patched\u00a0Boost Note.exerenamedGrape.exe; word-salad install\u00a0dirs\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Defense Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Sandbox\u00a0Evasion (T1497)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        sc\u00a0query \"Warsaw Technology\", WMI VM checks (part of the clean\u00a0bucket)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Persistence\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Registry Run Keys (T1547.001)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        index.js\u00a0sets HKCU \u2026\\Run +setLoginItemSettings\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Persistence\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Scheduled Task (T1053.005)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C11\"\n                    data-col-index=\"2\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        KalebAutoRun\u00a0(sibling\u00a0getloader\u00a0arm)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        System \/ Domain Info (T1082 \/ T1016)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C12\"\n                    data-col-index=\"2\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        echo %COMPUTERNAME%.%USERDNSDOMAIN%recon\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A13\"\n                    data-col-index=\"0\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Command & Control\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B13\"\n                    data-col-index=\"1\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Web Protocols (T1071.001)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C13\"\n                    data-col-index=\"2\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        hxxp\u00a0\/laravel.php\u00a0+\/nbw\/\u00a0base64\/JSON\u00a0sysinfo\u00a0beacon\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A14\"\n                    data-col-index=\"0\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Command & Control\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B14\"\n                    data-col-index=\"1\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Proxy (T1090)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C14\"\n                    data-col-index=\"2\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Cloudflare fronting of delivery C2\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A15\"\n                    data-col-index=\"0\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Exfiltration\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B15\"\n                    data-col-index=\"1\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Exfil Over C2 (T1041)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C15\"\n                    data-col-index=\"2\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        COMPUTERNAME+USERNAME+mutex\u00a0in the beacon body\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-350'>\ntable#wpdtSimpleTable-350{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-350 td, table.wpdtSimpleTable350 th { white-space: normal !important; }\n.wpdt-bc-FFFFFF { background-color: #FFFFFF !important;}\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">IOCs &amp; Artifacts&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Compromised gov domains:<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<ul class=\"wp-block-list\">\n<li>areal.rj.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>camaradelassance.mg.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>camaraparaguacu.sp.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>circ.rs.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>condemat.sp.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ferrazdevasconcelos.sp.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>floresdegoias.go.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>funrespol.pc.ro.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>lontra.mg.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>marapoama.sp.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>pinhalgrande.rs.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>poa.sp.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>protocolo.sorocaba.sp.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>seplag.mt.gov[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>policiacivil.pe.gov[.]br&nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Compromised gov URLs:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/arcese.urlsand.com\/?u=hxxps%3A%2F%2Fcamaraparaguacu.sp.gov[.]br%2Foficio%2Fx2eDBGceCF&amp;e=dd4b7717&amp;h=be3cf1fa&amp;f=y&amp;p=y&amp;m=4gql0c4CXBz334D&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/camaradelassance.mg.gov[.]br&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/camaraparaguacu.sp.gov[.]br\/doc&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/camaraparaguacu.sp.gov[.]br\/doc\/DcUXKm\/S7q88t&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/camaraparaguacu.sp.gov[.]br\/doc\/DzAe8Sxvca&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/camaraparaguacu.sp.gov[.]br\/doc\/i00hqHrGFr&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/camaraparaguacu.sp.gov[.]br\/doc\/js[.]brnUl8Z&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/camaraparaguacu.sp.gov[.]br\/doc\/naNXNW0tQ7&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/camaraparaguacu.sp.gov[.]br\/doc\/R0RU5TEpc2&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/camaraparaguacu.sp.gov[.]br\/doc\/wsVPWyP0iL&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/camaraparaguacu.sp.gov[.]br\/oficio\/mGeI1KrXIT&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/cas5-0-urlprotect.trendmicro.com\/wis\/clicktime\/v1\/query?url=hxxps%3a%2f%2fpoa.sp.gov[.]br%2fdown.php&amp;umid=a1a41f4a-228b-4622-9a1f-5fd4cbc68d26&amp;rct=1779114363&amp;auth=18576cf8abd7812271cef15c8c401c7207caa231-a9e499076e60cd525b23d7c667f1929bc0a9b294&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/circ.rs.gov[.]br\/OficioDigital.exe&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/condemat.sp.gov[.]br\/certificate\/APL3SJ9e\/723406349\/&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/ferrazdevasconcelos.sp.gov[.]br\/down.php&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/floresdegoias.go.gov[.]br\/levantamento\/v6aq7x\/prm9yG&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/lontra.mg.gov[.]br\/arquivo.php&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/marapoama.sp.gov[.]br\/doc\/4h7Bae\/Mn9K3N&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/marapoama.sp.gov[.]br\/documento\/L5fHnY\/d13mLf&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/marapoama.sp.gov[.]br\/levantamento\/M5nkwP\/dM0CgC&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/marapoama.sp.gov[.]br\/oficio\/LA9ks3d\/ldo9JodAS\/vYnerL\/fkeA5r&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/poa.sp.gov[.]br\/doc\/k9l00oFolA\/4mZKTCE4ex&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/poa.sp.gov[.]br\/doc\/KhDvexT9QX\/t4iVaErskj&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/poa.sp.gov[.]br\/doc\/wBvCEwP3tO\/oSKmMKG1sw&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/poa.sp.gov[.]br\/documento\/3QFKMM71\/527058494\/&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/poa.sp.gov[.]br\/download\/7552PRc3\/544840142\/&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/poa.sp.gov[.]br\/oficio\/anexo\/VQC7WEcf&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/protocolo.sorocaba.sp.gov[.]br\/protocolo\/kitsigns.jsp?yd=DtmcOmPD4GdPF9H06LU6tVN8lm2467QxWGDEOmFL0qWjScIylunV8re%2B0cZMiJ6O&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/protocolo.sorocaba.sp.gov[.]br\/protocolo\/signkit.jsp?yd=5F8bz2Lapfi%2Bf41ZRmsNAtfvOls6zkkpOSPYO4UqALf0x8Hv%2BZcPRgcBznBl0tH&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/url.de.m.mimecastprotect.com\/s\/cFJoCr2PqncDzNRl7U7fmf4fQ3q?domain=camaraparaguacu.sp.gov[.]br&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/www.funrespol.pc.ro.gov[.]br\/procedimento\/aQbax7Lq4R&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps:\/\/www.pinhalgrande.rs.gov[.]br\/down.php&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Malicious domains:<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<ul class=\"wp-block-list\">\n<li>188.137.246[.]189 91.92.241[.]181&nbsp;&nbsp;<\/li>\n\n\n\n<li>dahieenloo[.]com&nbsp;&nbsp;<\/li>\n\n\n\n<li>eeresofeuae[.]com <\/li>\n\n\n\n<li>logs.zabbxsoftware[.]com\u00a0\u00a0<\/li>\n\n\n\n<li>oauth.openvpnet[.]com&nbsp;&nbsp;<\/li>\n\n\n\n<li>oficiospolicia[.]com&nbsp;&nbsp;<\/li>\n\n\n\n<li>pccvill[.]com&nbsp;&nbsp;<\/li>\n\n\n\n<li>pccvioo[.]com&nbsp;&nbsp;<\/li>\n\n\n\n<li>psznaoehteeh[.]com&nbsp;&nbsp;<\/li>\n\n\n\n<li>zsxocjarsate[.]com&nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Load-bearing indicators:<\/strong>\u00a0<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fingerprint<\/strong>:\u00a0tags\u00a0delphi\u00a0\u2227\u00a0inno\u00a0\u2227 installer \u2227\u00a0nodejs\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Backdoor protocol:<\/strong>\u00a0*\/laravel.php?api=api&amp;hash=*&amp;message=PT1n*\u00a0(GET, base64 in URL)\u00a0and\u00a0POST *\/nbw\/\u00a0(JSON\u00a0[id, COMPUTERNAME, USERNAME, tag];\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Beacon C2:<\/strong>\u00a0185.219.83[.]191,\u00a0188.137.246[.]189\u00a0(AS214943 RAILNET).\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Delivery C2:<\/strong>\u00a0policiacivilmg[.]com,\u00a0dahieenloo[.]com,\u00a0pccvill[.]com,\u00a0pccvioo[.]com,\u00a0taaeiuep[.]com,\u00a0psznaoehteeh[.]com,\u00a0eeresofeuae[.]com,\u00a0zsxocjarsate[.]com.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Origin:<\/strong>&nbsp;158.94.208[.]120&nbsp;\/&nbsp;91.92.241[.]181&nbsp;(AS202412 OMEGATECH-AS, Seychelles).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Anchor hash:<\/strong>&nbsp;Procuracao_Digital.exe&nbsp;sha256&nbsp;e0dae1a04b7a3b2ae07377b0fd00681e9633532788870b3709a9e149f3ccf0e0.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dropped backdoor hash:<\/strong>\u00a0index.js\u00a0sha256\u00a071f6997866\u20262ab71c.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Sibling arm:<\/strong>\u00a0novoservidor2026[.]com\u00a0+\u00a0KalebAutoRun\u00a0(21\/21 malicious, disjoint).\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Of\u00edcio\u00a0delivery arm:<\/strong>\u00a0zabbxsoftware[.]com,\u00a0oauth.openvpnet[.]com\u00a0(rotated kit \/ CS C2),\u00a0195.177.94[.]103\u00a0\/\u00a0.193,\u00a079.110.49[.]32; CS\/Shellter\u00a0loader\u00a07de52b73\u2026296e1f64.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compromised delivery:<\/strong>\u00a0timon.ma.gov[.]br,\u00a0protocolo.sorocaba.sp.gov[.]br,\u00a0prodoc.ap.gov[.]br,\u00a0portaldrh.tjba.jus[.]br,\u00a0marapoama.sp.gov[.]br,poa.sp.gov[.]br,\u00a0loginam.sesp.es.gov[.]br,\u00a0aplicacao.cbm.mt.gov[.]br.\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Example detonations:<\/strong>\u00a0<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/b842921c-adbb-4286-a174-a8dc69450d32\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/b842921c-adbb-4286-a174-a8dc69450d32<\/a>&nbsp;(representative core; beacons live to&nbsp;185.219.83[.]191&nbsp;yet verdict = clean)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/ed34b2bd-123f-4463-9c75-856118618c29\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/ed34b2bd-123f-4463-9c75-856118618c29<\/a>\u00a0; live\u00a0POST\u00a0zsxocjarsate[.]com\/nbw\/, verdict Malicious)\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/41ce7f62-d97e-4c84-9f70-dfb5fafcfb39\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/41ce7f62-d97e-4c84-9f70-dfb5fafcfb39<\/a>&nbsp;(C2 beacon pierces Cloudflare, reaching the OMEGATECH origin)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/2803b131-be65-428a-b00d-4217c55dd605\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/2803b131-be65-428a-b00d-4217c55dd605<\/a>&nbsp;(.gov[.]br&nbsp;delivery)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Sources<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Positive Technologies (PT\u2011ESC),&nbsp;<em>Operation Phantom Enigma<\/em>,&nbsp;https:\/\/global.ptsecurity.com\/en\/research\/pt-esc-threat-intelligence\/operation-phantom-enigma\/: actor, Brazil-first victimology, extension-banker arm.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Positive Technologies (PT\u2011ESC),&nbsp;<em>Phantom in the flesh: new attacks by Phantom Enigma<\/em>,&nbsp;https:\/\/global.ptsecurity.com\/en\/research\/pt-esc-threat-intelligence\/phantom-in-the-flesh-new-attacks-by-phantom-enigma\/:&nbsp;getloader.php,&nbsp;KalebAutoRun, MSI banker&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Hacker News,&nbsp;<em>Malicious Browser Extensions Infect Over 722 Users Across Latin America<\/em>&nbsp;(2025\u201106): 722-install corroboration.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>abuse.ch&nbsp;ThreatFox:&nbsp;taaeiuep[.]com&nbsp;INNOSETUP+ProcuracaoDigital+brazil&nbsp;(conf 75)&nbsp;and&nbsp;45.141.119[.]188&nbsp;win.stealc,&nbsp;hxxps:\/\/threatfox.abuse[.]ch.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ANY.RUN&nbsp;Threat&nbsp;Intelligence, the&nbsp;PhantomEnigma&nbsp;boostnote\/Node.js\/DGA-arm writeup (hunt seed): the only source naming the&nbsp;boostnote\/laravel.php&nbsp;arm.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Of\u00edcio-PC arm: Pol\u00edcia Civil SC public QR-summons alert;&nbsp;ANY.RUN&nbsp;<em>agenteV2<\/em>&nbsp;blog&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Special Thanks&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We would like to thank <a href=\"https:\/\/x.com\/rifteyy\" target=\"_blank\" rel=\"noreferrer noopener\">Rifteyy<\/a>, an <a href=\"https:\/\/rifteyy.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Independent Malware Analyst<\/a>, for sharing an interesting lead that helped set this investigation in motion. The tip gave our researchers a valuable starting point for further analysis and validation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN&nbsp;supports open collaboration across the security community. If you have relevant samples or would like to work with us on a joint investigation, contact our team. By sharing&nbsp;expertise&nbsp;and findings, we can&nbsp;expose malicious activity faster&nbsp;and make the&nbsp;threat&nbsp;landscape safer for everyone.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An&nbsp;original&nbsp;threat&nbsp;intelligence investigation&nbsp;uncovering how trusted government infrastructure became&nbsp;an&nbsp;attack channel, placing banking organizations&nbsp;and public-sector systems at risk while revealing previously undocumented infrastructure relationships&nbsp;and actionable mitigation guidance for security leaders.&nbsp; ANY.RUN analysts have uncovered an active PhantomEnigma campaign abusing compromised government infrastructure and fake police-themed documents to target banking and public-sector organizations in Brazil. Trusted emails and legitimate [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":22166,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[80],"tags":[57,10,34],"class_list":["post-22131","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-reports","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>20+ Government Websites Hijacked: PhantomEnigma Investigation<\/title>\n<meta name=\"description\" content=\"ANY.RUN uncovers how PhantomEnigma abused 20+ Brazilian government websites, hid behind trusted infrastructure, and put banks and public agencies at risk.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ShiFu\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"26 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/\"},\"author\":{\"name\":\"ShiFu\",\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"headline\":\"Hidden Infrastructure Exposed:\u00a0ANY.RUN Reveals Hijacked Gov Websites Delivering Malware\u00a0\",\"datePublished\":\"2026-07-16T08:51:30+00:00\",\"dateModified\":\"2026-07-16T11:57:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/\"},\"wordCount\":6693,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/PhantomEnigma_cover-scaled.png\",\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Reports\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/\",\"name\":\"20+ Government Websites Hijacked: PhantomEnigma Investigation\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/PhantomEnigma_cover-scaled.png\",\"datePublished\":\"2026-07-16T08:51:30+00:00\",\"dateModified\":\"2026-07-16T11:57:58+00:00\",\"description\":\"ANY.RUN uncovers how PhantomEnigma abused 20+ Brazilian government websites, hid behind trusted infrastructure, and put banks and public agencies at risk.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/#primaryimage\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/PhantomEnigma_cover-scaled.png\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/PhantomEnigma_cover-scaled.png\",\"width\":2560,\"height\":1243,\"caption\":\"PhantomEnigma\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/phantomenigma-research\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Reports\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/category\\\/reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Hidden Infrastructure Exposed:\u00a0ANY.RUN Reveals Hijacked Gov Websites Delivering Malware\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/any.run\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/www.any.run\\\/\",\"https:\\\/\\\/x.com\\\/anyrun_app\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/30692044\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ShiFu\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/image-17.png\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/image-17.png\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/image-17.png\",\"caption\":\"ShiFu\"},\"description\":\"I'm a Threat Intelligence Analyst focused on tracking cybercriminal groups and other malicious activity clusters. I previously worked as an Application Security Engineer and have a background in CTF competitions, with experience in offensive security, malware analysis, and application security.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"20+ Government Websites Hijacked: PhantomEnigma Investigation","description":"ANY.RUN uncovers how PhantomEnigma abused 20+ Brazilian government websites, hid behind trusted infrastructure, and put banks and public agencies at risk.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/","twitter_misc":{"Written by":"ShiFu","Est. reading time":"26 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/"},"author":{"name":"ShiFu","@id":"https:\/\/any.run\/"},"headline":"Hidden Infrastructure Exposed:\u00a0ANY.RUN Reveals Hijacked Gov Websites Delivering Malware\u00a0","datePublished":"2026-07-16T08:51:30+00:00","dateModified":"2026-07-16T11:57:58+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/"},"wordCount":6693,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"image":{"@id":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/#primaryimage"},"thumbnailUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/PhantomEnigma_cover-scaled.png","keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Reports"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/","url":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/","name":"20+ Government Websites Hijacked: PhantomEnigma Investigation","isPartOf":{"@id":"https:\/\/any.run\/"},"primaryImageOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/#primaryimage"},"image":{"@id":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/#primaryimage"},"thumbnailUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/PhantomEnigma_cover-scaled.png","datePublished":"2026-07-16T08:51:30+00:00","dateModified":"2026-07-16T11:57:58+00:00","description":"ANY.RUN uncovers how PhantomEnigma abused 20+ Brazilian government websites, hid behind trusted infrastructure, and put banks and public agencies at risk.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/#primaryimage","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/PhantomEnigma_cover-scaled.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/PhantomEnigma_cover-scaled.png","width":2560,"height":1243,"caption":"PhantomEnigma"},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/phantomenigma-research\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Reports","item":"https:\/\/any.run\/cybersecurity-blog\/category\/reports\/"},{"@type":"ListItem","position":3,"name":"Hidden Infrastructure Exposed:\u00a0ANY.RUN Reveals Hijacked Gov Websites Delivering Malware\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/x.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ShiFu","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-17.png","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-17.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-17.png","caption":"ShiFu"},"description":"I'm a Threat Intelligence Analyst focused on tracking cybercriminal groups and other malicious activity clusters. I previously worked as an Application Security Engineer and have a background in CTF competitions, with experience in offensive security, malware analysis, and application security.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/22131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=22131"}],"version-history":[{"count":39,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/22131\/revisions"}],"predecessor-version":[{"id":22209,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/22131\/revisions\/22209"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/22166"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=22131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=22131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=22131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}