InsighthubNews
Malicious browser extensions will infect 722 users across Latin America since early 2025

June 8, 2025 5 Min Read

Cybersecurity researchers have shed light on a new campaign, active since early 2025, that targets Brazilian users and infects Chromium-based web browsers with malicious extensions in order to siphon user authentication data.

“Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of successful attacks,” Positive Technologies security researcher Klimentiy Galkin said in the report. “The attacker used malicious extensions for Google Chrome, Microsoft Edge, and Brave Browser, as well as Mesh Agent and PDQ Connect agents.”

The Russian cybersecurity company, which is tracking the activity under the name Operation Phantom Enigma, said the malicious extensions have been downloaded 722 times from Brazil, Colombia, the Czech Republic, Mexico, Russia, Vietnam and other countries. Up to 70 unique victim companies have been identified. Several aspects of the campaign were disclosed in early April by a researcher going by the alias @Johnk3r on X.

The attack starts with a phishing email disguised as an invoice that triggers a multi-stage process to deploy a browser extension. The message encourages recipients to download files from embedded links or to open a malicious attachment contained within an archive.

The archive contains batch scripts that are responsible for downloading and launching a PowerShell script. That script performs a series of checks to determine whether it is running in a virtualized environment and whether software called Diebold Warsaw is present.

Developed by GAS Tecnologia, Warsaw is a security plugin used to protect banking and e-commerce transactions over the internet and on mobile devices in Brazil. It is noteworthy that Latin American banking Trojans such as Casbaneiro incorporate similar checks, as disclosed by ESET in October 2019.

The PowerShell script is designed to disable User Account Control (UAC), configure the batch script above to start automatically upon system restart in order to set up persistence, establish a connection with a remote server, and wait for further commands.


Here is a list of supported commands:

  • ping – reply with “pong” and send a heartbeat message to the server
  • disconnect – stop the current script process on the victim’s system
  • removekl – uninstall the script
  • checaext – check the Windows registry for the presence of the malicious browser extension and send OKEXT if it is found or NOEXT if it is not
  • start_screen – modify the ExtensionInstallForcelist policy to install the extension in the browser. This policy specifies a list of apps and extensions that are installed without user interaction.

The detected extensions (identifiers nplfchpahihhiheejpjmodggckakhglee, ckkjdiimhlanonhceggkfjlmjnenpmfm, and lkpiodmpjdhhhkdhbnncigggdgdfli) have already been removed from the Chrome Web Store.
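Because the campaign installs its extension through the ExtensionInstallForcelist policy and disables UAC, both leave a registry footprint that a defender can audit. The following PowerShell script is an added example and is not code from the Positive Technologies report; it enumerates the policy keys that Chrome, Edge and Brave honour for force-installed extensions, flags any entry whose ID matches the identifiers quoted above, and checks whether UAC has been switched off. The Brave policy path and the assumption that the script runs in an elevated session on the host under review are assumptions made here.

```powershell
# Added example (not from the report): audit force-installed browser extensions and UAC state.
# Assumption: run from an elevated PowerShell session on the Windows host being examined.

# Extension IDs quoted in the article; extend this list with your own IOCs as needed.
$KnownBadIds = @(
    'nplfchpahihhiheejpjmodggckakhglee',
    'ckkjdiimhlanonhceggkfjlmjnenpmfm',
    'lkpiodmpjdhhhkdhbnncigggdgdfli'
)

# Registry locations of the ExtensionInstallForcelist policy for Chrome, Edge and Brave
# (the Brave path is assumed here; adjust if your deployment uses a different policy root).
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\BraveSoftware\Brave\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\BraveSoftware\Brave\ExtensionInstallForcelist'
)

function Get-ForceInstalledExtensions {
    # Returns one object per force-installed extension entry found under any policy path.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            # Each value is "<extension id>;<update url>"; the ID is the part before the ';'.
            $data  = [string]$key.GetValue($name)
            $parts = $data -split ';', 2
            $id    = $parts[0].Trim()
            $url   = if ($parts.Count -gt 1) { $parts[1] } else { '' }
            [pscustomobject]@{
                PolicyPath  = $path
                ValueName   = $name
                ExtensionId = $id
                UpdateUrl   = $url
                KnownBad    = ($KnownBadIds -contains $id)
            }
        }
    }
}

function Test-UacDisabled {
    # The PowerShell stage described in the article disables UAC; EnableLUA = 0 is that change's footprint.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $sys -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($val -eq 0)
}

$extensions = @(Get-ForceInstalledExtensions)
if ($extensions.Count -eq 0) {
    Write-Output 'No ExtensionInstallForcelist entries found.'
} else {
    # Every force-installed extension deserves review, not only the known-bad IDs.
    $extensions | Format-Table -AutoSize
    $hits = @($extensions | Where-Object { $_.KnownBad })
    if ($hits.Count -gt 0) {
        Write-Warning "Found $($hits.Count) force-installed extension(s) matching the reported IDs."
    }
}

if (Test-UacDisabled) {
    Write-Warning 'UAC is disabled (EnableLUA = 0); review the host for unauthorised policy changes.'
}
```

In a managed environment, compare the listed entries against the extensions your administrators actually deploy by policy; any ID that is not on that approved list, whether or not it matches the campaign's identifiers, warrants the same investigation as a hit, and the same holds for an EnableLUA value of 0 on a host where UAC is expected to be on.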

Other attack chains swap the initial batch scripts for Windows Installer and Inno Setup installer files that are used to deliver the extension. According to Positive Technologies, the add-on is equipped to run malicious JavaScript code if the active browser tab corresponds to a web page associated with Banco do Brasil.

Specifically, it sends the user’s authentication token in a request to the attacker’s server, receives a command, and either shows the victim a loading screen (warten or schlieben_warten) or places a malicious QR code on the bank’s web page (code_zum_lesen). The presence of German words in the command names could either hint at the attacker’s location or suggest that the source code was reused from elsewhere.

In what appears to be an effort to maximize the number of potential victims, the unknown operators were also found to use invoice-related lures to distribute installer files that deploy remote access software such as the MeshCentral agent and the PDQ Connect agent in place of malicious browser extensions.


Positive Technologies said it has also identified an open directory belonging to the attacker that holds an auxiliary script (/about.php?key=enigmacybersecurity).

“This study highlights the use of fairly unique techniques in Latin America, such as malicious browser extensions and distribution via the Windows installer and the Inno Setup installer,” Galkin said.

“The files in the attacker’s open directory show that infected companies are needed to carefully distribute emails. However, the main focus of the attack remained on regular Brazilian users. The attacker’s goal is to steal authentication data for the victim’s bank account.”
