Malicious browser extensions are stealing sensitive authentication data

A recent malicious campaign called Operation Phantom Enigma combines phishing tactics with malicious browser extensions that bypass traditional security measures to steal sensitive data from major financial institutions. Experts believe it reflects a growing trend of multi-vector attacks designed to maximize victim reach.

It infects Chromium-based web browsers such as Google Chrome, Microsoft Edge, and Brave, and uses Remote Access Tools (RATs) such as Mesh Agent and PDQ Connect Agent.

Discovered by Positive Technologies specialists in early 2025, the campaign primarily targets Brazilian residents. Companies in other countries like Vietnam, Colombia, and Russia have also been impacted. 

How the attack works

It begins with the victim receiving phishing emails disguised as invoices, which trigger the process of deploying the malicious browser extension. Recipients are encouraged to open a malicious attachment within an archive or download a file from an embedded link.

The downloaded files are BAT scripts, Windows Installers (MSI), or Inno Setup installers that install the malicious extensions, avoid detection, and target Warsaw Technology, a widely used banking software in Brazil. This suggests the campaign was created specifically to target the Brazilian banking system. Once installed, the malware can continually harvest data while evading detection.

Once installed, the malicious extensions harvest login data and transmit it to command-and-control servers. They can also execute malicious JavaScript code when the user visits a page associated with Banco do Brasil, either sending the user's authentication token together with a request to the attackers' server or displaying a malicious QR code on the bank's web page.
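A defensive check that follows from this description, added here as an example and not code from the article, the campaign, or Positive Technologies: a small Python auditor that walks a Chromium profile's Extensions directory and flags manifests that inject content scripts into a watched banking host, or that combine broad host access with cookie and request-interception permissions (the capabilities an extension needs to read a session and relay it elsewhere). The banking hostname, the assumed directory layout (`Extensions/<id>/<version>/manifest.json`), and the two sample manifests are constructed.

```python
"""Audit Chromium extension manifests for the capabilities described above:
content scripts injected into banking pages and broad host access that would
let an extension read or relay credentials. Added example; the banking host
and the sample manifests are constructed."""
import json
from pathlib import Path

# Constructed placeholder for a protected banking host; substitute the real
# hostnames your users visit (the article names Banco do Brasil, no domain).
WATCHED_HOSTS = ("online.example-bank.com.br",)

# Match patterns that grant access to every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that, combined with broad host access, let an extension read
# session cookies or intercept requests: building blocks of credential relay.
SENSITIVE_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                         "declarativeNetRequest"}


def pattern_covers_host(pattern: str, host: str) -> bool:
    """Return True if a Chrome match pattern (scheme://host/path) applies to host."""
    if pattern in BROAD_PATTERNS:
        return True
    if "://" not in pattern:
        return False
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):          # wildcard subdomain, e.g. *.bank.tld
        base = host_part[2:]
        return host == base or host.endswith("." + base)
    return host_part == host


def audit_manifest(manifest: dict, watched_hosts=WATCHED_HOSTS) -> list:
    """Return human-readable findings for one manifest (MV2 or MV3)."""
    findings = []
    # Content scripts run inside the page; on a banking site that is exactly
    # the capability needed to read a token or overlay a QR code.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            for host in watched_hosts:
                if pattern_covers_host(pattern, host):
                    findings.append(
                        f"content script injected into {host} via {pattern}")
    # Host access lives in "permissions" (MV2) or "host_permissions" (MV3).
    permissions = set(manifest.get("permissions", []))
    host_access = permissions | set(manifest.get("host_permissions", []))
    broad = sorted(p for p in host_access if p in BROAD_PATTERNS)
    if broad:
        findings.append(f"broad host access: {', '.join(broad)}")
    sensitive = sorted(permissions & SENSITIVE_PERMISSIONS)
    if sensitive and broad:
        findings.append("sensitive permissions with broad host access: "
                        + ", ".join(sensitive))
    return findings


def audit_extensions_dir(extensions_dir) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; return {id: findings}."""
    results = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue                          # unreadable or malformed manifest
        findings = audit_manifest(manifest)
        if findings:
            results[ext_id] = findings
    return results


# Constructed sample manifests: one benign, one shaped like the behaviour above.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Tab counter",
    "permissions": ["tabs"],
}
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Invoice helper",
    "permissions": ["cookies", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*.example-bank.com.br/*"],
                         "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for name, manifest in (("benign", BENIGN_MANIFEST),
                           ("suspicious", SUSPICIOUS_MANIFEST)):
        print(name, audit_manifest(manifest) or ["no findings"])
```

On a real machine, point `audit_extensions_dir` at the profile's `Extensions` folder (for Chrome on Windows, under the user's `AppData\Local\Google\Chrome\User Data\Default`) and review every extension that produces findings against your organization's approved-extension list; an extension that a user never knowingly installed but that matches a banking host is the signal to act on.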

At the same time, the RATs can compromise the infrastructure of entire organizations by allowing attackers to move laterally across infected networks. One factor that increased the campaign's success is that some of the phishing emails were sent from the servers of compromised companies. The malicious extension had been downloaded more than 700 times from the Chrome Web Store before being removed.

As always, to avoid being caught up in such a scheme, be very vigilant with email attachments. When in doubt, don't download or click anything, and never share your authentication details over email.
