Cybersecurity researchers have shed light on a new campaign that has been targeting Brazilian users since the beginning of 2025 to infect them with malicious extensions for Chromium-based web browsers and siphon authentication data.
"Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of a successful attack," Positive Technologies security researcher Klimentiy Galkin noted in a report. "The attackers used malicious extensions for the Google Chrome, Microsoft Edge and Brave browsers, as well as MeshCentral Agent and PDQ Connect Agent."
The Russian cybersecurity company, which is tracking the activity as Operation Phantom Enigma, said the malicious extension was downloaded 722 times from Brazil, Colombia, the Czech Republic, Mexico, Russia and Vietnam, and that 70 unique victim companies were identified. Some aspects of the campaign were disclosed in early April by a researcher who goes by the pseudonym @Johnk3r on X.
The attack begins with invoice-themed phishing emails that trigger a multi-stage process to deploy the browser extension. The messages urge recipients to download a file from an embedded link or to open a malicious attachment contained in an archive.
The files contain a batch script responsible for downloading and launching a PowerShell script, which in turn performs a number of checks to determine whether it is running in a virtual environment and whether the security software Diebold Warsaw is present.
Developed by GAS Tecnologia, Warsaw is a security plugin used to protect banking and e-commerce transactions over the internet and on mobile devices in Brazil. It is worth noting that Latin American banking trojans such as Casbaneiro have included similar checks, as disclosed by ESET in October 2019.
The PowerShell script is also designed to disable User Account Control (UAC), configure the aforementioned batch script to launch automatically when the system reboots, and establish a connection with a remote server to await further commands.
The list of supported commands is as follows –
- Ping – Send a heartbeat message to the server by replying with "pong"
- Disable – Stop the current script process on the victim's system
- Remove – Delete the script
- Checaex
- Start_screen – Install the extension in the browser by modifying ExtensionInstallForcelist, a policy that defines the list of apps and extensions that are installed without any user interaction
The identified extensions (IDs NPLFCHPAHIHEEEEEEEEEEEEEEEEEEEEEEEEEEEEEGGGGGLE, CKKJDIIMHLANONHCHGKFJLMJENPMFM and LKPIODMPJDHHHHHHHHHGGGGDGDGDFLI) have already been removed from the Chrome Web Store.
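Because the Start_screen command abuses the ExtensionInstallForcelist policy, one defensive check is to audit that policy on endpoints. The following PowerShell script is an added example, not code from the report or from Positive Technologies; it assumes the standard registry locations of the policy for Chrome, Edge and Brave, and the known-bad and approved ID lists are placeholders to be filled from your own IoC feed and allowlist.

```powershell
# Added example: audit force-installed browser extensions on a Windows host.
# Placeholder lists (assumption): fill from your IoC feed / sanctioned-extension allowlist.
$KnownBad = @('PLACEHOLDER_KNOWN_BAD_EXTENSION_ID')
$Approved = @('PLACEHOLDER_APPROVED_EXTENSION_ID')

# Standard policy locations; Chromium browsers honour both HKLM and HKCU policies.
$PolicyPaths = @{
    'Chrome' = 'SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    'Edge'   = 'SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
    'Brave'  = 'SOFTWARE\Policies\BraveSoftware\Brave\ExtensionInstallForcelist'
}
# Update URLs of the official stores; anything else is a second red flag.
$StoreUrlPattern = '^https://(clients2\.google\.com/service/update2/crx|edge\.microsoft\.com/extensionwebstorebase/v1/crx)'

function Get-ForcedExtensionFindings {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($browser in $PolicyPaths.Keys) {
            $path = Join-Path $hive $PolicyPaths[$browser]
            if (-not (Test-Path $path)) { continue }
            $key = Get-Item $path
            foreach ($name in $key.GetValueNames()) {
                # Each value is "<extension id>;<update url>"; the id is the first field.
                $entry = [string]$key.GetValue($name)
                $id, $updateUrl = $entry -split ';', 2
                $verdict = if ($KnownBad -contains $id) { 'KNOWN-BAD' }
                           elseif ($Approved -contains $id) { 'approved' }
                           else { 'UNAPPROVED' }
                [pscustomobject]@{
                    Hive         = $hive
                    Browser      = $browser
                    ValueName    = $name
                    ExtensionId  = $id
                    UpdateUrl    = $updateUrl
                    FromStore    = [bool]($updateUrl -match $StoreUrlPattern)
                    Verdict      = $verdict
                }
            }
        }
    }
}

$findings = @(Get-ForcedExtensionFindings)
if ($findings.Count -eq 0) { Write-Output 'No ExtensionInstallForcelist entries found.' }
else { $findings | Sort-Object Verdict | Format-Table -AutoSize }
```

Any UNAPPROVED or KNOWN-BAD row, or an entry whose update URL is not an official store, warrants pulling the host for investigation and reviewing how the policy value was written.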
Other attack chains swap the initial batch script for a Windows Installer or Inno Setup installer that is used to deliver the extension. Positive Technologies said the add-on is equipped to execute malicious JavaScript code when the active browser tab matches the Banco do Brasil web page.
In particular, it sends the user's authentication token along with a request to the attackers' server, most likely to display a loading screen to the victim (Warten or Schlieben_warten) or to serve a malicious QR code on the bank's page (CODE_ZUM_LESN). The presence of German words for the commands could either hint at the attacker's location or indicate that the source code was borrowed from elsewhere.
In what appears to be an effort to maximize the number of potential victims, the unknown operators have also been found to use invoice-related lures to distribute installers that deploy remote access software, such as MeshCentral Agent or PDQ Connect Agent, instead of the extension.
Positive Technologies said it also identified an open directory belonging to the auxiliary scripts that contained links with parameters including the ID Enigmacebersecurity (“
"The study highlights the use of rather unique methods in Latin America, including malicious extensions and distribution of the browser add-on using Windows Installer and Inno Setup installers," Galkin said.
"Files in the attackers' open directory show that infecting companies was necessary to enable the distribution of emails on their behalf. However, the focus of the attacks remained on ordinary Brazilian users. The attackers' goal is to steal authentication data for the victims' bank accounts."