Researchers have uncovered a stealthy phishing campaign using fake invoices to deploy browser-based malware to steal banking credentials.
A new malware campaign dubbed Operation Phantom Enigma has infected over 700 users since early 2025, primarily in Brazil but also affecting users in Colombia, Mexico, and other countries. The campaign uses phishing emails disguised as invoices to trick victims into installing a malicious browser extension capable of stealing sensitive authentication data.
Researchers at Positive Technologies identified that the attackers exploited compromised business email servers to distribute the phishing messages. Once a recipient opened the link or attachment, a multi-stage infection process began, culminating in the installation of a rogue extension on Chromium-based browsers such as Google Chrome, Microsoft Edge, and Brave.
The attack chain starts with a batch file that downloads and runs a PowerShell script. This script checks for virtual machines, disables User Account Control (UAC), sets up persistence, and connects to a command-and-control server for further instructions.
The extension installation is enforced using Windows policies to bypass user consent. Once installed, the extension monitors browsing activity and triggers malicious actions specifically when the user accesses banking sites like Banco do Brasil. These include harvesting authentication tokens and injecting malicious JavaScript or QR codes designed to manipulate user behavior.
Three malicious Chrome extension IDs associated with the campaign have since been removed from the Chrome Web Store. In some cases, the attackers used alternate methods like Windows Installer or Inno Setup installers to deploy the extension or install remote access tools such as MeshCentral Agent or PDQ Connect Agent.
Evidence also shows that the attackers maintained an open directory of auxiliary scripts, which revealed an identifier, EnigmaCyberSecurity, that may link the infrastructure to the campaign's identity.
“The study highlights the use of rather unique techniques in Latin America, including a malicious browser extension and distribution via Windows Installer and Inno Setup installers,” said Klimentiy Galkin, a security researcher at Positive Technologies.
The campaign’s focus remained heavily concentrated on Brazilian banking users, even though the attackers compromised email servers across multiple countries. Galkin noted that compromising corporate systems was likely a tactic to boost the credibility of phishing emails.
The attackers manipulate browser policy settings such as ExtensionInstallForcelist, which allows extensions to be installed on Chromium-based browsers without any user prompt.
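As an added example, not code from the Positive Technologies report, the following PowerShell audit lists every extension forced through ExtensionInstallForcelist on Chrome, Edge and Brave and flags any ID that is not on an assumed organisational allow-list, or that updates from somewhere other than the Chrome Web Store. The allow-list contents and the update-URL filter are assumptions for this example.

```powershell
# Added audit example: enumerate ExtensionInstallForcelist policy entries so a
# defender can spot extensions that were force-installed without user consent.
# Entries are stored as registry values of the form "<extension-id>;<update-url>";
# an entry with no URL defaults to the Chrome Web Store.
$PolicyRoots = @(
    'SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'SOFTWARE\Policies\BraveSoftware\Brave\ExtensionInstallForcelist'
)
$Hives = @('HKLM:', 'HKCU:')

# Hypothetical allow-list: extension IDs your organisation deploys on purpose.
$KnownGood = @()

# Chrome Web Store update endpoint; anything else is worth a closer look.
$WebStoreUpdateUrl = 'https://clients2.google.com/service/update2/crx'

$Findings = foreach ($Hive in $Hives) {
    foreach ($Root in $PolicyRoots) {
        $Path = Join-Path $Hive $Root
        if (-not (Test-Path $Path)) { continue }
        $Key = Get-Item $Path
        $Browser = ($Root -split '\\')[3]   # Chrome, Edge or Brave
        foreach ($Name in $Key.GetValueNames()) {
            $Id, $UpdateUrl = [string]$Key.GetValue($Name) -split ';', 2
            if (-not $UpdateUrl) { $UpdateUrl = $WebStoreUpdateUrl }
            $Reasons = @()
            if ($KnownGood -notcontains $Id)         { $Reasons += 'not on allow-list' }
            if ($UpdateUrl -ne $WebStoreUpdateUrl)   { $Reasons += 'non-store update URL' }
            [PSCustomObject]@{
                Hive        = $Hive
                Browser     = $Browser
                ExtensionId = $Id
                UpdateUrl   = $UpdateUrl
                Status      = if ($Reasons) { 'REVIEW: ' + ($Reasons -join ', ') } else { 'known' }
            }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No force-installed extensions found.' }
```

Run it with administrative rights so the HKLM keys are readable; any REVIEW entry should be cross-checked against the extension IDs published in the report before it is removed.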
Diebold Warsaw is a banking security plugin common in Brazil. Malware often avoids systems running it to reduce the risk of detection or interference during financial transactions.
German-language command names such as WARTEN and CODE_ZUM_LESEN may suggest that the attackers repurposed code from other malware, or that they are using foreign-language strings as misdirection.
Installer formats such as Windows Installer and Inno Setup are commonly trusted by users and antivirus tools, allowing attackers to package malicious scripts in a form that appears legitimate and reduces suspicion.
Organizations whose email servers were compromised should immediately audit email activity, change credentials, investigate any web shell or persistence mechanism, and notify clients who may have received spoofed communications.