Close Menu
    What's Hot

    Venezuela earthquake: Number of known dead rises to nearly 5,000 victims | Earthquakes News

    San Francisco mayor pushes for tougher rules after the Waymo traffic fiasco

    20+ Hijacked Government Websites Became
an Attack Channel

    Facebook X (Twitter) Instagram
    Trending
    • Venezuela earthquake: Number of known dead rises to nearly 5,000 victims | Earthquakes News
    • San Francisco mayor pushes for tougher rules after the Waymo traffic fiasco
    • 20+ Hijacked Government Websites Became
an Attack Channel
    • Truth Social is selling real-time access to posts that could move the markets
    • Opinion | The Left Needs to Reclaim Its Optimism
    • Warnock and Ossoff, Georgia’s Senators, Ridicule Trump’s Election Fraud Claims
    • PBF Energy: Refining Boom Appears Stronger Than Ever (NYSE:PBF)
    • Celtic transfer news: Scottish Premiership champions struggling to compete in market, meeting notes reveal | Football News
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    20+ Hijacked Government Websites Became
an Attack Channel

    adminBy adminJuly 16, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    20+ Hijacked Government Websites Became
an Attack Channel
    Share
    Facebook Twitter LinkedIn Pinterest Email

    The Hacker NewsJul 16, 2026Malware / Endpoint Security

    20+ Hijacked Government Websites Became
an Attack Channel

    More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions.

    The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign putting banks and public agencies at risk.

    By connecting hundreds of seemingly unrelated sandbox sessions, ANY.RUN researchers exposed the operation’s broader scope and showed how trusted .gov.br links and authenticated emails helped the activity remain hidden.

    For the complete technical analysis, infrastructure details, indicators, and detection guidance, read the full PhantomEnigma investigation report

    Trusted Government Infrastructure Became the Lure

    The attack began with fake police-themed documents presented as official “Ofício Polícia Civil” or “Procuração Digital” notices. Some contained QR codes, while others directed recipients to links designed to look like legitimate government resources.

    Fake police-themed document analyzed inside ANY.RUN sandbox for full visibility into PhantomEnigma attack

    In several cases, the emails were sent through compromised mailboxes and passed SPF, DKIM, and DMARC checks. That gave the messages a stronger appearance of legitimacy than ordinary spoofed phishing emails.

    Victims were then redirected through compromised .gov.br hosts or police-themed lookalike domains before reaching the malicious installer. The government systems were used as trusted delivery infrastructure, not necessarily as the final targets of the campaign.

    Observed Government Hosts

    Among the compromised systems observed during the investigation were timon.ma.gov[.]br, loginam.sesp.es.gov[.]br (state public security), aplicacao.cbm.mt.gov[.]br (fire department), prodoc.ap.gov[.]br, and others.

    TI Lookup query that involves compromised government hosts

    These legitimate municipal, public-security, and judicial portals were used at different stages of the delivery chain. Several also appeared across more than one PhantomEnigma attack arm, helping researchers connect activity that initially looked unrelated.

    PhantomEnigma’s Evolution: Two Paths to Harder Detection

    Timeline of PhantomEnigma’s malisious activity

    The timeline shows one operation evolving along two main paths:

    Delivery: PhantomEnigma moved from banking-focused activity in 2025 to abusing compromised .gov.br websites and email accounts in 2026. This gave the campaign a more trusted route to victims without confirming a new target group.

    Arsenal: The malware evolved from a browser-extension banker into a modular Inno/Node.js backdoor capable of executing JavaScript and delivering additional payloads.

    For security teams, this combination creates a serious visibility gap. Trusted infrastructure reduces suspicion, modular payloads can change after infection, and rotating C2 domains quickly make static blocklists outdated. Behavioral analysis and continuous threat hunting provide more reliable coverage as the campaign evolves.

    From Trusted Email to Full Compromise: The PhantomEnigma Attack Chain

    The analysis process of PhantomEnigma inside interactive sandbox

    Once a victim engaged with the lure, the campaign moved through a multi-stage infection chain:

    1. Phishing email: A fake police-themed or official-document lure reaches the victim.
    2. Trusted infrastructure: The link redirects through a compromised government host or police-themed lookalike domain.
    3. Malicious installer: An Inno Setup, MSI, or another installer starts the infection.
    4. Patched Electron application: Legitimate software loads a malicious index.js backdoor.
    5. Backdoor activation: The malware collects system data, establishes persistence, and connects to rotating C2 infrastructure.
    6. Second-stage delivery: The backdoor executes JavaScript or delivers stealers, loaders, RMM software, and other malware.
    7. Business impact: The infection can lead to credential compromise, unauthorized access, fraud, data exposure, and operational disruption.

    What Researchers Found Inside PhantomEnigma’s Backdoor

    The sandbox sessions exposed more than a simple downloader. Hidden inside a patched Boostnote and other applications was a modular index.js backdoor built to identify infected machines, maintain access, and deliver different payloads on demand.

    Once activated, the backdoor could:

    • Collect the victim’s computer name, username, and system details
    • Create a persistent machine ID and read a campaign tag stored beside the installer
    • Establish persistence through login settings
    • Check for new commands every 180 seconds
    • Execute JavaScript directly through eval()
    • Download and launch executable payloads
    • Communicate through multiple beacon formats across rotating infrastructure

    This modular design allows the operator to change the final payload without rebuilding the entire infection chain. A system initially exposed to the same installer could later receive a stealer, loader, remote management tool, or another executable, making both detection and containment more difficult.

    A Warning for Banks and Public Agencies

    PhantomEnigma shows how attackers can turn trusted infrastructure into a detection advantage. A legitimate government domain, authenticated email, or clean file verdict may lower suspicion even when the infection chain is already active.

    For banks and public-sector organizations, the risk extends beyond one compromised endpoint. Stolen credentials and persistent backdoor access can expose internal systems, sensitive data, and financial operations, while fragmented alerts delay containment.

    Security teams should give employees a safe way to report suspicious official-looking messages and investigate them beyond the initial verdict. Catching the trusted lure early can prevent credential theft, additional payload delivery, and a wider operational incident.

    Get PhantomEnigma IOCs, infrastructure findings, and detection guidance to strengthen threat hunting and response.

    Access Full Report

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

    attack Becamean channel government Hijacked websites
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleTruth Social is selling real-time access to posts that could move the markets
    Next Article San Francisco mayor pushes for tougher rules after the Waymo traffic fiasco
    admin
    • Website

    Related Posts

    New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

    July 16, 2026

    Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

    July 16, 2026

    Iran condemns ‘barbaric’ US attack near children’s cancer hospital | US-Israel war on Iran News

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Venezuela earthquake: Number of known dead rises to nearly 5,000 victims | Earthquakes News

    San Francisco mayor pushes for tougher rules after the Waymo traffic fiasco

    20+ Hijacked Government Websites Became
an Attack Channel

    Truth Social is selling real-time access to posts that could move the markets

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by