20+ Hijacked Government Websites Became an Attack Channel
More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN. The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and mult…
Intelligence analysis by Llama

A PhantomEnigma campaign hijacked over 20 Brazilian government websites, using them as trusted delivery infrastructure for malware. The campaign involved fake police-themed documents, compromised email accounts, and a modular Inno/Node.js backdoor capable of executing JavaScript and delivering additional payloads.
Imagine you get an email that looks like it's from the police or a government agency. It might have a fake police-themed document or a link that looks like a legitimate government resource. If you click on it, you might get malware on your computer. This is what happened in a recent campaign where over 20 government websites in Brazil were hijacked and used to deliver malware. It's like a trusted friend giving you a bad gift - you wouldn't suspect anything, but it could still harm you.
Analysis
A $60B Vote of Confidence in Malware Delivery Channels
The recent PhantomEnigma campaign has shown how attackers can turn trusted infrastructure into a detection advantage. By hijacking over 20 Brazilian government websites, the attackers were able to use these legitimate portals as a trusted delivery channel for malware. This approach is particularly concerning for banks and public-sector organizations, as it can expose internal systems, sensitive data, and financial operations to risk.
Why Cursor? The Campaign's Evolution
The PhantomEnigma campaign began with banking-focused activity in 2025, but it evolved to abusing compromised .gov.br websites and email accounts in 2026. This change in tactics gave the campaign a more trusted route to victims without confirming a new target group. The malware also evolved from a browser-extension banker into a modular Inno/Node.js backdoor capable of executing JavaScript and delivering additional payloads.
The Road Ahead: Containing the Risk
The risk of this campaign extends beyond one compromised endpoint. Stolen credentials and persistent backdoor access can expose internal systems, sensitive data, and financial operations to risk. Security teams should give employees a safe way to report suspicious official-looking messages and investigate them beyond the initial verdict. Behavioral analysis and continuous threat hunting provide more reliable coverage as the campaign evolves.
Key points
- Over 20 Brazilian government websites were hijacked and used as malware delivery channels in a PhantomEnigma campaign.
- The campaign involved fake police-themed documents, compromised email accounts, and a modular Inno/Node.js backdoor.
- The malware was capable of executing JavaScript and delivering additional payloads.
- The risk of this campaign extends beyond one compromised endpoint, exposing internal systems, sensitive data, and financial operations to risk.
If this development plays out positively, security teams may be able to develop more effective strategies for detecting and containing malware campaigns that use trusted infrastructure. This could involve improving employee reporting mechanisms and investing in behavioral analysis and continuous threat hunting.
If this development plays out negatively, the risk of malware campaigns using trusted infrastructure could increase, leading to more widespread attacks and greater exposure of sensitive data and financial operations.



