Operation Phantom Enigma

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A malicious campaign primarily targeting Brazilian residents has been discovered, with attacks detected since early 2025. The attackers distributed malware through phishing emails, some of which were sent from compromised company servers. Two attack chains were identified: one using a malicious browser extension for Google Chrome, Microsoft Edge, and Brave, and another using Mesh Agent or PDQ Connect Agent. The campaign aimed to steal authentication data for victims' bank accounts, particularly those of Banco do Brasil customers. Over 700 downloads of the malicious extension were recorded, affecting users in Brazil, Colombia, the Czech Republic, Mexico, Russia, Vietnam, and other countries. To evade detection, the attackers used techniques including virtualization checks, UAC bypass, and deletion of their own files.

OPENCTI LABELS:

powershell,phishing,stealer,banking,browser extension,mesh agent,pdq connect agent