Emerging Cyber Threat: Malicious Extension Targets Brazilian Users
Cybersecurity experts have recently uncovered a concerning campaign aimed at users in Brazil, which has been ongoing since early 2025. This operation primarily deploys a harmful extension for Chromium-based browsers, designed to extract sensitive user authentication information.
Phishing Tactics to Initiate the Attack
The campaign initiates through cleverly crafted phishing emails that masquerade as invoices. These emails serve as the gateway, enticing recipients to either download a malicious file linked within or to open an attachment that has been concealed within an archive. According to Klimentiy Galkin, a security researcher at Positive Technologies, several of these phishing messages have been dispatched from compromised servers belonging to actual companies. This tactic significantly enhances the likelihood of successfully deceiving recipients into falling for the scam.
Operation Phantom Enigma
The Russian cybersecurity firm tracking these activities has dubbed the initiative "Operation Phantom Enigma." Their analysis indicates that the malicious extension has been downloaded over 720 times, impacting users from Brazil, Colombia, the Czech Republic, Mexico, Russia, and Vietnam. Approximately 70 unique companies have been identified as victims, with initial details about this campaign being shared by a researcher on the social platform X in April 2025.
The Mechanics Behind the Attack
Once a recipient opens the lure, a multi-phase process begins. The embedded files contain a batch script that starts a PowerShell script. This script performs various checks, including verifying whether it is running in a virtual environment and whether a specific security product called Diebold Warsaw is installed. Warsaw, developed by GAS Tecnologia, is used in Brazil to secure banking and e-commerce transactions.
Disabling Security Features for Persistence
The PowerShell script executes more nefarious functions, such as disabling User Account Control (UAC) and configuring the same batch script to launch automatically whenever the system is rebooted. This allows the attackers to maintain a presence on the infected machine while connecting to a remote command server.
Command List of the Malicious Script
The attackers have implemented a robust command list that allows them to manipulate the compromised system:
- PING: Sends a "PONG" response to the server to confirm connectivity.
- DISCONNECT: Stops the currently running script on the victim’s machine.
- REMOVEKL: Uninstalls the script from the system.
- CHECAEXT: Checks the Windows Registry for the malicious browser extension, indicating its presence or absence.
- START_SCREEN: Installs the malicious extension in the browser without user interaction.
The identified extensions associated with this operation have already been removed from the Chrome Web Store to prevent further exploitation.
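The behaviours described above (UAC disabled, a batch script registered to run at every reboot, and a browser extension installed without user interaction, which CHECAEXT looks up in the Windows Registry) leave host-side artifacts a defender can audit. The following PowerShell script is an added example, not code from the article or from Positive Technologies; the article does not name the exact registry keys the malware writes, so the Run-key and ExtensionInstallForcelist locations are assumptions about the standard Windows and Chromium policy paths.

```powershell
# Added defensive audit (not from the original article). Checks three artifacts that match
# the described behaviour: UAC switched off, a batch file auto-started from a Run key, and
# extensions force-installed through browser policy. Run in an elevated PowerShell session.
$findings = @()
$meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')  # provider metadata to skip

# 1. UAC state: EnableLUA = 0 means User Account Control is disabled.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name EnableLUA -ErrorAction SilentlyContinue
if ($uac -and $uac.EnableLUA -eq 0) {
    $findings += 'UAC is disabled (EnableLUA = 0)'
}

# 2. Run keys whose value launches a .bat/.cmd file (auto-start persistence of a batch script).
#    Assumed location: the malware could also use a scheduled task or startup folder.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $meta) { continue }
        if ("$($p.Value)" -match '\.(bat|cmd)\b') {
            $findings += "Run entry '$($p.Name)' in $key launches a batch file: $($p.Value)"
        }
    }
}

# 3. Policy-forced extension installs for Chrome and Edge. Enterprises legitimately use this
#    mechanism, so every entry must be compared against the organisation's approved list.
$forceLists = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($key in $forceLists) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $meta) { continue }
        # Value format is "<extension id>;<update URL>"; the id is what to match against an allowlist.
        $findings += "Force-installed extension in ${key}: $($p.Value)"
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

A forcelist entry is only suspicious when its extension id is not on the organisation's approved list, so feed the output into that comparison rather than treating every hit as an infection.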
Diverse Attack Delivery Methods
Different variations of the attack have also been observed. In certain instances, attackers replace the initial batch script with Windows Installer and Inno Setup files that deliver the malicious extensions. Notably, the add-on executes harmful JavaScript when the user is on a web page tied to Banco do Brasil: it sends the user's authentication token to the attackers' server and can also display attacker-controlled content within the bank's web interface.
Geographic Linguistic Cues in Command Execution
Interestingly, some of the commands issued by the cybercriminals contain German terms, which might hint at the attackers' location or suggest that the code was adapted from other sources. Separately, the use of deceptive invoice-related communications against both businesses and ordinary Brazilian users indicates an effort to broaden the campaign's reach.
Conclusion: A Call for Vigilance
The findings from Positive Technologies underscore the distinctive tactics being employed by cybercriminals in Latin America, which rely not only on malicious browser extensions but also on installer files as a distribution channel. The intelligence shows how important it is for organizations and individual users to remain vigilant against such evolving threats.
By staying informed and cautious about unexpected emails and downloads, users can better protect themselves from falling victim to these cyber threats.