Hidden Infrastructure Exposed: ANY.RUN Reveals Hijacked Gov Websites Delivering Malware
An original threat intelligence investigation uncovering how trusted government infrastructure became an attack channel, placing banking organizations and public-sector systems at risk while revealing previously undocumented infrastructure relationships and actionable mitigation guidance for security leaders.
ANY.RUN analysts have uncovered an active PhantomEnigma campaign abusing compromised government infrastructure and fake police-themed documents to target banking and public-sector organizations in Brazil. Trusted emails and legitimate .gov.br links are helping the operation stay hidden.
By linking hundreds of seemingly unrelated sandbox analyses, the team exposed a coordinated operation that can delay containment, increase investigation costs, and raise the risk of fraud, data exposure, and operational disruption.
Key Takeaways
- PhantomEnigma uses compromised Brazilian government systems for delivery: At least 20 .gov.br municipal and police portals were used to distribute malware, while compromised mailboxes allowed phishing emails to pass SPF, DKIM, and DMARC checks. These government systems are part of the delivery chain, not confirmed campaign targets.
- ANY.RUN analysts uncovered a previously undocumented backdoor generation: A fresh sandbox detonation on July 12, 2026, confirmed the behavior in a live environment, showing that PhantomEnigma operates at least two beacon generations.
- The Ofício-PC quishing activity is linked to the same operator:The fake Polícia Civil QR-code PDF and ClickFix campaign included 99 sandbox analyses. At least four compromised government hosts delivered both Ofício-PC content and PhantomEnigma installers, supporting the assessment that it is another arm of the same operation.
- ANY.RUN exposed hidden infrastructure links, while the campaign’s code proved to be its most durable fingerprint: A recurring Delphi/Inno Setup and Node.js/Electron build chain identified 231 sandbox analyses even as domains, IP addresses, and delivery hosts changed.
PhantomEnigma Threat Profile
The profile below summarizes PhantomEnigma’s targeting, capabilities, scale, and potential business impact. It also shows why the operation is difficult to detect: it combines modular malware, frequently rotated infrastructure, and compromised government systems that make malicious activity appear legitimate.
| Parameter | Value |
|---|---|
| Threat type | Modular Node.js backdoor delivered by a Delphi/Inno Setup installer; multi-arm crimeware operation |
| Family / cluster | PhantomEnigma, also known as Operation Phantom Enigma |
| Actor / targeting | Brazil-focused activity targeting banking organizations, including Banco do Brasil, with compromised .gov.br infrastructure later used for delivery |
| Severity | High: active malware delivery, banking credential theft, and compromised government infrastructure |
| Business risk | Financial loss, sensitive data exposure, operational disruption, regulatory and reputational damage, and higher investigation and recovery costs |
| Sophistication | Capable: patched Electron decoy, self-deobfuscating index.js, modular eval/exec backdoor, and compromised infrastructure that allows SPF, DKIM, and DMARC checks to pass |
| Prevalence | 231 sandbox analyses from January to July 2026. Activity remainsongoing, with peaks in March (58) and May (66), and 27 analyses in July |
| First / last seen in the ANY.RUNdataset | January 15, 2026–July 10, 2026 |
| Overall confidence | High confidence that the campaign is real, documented, and focused on Brazil; medium-high confidence that the specific Inno/Node.js arm belongs to PhantomEnigma |
| Attribution basis | Build-chain analysis and vendor corroboration, including PT-ESC research, abuse.ch ThreatFox, and exact seed IOCs |
| Snapshot | Core data updated July 11, 2026; deep analysis and live re-detonation completed July 12; Ofício delivery-arm analysis updated July 13 |
One Campaign, Multiple Attack Arms
The activity first appeared to be two separate waves: Ofício-PC PDF attacks from January to April, followed by a Node.js/Inno campaign from May. However, the data shows both were active in parallel.
The PDF arm peaked in February, while the Node.js/Inno backdoor remained active from January through July, with peaks in March and May. This suggests PhantomEnigma is one coordinated operation using several attack arms, shared compromised government infrastructure, and rotating C2 systems.
How PhantomEnigma Became Harder to Detect: Timeline and Evolution
The timeline shows PhantomEnigma as one continuous operation. Gen A covers the extension-banker activity documented in public research in 2025. Gen B covers the 2026 activity observed directly in ANY.RUN, including the PDF delivery arm and the Node.js/Inno backdoor cluster. Although these were initially treated as separate phases, the data shows that they operated in parallel during the first half of 2026.

The campaign evolved along two main paths:
Target: In 2025, the activity focused on banking targets, including Banco do Brasil. By 2026, the operator was using compromised Brazilian public-sector email and hosting infrastructure. This reflects a change in delivery rather than a confirmed new victim group. Legitimate .gov.br systems gave the attackers a more trusted route to victims and helped malicious emails pass standard authentication checks.
Arsenal: The malware evolved from a browser-extension banker into a modular Inno/Node.js backdoor built around a patched Boostnote application. The download script became simpler, the decoy looked more legitimate, and the backdoor gained the ability to execute JavaScript or deliver additional files. Multiple beacon generations also remained active at the same time, using both GET and POST requests.
For security teams, these changes increase the risk of delayed detection and incomplete containment. Trusted infrastructure can reduce suspicion, modular payloads can change after the initial infection, and weekly C2 rotation can quickly make static blocklists outdated. Behavior-based detection, sandbox analysis, and continuous threat hunting are therefore more reliable than individual domains, hashes, or automated verdicts alone.
PhantomEnigma Targeting: What the Data Really Shows
Submitter data can indicate where activity is being observed, but it does not confirm individual victims. The figures may be affected by MSSP resubmissions, automated feeds, and the ANY.RUN user base.
Key findings include:
- Brazil is the strongest targeting signal: It represents 60.3% of the .gov.br delivery cluster and 46% of the operator C2 cohort.
- Banking and MSSPs show the highest exposure: This aligns with public research documenting attacks against Banco do Brasil.
- The apparent US concentration is misleading: Of the 77 US submissions, 66 came from one US telecommunications source and should not be treated as separate victims.
- Adjacent clusters show different targeting patterns: The Eoto ClickFix and GitHub-to-StealC activity is not concentrated in Brazil, supporting its classification as separate operations.
How PhantomEnigma Turns Detection Gaps into Business Risk
PhantomEnigma’s use of trusted government infrastructure, clean-looking samples, and rotating C2 domains can delay investigation and give the operation more time to spread inside an organization.
The main business risks include:
- Financial loss: Compromised banking, email, or system credentials can enable fraud and unauthorized transactions.
- Delayed containment: Clean verdicts and fragmented alerts can hide the fact that several incidents belong to one coordinated operation.
- Sensitive data exposure: The modular backdoor can collect system information, execute commands, and deliver additional payloads.
- Operational disruption: A successful compromise can affect employee access, critical systems, and daily business operations.
- Higher response costs: Repeated analysis, longer investigations, and late containment increase SOC workload and recovery expenses.
- Regulatory and reputational damage: Delayed detection and data exposure can affect compliance obligations, customer trust, and partner confidence.
For security leaders, the priority is to shorten the time between the first suspicious signal and confirmed compromise. This requires connecting behavior across files, infrastructure, and sandbox analyses instead of relying only on individual hashes, domains, or automated verdicts.
Execution Chain: How the PhantomEnigma Attack Unfolds
After analyzing the phishing email inside ANY.RUN’s Interactive Sandbox, we revealed the following attack chain:
Initial delivery
The victim receives a spoofed Polícia Civil or “Procuração Digital” notary email and follows a link to a compromised government host or a police-themed typosquat .com domain.

Installer execution
The host serves a Delphi-compiled Inno Setup installer, such as Procuracao_Digital.exe. Once executed, it silently unpacks a patched Electron/Boostnote or another JavaScript-based application.
Backdoor activation
In the observed Boostnote version, the legitimate BoostIO note-taking application contains a malicious index.js file. The Electron host loads this script, which self-deobfuscates, sends victim system information to the C2 server, performs reconnaissance through child_process, creates persistence through a Run key, and enters its taskExecute loop.
Second-stage delivery
The server can return JavaScript for in-process execution through eval() or send an executable to be dropped and launched as a child process. This modular second stage is where the final payload, such as a stealer, loader, or remote management tool, is delivered.
Indicators That Survive Lure Changes
Several artifacts remain visible even as file names and lures change:
- The dropped Electron host appears as App.exe under is-*.tmp<Name>Application, including names such as DistroniceApplication and SmartSuiteifyUltraWare.
- The decoy binary is a patched Boost Note.exe, later renamed Grape.exe to avoid the known decoy string. Installation directories use random word combinations such as UltraSuiteSmartCoreware and ProSoftxUltraToolator.
Inside the Backdoor: Static Deobfuscation and Live Re-Detonation
This investigation revealed backdoor behavior that we found was not documented in previous public research. To validate it, ANY.RUN analysts completed two controlled steps: extracting and deobfuscatingthe dropped index.js file, then re-detonating the original installer to confirm the behavior in a live sandbox environment.
First, analysts recovered the real resourcesappindex.js file, measuring 239,459 bytes, from the anchor session’s full JSON report. The file was extracted with 7-Zip and deobfuscated in Python without being executed through Node.js or eval().
The analysis reversed two layers of obfuscation. The Boostnote wrapper used an obfuscator.io string array with a custom lowercase-first Base64 alphabet, while the malicious strings were stored as character-code arrays and decoded through String.fromCharCode(…).
This build also differed from the generation described in earlier public research. It did not contain the 1874371588 XOR scheme or the laravel string, indicating a simpler but distinct version of the backdoor.
The deobfuscated logic showed that the malware:
- Sends system information to the /nbw/ endpoint
- Creates a persistent eight-character machine ID in %APPDATA%
- Reads an affiliate or campaign tag stored beside the installer
- Checks for new commands every 180 seconds
- Executes JavaScript directly through eval()
- Drops and runs executable files
- Establishes persistence through setLoginItemSettings
The deobfuscated backdoor, shown in simplified pseudocode:

A New Beacon Generation
The recovered sample sends a POST request to /nbw/ with a JSON body containing the machine ID, computer name, username, and campaign tag.
This differs from the previously documented GET request:
/laravel.php?api=api&hash=<b64>&message=PT1n<b64>
The evidence therefore indicates that PhantomEnigma operates at least two beacon generations. Despite the different communication formats, both share the same Delphi/Inno and patched Boostnote build chain, modular JavaScript or executable payload delivery, and login persistence.


A fresh detonation on July 12, 2026, confirmed the behavior in a live environment. The sample resolved and sent a POST request to: hxxps://zsxocjarsate[.]com/nbw/
This confirmed that the deobfuscated /nbw/ path was actively used and identified zsxocjarsate[.]com as a live C2 domain. The analysis also recovered the dropped index.js hash: 71f6997866…2ab71c
The static code analysis and ANY.RUN’s live sandbox behavior produced matching results.
Why Build-Chain Evidence Outlasts Rotating Infrastructure
Known C2 domains help connect related activity, but they are not reliable enough to serve as the main detection key. The largest seed domain, policiacivilmg[.]com, appears in only 34 of the 231 core sandboxanalysis sessions, or 15% of the cluster. The previously cited figure of 55 refers to index-wide DNS activity, not sessions within the core cluster.
The full ten-domain seed set covers only 77 of the 231 sessions, or 33%. Two-thirds of the cluster never contacted any known C2 domain. Instead, those sessions used compromised .gov.br hosts or infrastructure that had already rotated out of view.
To find a more stable signal, ANY.RUN analysts used Threat Intelligence Lookup together with YARA and static detection tags to search across the samples’ build characteristics.
Individually, the tags are common across the dataset:
- nodejs: 2,496 sandbox sessions
- inno: 10,719 sandbox sessions
- delphi: 17,233 sandbox sessions
- installer: 11,567 sandbox sessions
Combined, however, the four tags identify exactly 231 sessions. The combination of the nodejs and inno tags also identifies all 231 sandbox analyses, providing full coverage of the cluster.
The combination reflects the recurring build chain: a Delphi-compiled Inno Setup installer carrying an embedded Node.js or Electron application. The Combined, however, the four tags identify exactly 231 sessions. The nodejs and inno combination alone also returns all 231, providing full recall across the cluster.
The three tags come from ANY.RUN YARA and static detections applied to the sample bytes, including:
- Compiled with Borland Delphi
- Detects InnoSetup installer
- Node.js compiler detected
This means analysts can identify the malware by its build characteristics even as the operator changes C2 domains, IP addresses, and compromised delivery hosts.
Use the following TI Lookup query to find related activity involving compromised Brazilian government infrastructure:
TI Lookup query: domainName:”.gov.br” AND threatName:”nodejs” AND threatName:”inno*”

The initial ANY.RUN’s Threat Intelligence Lookup query provided a broader starting point for identifying related sandbox sessions. Analysts could then combine the build-chain tags with stronger campaign indicators, such as known C2 infrastructure, compromised .gov.br hosts, beacon IP addresses, and the /laravel.php or /nbw/ communication patterns.
Attribution with Broader Detection Coverage
ANY.RUN analysts identified 231 sandbox analyses that share the same distinctive build chain. This wider cluster gives defenders a strong basis for threat hunting, even when domains, IP addresses, and delivery infrastructure change.
Within that cluster, approximately 108–125 analyses also contain stronger PhantomEnigma indicators, including known C2 infrastructure, compromised .gov.br hosts, beacon IPs, and the /laravel.php or /nbw/ communication patterns.
This gives defenders two useful levels of visibility: a wider cluster for threat hunting and a more tightly attributed core for higher-confidence investigation and response. It also allows the campaign to be tracked broadly without overstating which samples can be linked directly to PhantomEnigma.
How PhantomEnigma Rotates Its Infrastructure
PhantomEnigma uses several separate infrastructure layers for delivery, command-and-control communication, and data exfiltration. This structure helps the operation rotate domains and compromised hosts without changing its underlying malware.
The main infrastructure includes:
- Delivery domains: Cloudflare-fronted .com domains, including randomly generated names and Polícia Civil lookalikes such as policiacivilmg[.]com, pccvill[.]com, and zsxocjarsate[.]com.
- Origin infrastructure: DNS records linked some delivery domains to likely origin servers behind the Cloudflare proxy.
- Beacon infrastructure: Separate IP addresses hosted the /laravel.php system-information endpoint and other backdoor communications.
- Compromised delivery hosts: At least 20 legitimate Brazilian government portals were used to distribute malicious files or redirect victims. These include marapoama.sp.gov[.]br, poa.sp.gov[.]br, and areal.rj.gov[.]br, as well as newly observed hosts including timon.ma.gov[.]br, loginam.sesp.es.gov[.]br (state public security), aplicacao.cbm.mt.gov[.]br (fire department), prodoc.ap.gov[.]br, and others.
The compromised government systems appear to be independently affected legitimate websites rather than infrastructure owned by the operator. Their use gives the campaign a trusted delivery channel while making malicious activity harder to separate from normal traffic.
The infrastructure also rotates regularly. In several observed cases, the compromised delivery host and associated C2 domain changed together over a period of weeks.
For defenders, this means blocking a single domain or IP address may provide only temporary protection. Monitoring recurring build characteristics, backdoor communication patterns, and newly compromised delivery infrastructure provides more durable coverage as the campaign evolves.
Observed PhantomEnigma C2 Infrastructure
The table below shows representative domains linked to the campaign and illustrates how PhantomEnigma combines police-themed lookalikes with randomly generated domain names.
| Domain | Role or naming pattern | Observed status |
|---|---|---|
| policiacivilmg[.]com | Polícia Civil MG lookalike | No longer active at the time of review |
| pccvill[.]com | Police-themed lookalike | No longer active at the time of review |
| pccvioo[.]com | Police-themed lookalike | No longer active at the time of review |
| dahieenloo[.]com | Randomly generated domain | Recently observed |
| psznaoehteeh[.]com | Randomly generated domain | Active in recent activity |
| taaeiuep[.]com | Domain linked to Inno Setup and Procuração Digital activity | No longer active at the time of review |
| eeresofeuae[.]com | Randomly generated domain | Recently observed |
| zsxocjarsate[.]com | Live /nbw/ backdoor endpoint confirmed during re-detonation | Confirmed active on July 12, 2026 |
The changing domain set reinforces why defenders should not rely on a single IOC or static blocklist. Detection should also cover the recurring build chain and backdoor communication patterns.
The Ofício-PC Phishing and Delivery Operation

During the investigation, ANY.RUN analysts examined what initially appeared to be a separate Brazil-focused phishing operation. The campaign used fake “Ofício” and “Intimação Polícia Civil” PDF documents designed to look like official law-enforcement communications.
The files followed a consistent naming pattern, including examples such as DOC_<CNPJ>.pdf, and some contained the EXIF title “Ofício Polícia Civil.” Victims were encouraged to scan a QR code embedded in the document, which redirected them through a bare-IP PHP cloaking service.
The cloaker classified visitors as either “Real” or “Fake” and redirected selected users to a fraudulent “Verificação de Acesso” page. This page used a ClickFix-style prompt that instructed the victim to run a PowerShell command. The command downloaded oficioprotocolo.tng and executed it through iex, allowing the attack to continue beyond the initial PDF lure.
ANY.RUN analysts identified 99 sandbox analyses associated with this delivery arm, with a more tightly defined core of 95.

The activity was observed between January and April 2026 and peaked in February, when 75 related analyses were recorded. No new activity appeared in the dataset after April 23, 2026. However, the backend IP 195.177.94[.]103remained active as of July 10, 2026, suggesting that parts of the infrastructure were still operational even after the observed delivery activity declined.
From ClickFix to Cobalt Strike
The final activity visible inside the sandbox led to the Zabbxsoftware “Zab agent” kit. This infrastructure used operator-created paths such as:
- /zab/agent/send
- /api/request/<uuid>/status
The kit first communicated with logs.zabbxsoftware[.]com and later rotated to oauth.openvpnet[.]com. The delivery chain ultimately led to a Shellter-packed Cobalt Strike payload.
A loader named oficio<digits>PCAP.exe, with SHA-256 beginning 7de52b73…, appeared in eight sandbox analyses and received a clean verdict. External malware repositories and vendors also identified the file as associated with Cobalt Strike and Shellter.
Why We Link This Activity to PhantomEnigma
The strongest connection is the use of the same compromised government infrastructure.
At least four legitimate .gov.br and .jus.br hosts were used by both the Ofício-PC phishing arm and the PhantomEnigma Inno/Node.js installer activity.
| Compromised government host | PhantomEnigma installer analyses | Ofício-PC sandboxanalyses |
|---|---|---|
| timon.ma.gov[.]br | 11 | 3 |
| protocolo.sorocaba.sp.gov[.]br | 2 | 14 |
| prodoc.ap.gov[.]br | 1 | 17 |
| portaldrh.tjba.jus[.]br | 1 | 17 |
The two arms also use the same Polícia Civil theme and rely on compromised public-sector infrastructure to make their delivery activity appear more trustworthy.
The Ofício-PC analyses generally stop at the PowerShell download stage, before the Node.js/Inno installer becomes visible. For that reason, the absence of Node.js and Inno Setup tags in these analyses does not indicate a separate operator. It reflects the stage at which the observed execution ended.
A build-chain comparison alone is therefore not enough to separate the two arms. PhantomEnigma appears to use different delivery chains for different parts of the operation, while reusing infrastructure, themes, and supporting components.
Based on the shared government hosts, matching Polícia Civil lures, and sandbox-visible delivery behavior, ANY.RUN assesses the link to the same operator with medium-high confidence. Additional email evidence and the installer-to-BAT second-stage connection further strengthen this assessment.
For security teams, recognizing these links matters. Treating the Ofício-PC activity and the Inno/Node.js backdoor as unrelated campaigns could hide the true scope of the operation, fragment investigations, delay containment, and increase response and recovery costs.


Defining the PhantomEnigma Cluster Boundaries
During the investigation, analysts identified several adjacent malware clusters that initially appeared connected to PhantomEnigma. These included malicious GitHub releases, a help.bat loader, and StealCactivity linked through shared scripts and public metadata.
Further analysis showed that these clusters should not be included in the confirmed PhantomEnigma activity based on the available evidence.

The help.bat / kak[.]is loader uses a logic-identical template across 56 sandbox analyses. Its execution chain includes get_it.php, Base64-encoded data.json, a password-protected archive, file staging in PUBLICDocuments, a timed delay, and MSI execution.
However, this loader did not overlap with the core PhantomEnigma build-chain and backdoor signals. Instead, it delivered commodity malware such as HijackLoader, Emmenhtal, ClickFix, and other MSI-based payloads. No PhantomEnigma Node.js backdoor was observed in this cluster.
The GitHub-to-StealC activity also showed important differences. It lacked the same installer and backdoor characteristics, used separate infrastructure and registration patterns, and had a different submission profile. The proposed connection relies partly on GitHub commit metadata that is not visible in the sandbox and is not enough on its own to confirm a shared operator.
The evidence therefore supports treating these clusters as adjacent activity that may reuse common tools or distribution methods, rather than confirmed PhantomEnigma operations. Keeping them separate helps maintain accurate attribution and prevents unrelated malware from being grouped into the campaign without sufficient evidence.

Attribution Assessment
The evidence supports the existence of a coordinated campaign focused primarily on Brazil. The earliest related activity in the dataset dates to January 13, 2026.
One of the strongest delivery findings involved an email sent from a Brazilian police department. The message passed SPF, DKIM, and DMARC checks, indicating that it was likely sent through a genuinely compromised mailbox rather than from a simply spoofed address. The recovered email and the accompanying “Ofício Polícia Civil” PDF further confirm the use of official-looking police communications as a phishing lure.

The assessment is supported by several independent technical signals, including:
- A recurring Delphi/Inno Setup and Node.js build chain
- Patched Boostnote applications containing the malicious index.js backdoor
- The <name> communication pattern, which sends victim system information, including the computer name and username
- Known campaign domains and seed indicators
- Compromised Brazilian government infrastructure used across related activity
- The classification of taaeiuep[.]com as associated with Inno Setup, Procuração Digital, and Brazil-focused malicious activity
Based on this evidence, ANY.RUN assesses with high confidence that the observed campaign is real and primarily focused on Brazil.
The connection between the specific Inno/Node.js backdoor arm and PhantomEnigma is assessed with medium-high confidence. The build chain, infrastructure, targeting, and backdoor behavior provide strong supporting evidence, but limited public research currently connects the PhantomEnigma name directly to this Boostnote-based backdoor.
ANY.RUN analysts identified 231 sandbox analyses sharing the broader build pattern. Within this group, approximately 108–125 analyses also contained stronger PhantomEnigma indicators. This more tightly attributed core forms the basis of the campaign assessment, while the wider cluster provides additional coverage for threat hunting.
The Ofício-PC activity is also linked to the wider operation with medium-high confidence based on shared compromised government hosts, matching Polícia Civil lures, and supporting delivery evidence. Adjacent help.bat and StealC clusters were kept separate because the available evidence did not support a confident operator-level connection.
This approach allows defenders to track related activity broadly while maintaining clear boundaries around what can be directly attributed to PhantomEnigma.
Detection and Monitoring Recommendations
Security teams can use the following methods to detect current PhantomEnigma activity and track new infrastructure as the campaign evolves.
1. Analyze suspicious files and links in an interactive sandbox
Do not stop at an initial clean verdict. Inspect dropped files, process activity, persistence mechanisms, network requests, and second-stage payloads.

Re-detonating a sample can also reveal behavior that did not appear during the first analysis, particularly when infrastructure was temporarily unavailable or the malware delayed execution.
2. Hunt for the malicious index.js backdoor with YARA
Focus on the recovered backdoor code rather than relying only on domains, file names, or hashes that may change.
The strongest YARA rule combines several recurring characteristics:
- The JSON.stringify() beacon structure
- COMPUTERNAME and USERNAME collection
- The String.fromCharCode decoding method
- Persistence through setLoginItemSettings
A byte-level rule identified one additional related sandbox analysis outside the original dataset. A broader rule combining Boostnote and the malicious index.js pattern identified six analyses involving .gov.br infrastructure, with no unrelated matches in the reviewed dataset.
These rules should initially be used for investigation and threat hunting until they are tested against a wider sample set.
3. Detect beacon traffic with Suricata
Create monitoring alerts for the following patterns in plaintext or decrypted HTTP traffic:
- /laravel.php?api=api&hash=
- &message=PT1n
The /laravel.php pattern appeared in 16 sandbox analyses and produced no unrelated matches in the reviewed dataset.
These signatures should first be deployed in monitoring mode so teams can validate them against normal network traffic before using them for automated blocking.
4. Correlate build-chain and network behavior
Escalate activity when the recurring PhantomEnigma build chain appears together with one or more network indicators, such as:
- A /laravel.php beacon
- A known RAILNET IP address
- A system hostname transmitted in a POST request
This correlation identified 59 sandbox analyses and revealed malicious network behavior in nine analyses that had initially received clean verdicts.
5. Monitor for new compromised government infrastructure
Use the following TI Lookup query to identify activity involving newly compromised Brazilian government hosts:
domainName:”.gov.br” AND threatName:”nodejs” AND threatName:”inno*”

Running this search regularly can help teams detect new delivery infrastructure as the operator moves between compromised hosts.
6. Add validated indicators to security controls
Send confirmed C2 domains, IP addresses, URLs, and file hashes to SIEM, SOAR, EDR, and network security tools through Threat Intelligence Feeds.

Compromised .gov.br and .jus.br hosts should be handled separately from attacker-controlled infrastructure. These are legitimate services that have been compromised, so blocking them broadly could disrupt access to government resources.
Combining sandbox evidence, YARA hunting, network detection, TI Lookup, and threat intelligence feeds can help security teams uncover related activity earlier, investigate clean verdicts more effectively, and reduce delays in containment.
Strategic Recommendations for Security Leaders
PhantomEnigma demonstrates how modern campaigns can evade traditional security processes by combining trusted infrastructure, modular malware, and rapidly changing delivery paths. Reducing business risk requires more than adding new IOCs—it requires improving how investigations are prioritized and connected.
Review how “clean” verdicts are escalated.
Nearly one-third of the analyzed activity initially received a clean verdict. Establish clear escalation criteria for suspicious files delivered through trusted infrastructure, even when automated detections do not classify them as malicious.
Prioritize behavioral evidence over infrastructure alone.
Domains, IP addresses, and URLs can change within days. Detection strategies should also include recurring malware behavior, execution chains, persistence mechanisms, and network patterns that remainstable across campaign updates.
Treat trusted infrastructure as a potential attack vector.
Compromised government portals and legitimate email accounts can bypass traditional trust-based controls. Ensure security teams validate the behavior behind trusted senders and domains instead of relying solely on reputation.
Correlate investigations across security solutions.
Email alerts, endpoint activity, sandbox analysis, and threat intelligence should contribute to a single investigation. Fragmented workflows make coordinated campaigns appear as isolated incidents, delaying containment and increasing response costs.
Continuously monitor campaign evolution.
As attackers rotate infrastructure and update malware, detection logic should evolve as well. Regularly review new infrastructure, delivery techniques, and malware variants to prevent existing detections from becoming outdated.
Organizations that combine behavioral sandbox analysis with continuously updated threat intelligence can identify coordinated campaigns earlier, reduce investigation time, and limit the operational and financial impact of evolving threats.
What to Expect Next
Weekly C2 rotation is likely to continue. New random .com domains may replace psznaoehteeh[.]com, while more police-themed typosquats may appear. One candidate, oficiospolicia[.]com, is already surfacing.
The compromised .gov.br delivery network may also continue to grow. At least seven additional hosts have already been observed beyond the original 14, showing that the operator still relies on compromised government infrastructure to make malicious activity appear more trustworthy.
Detection may improve, but the visibility gap is unlikely to disappear. Plaintext HTTP beacons are relatively easy to identify, but the operator can move behind HTTPS and Cloudflare, as already seen with /nbw/. When this happens, domains and network paths become less useful, while build-chain analysis and YARA-based detection remain effective.
There is also a possibility that the GitHub-to-StealC and ClickFix activity belongs to the same operator. If future evidence confirms this link, PhantomEnigma’s capabilities would be broader than currently assessed.
Security teams should therefore avoid relying on domain blocklists alone. Continuous sandbox analysis, TI Lookup monitoring, YARA hunting, and fresh threat intelligence feeds can help detect new infrastructure, review clean verdicts, and keep protection current as the campaign changes.
Conclusion
PhantomEnigma remains difficult to track because its infrastructure changes faster than its code. Domains rotate weekly, compromised government portals change over time, and some malicious samples still receive clean verdicts. The most reliable signal is the recurring build chain: a Delphi-compiled Inno Setup installer that deploys a patched Electron application containing an obfuscated index.js backdoor.
Using ANY.RUN’s Interactive Sandbox and Threat Intelligence, our analysts connected activity spread across clean verdicts, rotating infrastructure, and several delivery arms. Sandbox analysis exposed the execution chain, dropped files, persistence, and live network behavior, while TI Lookup and YARA helped identify related activity beyond known domains and file hashes.
The investigation also showed why careful attribution matters. Shared tools, hosting providers, or naming patterns are not enough to prove that separate clusters belong to the same operator. By combining code-level evidence, infrastructure analysis, vendor corroboration, and live re-detonation, ANY.RUN analysts documented a second PhantomEnigma beacon generation not covered in previous public research.
Security teams can apply these findings to hunt for the stable build chain, investigate clean analyses with matching network behavior, monitor compromised government infrastructure, and add validated C2 indicators to their security controls. ANY.RUN provides the sandbox visibility and threat intelligence needed to detect related activity earlier, shorten investigations, and contain compromise before it creates wider business impact.
About ANY.RUN
ANY.RUN is a leading provider of interactive malware analysis and threat intelligence solutions trusted by more than 15,000 organizations worldwide, including 74 of the Fortune 100. Its Interactive Sandboxand Threat Intelligence solutions help SOC teams analyze suspicious files and URLs, uncover malicious behavior, enrich alerts with actionable context, and connect related activity across files, infrastructure, and campaigns. This enables faster investigations, more confident response decisions, and earlier containment of threats before they create wider business impact.
MITRE ATT&CK
| Tactic | Technique (ID) | Evidence |
|---|---|---|
| Resource Development | Compromise Infrastructure (T1584) | >=20 compromised.gov[.]br portals + mail servers (SPF/DKIM/DMARC pass) |
| Initial Access | Spearphishing Link (T1566.002) | compromised Polícia Civil / “ProcuraçãoDigital” leading to a download link |
| Execution | User Execution: Malicious File (T1204.002) | victim runs the Inno-Setup installer |
| Execution | JavaScript (T1059.007) | index.js eval() /taskExecute in the Electron runtime |
| Execution | PowerShell (T1059.001) | stdin-fed powershell -ExecutionPolicyUnrestricted |
| Defense Evasion | Obfuscated Files (T1027) | charCodeAt self-deobfuscatingindex.js; Inno packing |
| Defense Evasion | Masquerading (T1036) | patched Boost Note.exerenamedGrape.exe; word-salad install dirs |
| Defense Evasion | Sandbox Evasion (T1497) | sc query “Warsaw Technology”, WMI VM checks (part of the clean bucket) |
| Persistence | Registry Run Keys (T1547.001) | index.js sets HKCU …Run +setLoginItemSettings |
| Persistence | Scheduled Task (T1053.005) | KalebAutoRun (sibling getloader arm) |
| Discovery | System / Domain Info (T1082 / T1016) | echo %COMPUTERNAME%.%USERDNSDOMAIN%recon |
| Command & Control | Web Protocols (T1071.001) | hxxp /laravel.php +/nbw/ base64/JSON sysinfo beacon |
| Command & Control | Proxy (T1090) | Cloudflare fronting of delivery C2 |
| Exfiltration | Exfil Over C2 (T1041) | COMPUTERNAME+USERNAME+mutex in the beacon body |
IOCs & Artifacts
Compromised gov domains:
- areal.rj.gov[.]br
- camaradelassance.mg.gov[.]br
- camaraparaguacu.sp.gov[.]br
- circ.rs.gov[.]br
- condemat.sp.gov[.]br
- ferrazdevasconcelos.sp.gov[.]br
- floresdegoias.go.gov[.]br
- funrespol.pc.ro.gov[.]br
- lontra.mg.gov[.]br
- marapoama.sp.gov[.]br
- pinhalgrande.rs.gov[.]br
- poa.sp.gov[.]br
- protocolo.sorocaba.sp.gov[.]br
- seplag.mt.gov[.]br
- policiacivil.pe.gov[.]br
Compromised gov URLs:
- hxxps://arcese.urlsand.com/?u=hxxps%3A%2F%2Fcamaraparaguacu.sp.gov[.]br%2Foficio%2Fx2eDBGceCF&e=dd4b7717&h=be3cf1fa&f=y&p=y&m=4gql0c4CXBz334D
- hxxps://camaradelassance.mg.gov[.]br
- hxxps://camaraparaguacu.sp.gov[.]br/doc
- hxxps://camaraparaguacu.sp.gov[.]br/doc/DcUXKm/S7q88t
- hxxps://camaraparaguacu.sp.gov[.]br/doc/DzAe8Sxvca
- hxxps://camaraparaguacu.sp.gov[.]br/doc/i00hqHrGFr
- hxxps://camaraparaguacu.sp.gov[.]br/doc/js[.]brnUl8Z
- hxxps://camaraparaguacu.sp.gov[.]br/doc/naNXNW0tQ7
- hxxps://camaraparaguacu.sp.gov[.]br/doc/R0RU5TEpc2
- hxxps://camaraparaguacu.sp.gov[.]br/doc/wsVPWyP0iL
- hxxps://camaraparaguacu.sp.gov[.]br/oficio/mGeI1KrXIT
- hxxps://cas5-0-urlprotect.trendmicro.com/wis/clicktime/v1/query?url=hxxps%3a%2f%2fpoa.sp.gov[.]br%2fdown.php&umid=a1a41f4a-228b-4622-9a1f-5fd4cbc68d26&rct=1779114363&auth=18576cf8abd7812271cef15c8c401c7207caa231-a9e499076e60cd525b23d7c667f1929bc0a9b294
- hxxps://circ.rs.gov[.]br/OficioDigital.exe
- hxxps://condemat.sp.gov[.]br/certificate/APL3SJ9e/723406349/
- hxxps://ferrazdevasconcelos.sp.gov[.]br/down.php
- hxxps://floresdegoias.go.gov[.]br/levantamento/v6aq7x/prm9yG
- hxxps://lontra.mg.gov[.]br/arquivo.php
- hxxps://marapoama.sp.gov[.]br/doc/4h7Bae/Mn9K3N
- hxxps://marapoama.sp.gov[.]br/documento/L5fHnY/d13mLf
- hxxps://marapoama.sp.gov[.]br/levantamento/M5nkwP/dM0CgC
- hxxps://marapoama.sp.gov[.]br/oficio/LA9ks3d/ldo9JodAS/vYnerL/fkeA5r
- hxxps://poa.sp.gov[.]br/doc/k9l00oFolA/4mZKTCE4ex
- hxxps://poa.sp.gov[.]br/doc/KhDvexT9QX/t4iVaErskj
- hxxps://poa.sp.gov[.]br/doc/wBvCEwP3tO/oSKmMKG1sw
- hxxps://poa.sp.gov[.]br/documento/3QFKMM71/527058494/
- hxxps://poa.sp.gov[.]br/download/7552PRc3/544840142/
- hxxps://poa.sp.gov[.]br/oficio/anexo/VQC7WEcf
- hxxps://protocolo.sorocaba.sp.gov[.]br/protocolo/kitsigns.jsp?yd=DtmcOmPD4GdPF9H06LU6tVN8lm2467QxWGDEOmFL0qWjScIylunV8re%2B0cZMiJ6O
- hxxps://protocolo.sorocaba.sp.gov[.]br/protocolo/signkit.jsp?yd=5F8bz2Lapfi%2Bf41ZRmsNAtfvOls6zkkpOSPYO4UqALf0x8Hv%2BZcPRgcBznBl0tH
- hxxps://url.de.m.mimecastprotect.com/s/cFJoCr2PqncDzNRl7U7fmf4fQ3q?domain=camaraparaguacu.sp.gov[.]br
- hxxps://www.funrespol.pc.ro.gov[.]br/procedimento/aQbax7Lq4R
- hxxps://www.pinhalgrande.rs.gov[.]br/down.php
Malicious domains:
- 188.137.246[.]189 91.92.241[.]181
- dahieenloo[.]com
- eeresofeuae[.]com l
- ogs.zabbxsoftware[.]com
- oauth.openvpnet[.]com
- oficiospolicia[.]com
- pccvill[.]com
- pccvioo[.]com
- psznaoehteeh[.]com
- zsxocjarsate[.]com
Load-bearing indicators (defanged; raw in Appendix B):
- Fingerprint (spine): tags delphi ∧ inno ∧ installer ∧ nodejs (231 tasks, rotation-invariant; cluster/retro-tag only, not paint).
- Backdoor protocol (>=2 generations): */laravel.php?api=api&hash=*&message=PT1n* (GET, base64 in URL) and POST */nbw/ (JSON [id, COMPUTERNAME, USERNAME, tag];
- Beacon C2 (takedown): 185.219.83[.]191, 188.137.246[.]189 (AS214943 RAILNET).
- Delivery C2 (paint): policiacivilmg[.]com, dahieenloo[.]com, pccvill[.]com, pccvioo[.]com, taaeiuep[.]com, psznaoehteeh[.]com, eeresofeuae[.]com, zsxocjarsate[.]com.
- Origin: 158.94.208[.]120 / 91.92.241[.]181 (AS202412 OMEGATECH-AS, Seychelles).
- Anchor hash: Procuracao_Digital.exe sha256 e0dae1a04b7a3b2ae07377b0fd00681e9633532788870b3709a9e149f3ccf0e0.
- Dropped backdoor hash: index.js sha256 71f6997866…2ab71c (recovered via Gate A/B; the malicious-file hash the mirror lacked).
- Sibling arm (paint): novoservidor2026[.]com + KalebAutoRun (21/21 malicious, disjoint).
- Ofício delivery arm (paint kit infra): zabbxsoftware[.]com, oauth.openvpnet[.]com (rotated kit / CS C2), 195.177.94[.]103 / .193, 79.110.49[.]32; CS/Shellter loader 7de52b73…296e1f64.
- Compromised delivery (notify CTIR Gov; do NOT paint): timon.ma.gov[.]br, protocolo.sorocaba.sp.gov[.]br, prodoc.ap.gov[.]br, portaldrh.tjba.jus[.]br, marapoama.sp.gov[.]br,poa.sp.gov[.]br, loginam.sesp.es.gov[.]br, aplicacao.cbm.mt.gov[.]br.
Example detonations (our viewer, clickable, not IOCs):
- https://app.any.run/tasks/b842921c-adbb-4286-a174-a8dc69450d32 (representative core; beacons live to 185.219.83[.]191 yet verdict = clean)
- https://app.any.run/tasks/ed34b2bd-123f-4463-9c75-856118618c29 (our 2026‑07‑12 Gate-A re-detonation; live POST zsxocjarsate[.]com/nbw/, verdict Malicious)
- https://app.any.run/tasks/41ce7f62-d97e-4c84-9f70-dfb5fafcfb39 (C2 beacon pierces Cloudflare, reaching the OMEGATECH origin)
- https://app.any.run/tasks/2803b131-be65-428a-b00d-4217c55dd605 (.gov[.]br delivery)
Sources
- Positive Technologies (PT‑ESC), Operation Phantom Enigma, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/operation-phantom-enigma/: actor, Brazil-first victimology, extension-banker arm.
- Positive Technologies (PT‑ESC), Phantom in the flesh: new attacks by Phantom Enigma, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-in-the-flesh-new-attacks-by-phantom-enigma/: getloader.php, KalebAutoRun, MSI banker
- The Hacker News, Malicious Browser Extensions Infect Over 722 Users Across Latin America (2025‑06): 722-install corroboration.
- abuse.ch ThreatFox: taaeiuep[.]com INNOSETUP+ProcuracaoDigital+brazil (conf 75) and 45.141.119[.]188 win.stealc, hxxps://threatfox.abuse[.]ch.
- ANY.RUN Threat Intelligence, the PhantomEnigma boostnote/Node.js/DGA-arm writeup (hunt seed): the only source naming the boostnote/laravel.php arm.
- Ofício-PC arm: Polícia Civil SC public QR-summons alert; ANY.RUN agenteV2 blog
Special Thanks
We would like to thank Rifteyy, an Independent Malware Analyst, for sharing an interesting lead that helped set this investigation in motion. The tip gave our researchers a valuable starting point for further analysis and validation.
ANY.RUN supports open collaboration across the security community. If you have relevant samples or would like to work with us on a joint investigation, contact our team. By sharing expertise and findings, we can expose malicious activity faster and make the threat landscape safer for everyone.
The post Hidden Infrastructure Exposed: ANY.RUN Reveals Hijacked Gov Websites Delivering Malware appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
