Pular para o conteúdo principal
Close
Security

PhantomEnigma: When Trusted Infrastructure Becomes the Weapon

Gabriel Ferraresi· CEO | Tech86July 16, 20264 min
securityphantomenigmagov-brbanking-malwarethreat-huntingedrwafzero-trust

20 Brazilian government portals were hijacked to deliver malware. Criminals compromised .gov.br sites, domains that your company probably trusts by default, and turned them into banking malware delivery infrastructure. The campaign is called PhantomEnigma, detailed by ANY.RUN on July 16, 2026. We analyzed the technique and the signal is clear: when trusted infrastructure is compromised, the layers of trust become blindness.

The layered technique: legitimate email, legitimate domain, real malware

The attack works in layers, according to ANY.RUN. First, they compromise email boxes of police departments. These emails pass SPF, DKIM and DMARC because they are genuine. The email box was breached, and the messages came from inside the legitimate server. The recipient receives a Police Civil Summons or an Official Letter that looks legitimate because technically it is legitimate.

The email redirects to a compromised .gov.br portal. The site, which your security tool does not block because it trusts the domain, delivers a modular Node.js backdoor hidden inside a modified Electron application. Each layer abuses a legitimate trust. It is not a security bypass. It is the correct use of security turned against the victim.

The confirmed target: Banco do Brasil and the Warsaw plugin

According to ANY.RUN, the confirmed target of the campaign is Banco do Brasil. The malware checks whether the victim accesses autoatendimento.bb.com.br and looks for Warsaw, Brazil's banking security plugin. This is not generic malware. It is specific banking malware, built to interact with the authentication infrastructure of a Brazilian bank.

The modular Node.js backdoor inside the modified Electron app is the campaign's signature. Signatures do not catch it because the malware is new and because it hides inside a legitimate framework. Signature detection depends on knowing the payload. Behavioral detection depends on understanding what the payload does.

The scale: 231 analyses, 60.3% in Brazil, active campaign

According to ANY.RUN, 231 sandbox analyses were recorded between January and July 2026. Brazil represents 60.3% of the delivery cluster. The campaign remains active. This is not an isolated incident. It is a continuous operation that abuses institutional trust in .gov.br domains.

CTIR Gov issued Recommendation 02/2026 in September 2025. The campaign continues in July 2026. An official recommendation is necessary, but it does not replace behavioral detection at the endpoint, WAF at the edge, and a 24/7 SOC watching the traffic.

The kill chain: from email to beacon every 180 seconds

The PhantomEnigma kill chain is deliberate and patient, according to ANY.RUN. The legitimate email opens the door. The compromised .gov.br portal delivers the payload. The modular Node.js backdoor inside the modified Electron app establishes persistence on the endpoint. And then the malware starts communicating with the command and control infrastructure.

According to ANY.RUN, the campaign maintains beacons every 180 seconds. That interval is not random. It is calibrated to blend into the normal background traffic of a corporate endpoint, avoiding volume-based alerts in SIEMs configured to detect spikes. A beacon every 3 minutes is quiet enough to go unnoticed by teams that are not doing active threat hunting. That is exactly the pattern a 24/7 SOC with threat hunting needs to identify: not the spike, but the constancy.

The modularity of the backdoor is the second detail that matters. Because it runs in Node.js inside Electron, the attacker can inject new modules at runtime, adapting the malware behavior without needing a new deploy. That means today's signature may not work tomorrow. Behavioral detection at the endpoint is not an option. It is the only layer that keeps up with a payload that changes.

The structural problem: trust by reputation becomes blindness

Here is the structural problem. Your security policy trusts .gov.br. Your email tool trusts SPF, DKIM and DMARC. When the trusted infrastructure is compromised, those layers of trust become blindness.

The email passes because the server is legitimate. The site is not blocked because the domain is trusted. The malware is not detected because the signature is unknown. Each layer of trust works correctly. The problem is that the infrastructure behind it was compromised. Zero Trust is not a slogan. It is the only architectural answer to an attack that abuses exactly the trust you already hold.

We see this pattern repeatedly in corporate security audits. A reputation-based domain allowlist is treated as the definitive control, when it should only be the first layer. When the trusted origin is compromised, the allowlist becomes the vulnerability itself. WAF at the edge with Virtual Patching and behavioral EDR at the endpoint exist exactly for this scenario: validate what the traffic does, not just where it comes from.

Conclusion: when trusted infrastructure becomes the weapon

When the infrastructure you trust becomes the weapon, trust by reputation becomes vulnerability. PhantomEnigma does not exploit a code bug. It exploits the legitimate trust in .gov.br domains, in SPF, DKIM and DMARC, in police departments. The defense is no longer a patch. It is behavior, edge, endpoint, and continuous vigilance. At Tech86, we operate a 24/7 SOC with active threat hunting exactly for this scenario: when trusted infrastructure becomes the weapon, we are watching.

blog.cta_product_title

blog.cta_product_subtitle

24/7 SOC with Threat Hunting

Frequently Asked Questions

PhantomEnigma is a banking malware campaign detailed by ANY.RUN on July 16, 2026. According to ANY.RUN, 20 .gov.br portals were hijacked to deliver malware. Criminals compromised .gov.br sites, domains that companies trust by default, and turned them into banking malware delivery infrastructure. The confirmed target is Banco do Brasil, with the malware checking access to autoatendimento.bb.com.br and looking for Warsaw, Brazil's banking security plugin.

Because they are genuine. According to ANY.RUN, the criminals compromise email boxes of police departments. These emails pass SPF, DKIM and DMARC because the email box was breached, and the messages come from inside the legitimate server. The recipient receives a Police Civil Summons or an Official Letter that looks legitimate because technically it is legitimate. SPF, DKIM and DMARC are not broken. They work correctly. The problem is that the trusted infrastructure was compromised.

The structural problem is that your security policy trusts .gov.br and your email tool trusts SPF, DKIM and DMARC. When the trusted infrastructure is compromised, those layers of trust become blindness. Your security tool does not block the site because it trusts the domain. The email passes because it is technically legitimate. The layers that should protect you become blind spots exactly when they matter most.

According to ANY.RUN's analysis, defense requires five layers: stop trusting domains by reputation and validate behavior; deploy WAF with Virtual Patching at the edge to detect anomalous traffic from legitimate domains; behavioral EDR at the endpoint because the malware is new and signatures do not catch it; phishing simulation with compromised trusted source scenarios because the human is the last line; and a 24/7 SOC with threat hunting because the campaign maintains beacons every 180 seconds.

CTIR Gov issued Recommendation 02/2026 in September 2025. According to ANY.RUN, the campaign remains active in July 2026, with 231 sandbox analyses between January and July and Brazil representing 60.3% of the delivery cluster. An official recommendation does not replace behavioral detection, EDR at the endpoint, and a 24/7 SOC. When the infrastructure you trust becomes the weapon, trust by reputation becomes vulnerability.

Blog — Get in Touch

Have a question about our articles or services? Our team is ready to help.

Schedule a Meeting

Book a time slot.

Schedule Now

Email

Send us a message.

[email protected]

WhatsApp

Quick conversation.

Address

Avenida Paulista, 1636 - São Paulo - SP - 01310-200

Tech86 Specialist

Online now

Hello! How can we help scale your business today?

Tech86 Engineering

We Value Your Privacy

We use cookies and similar technologies to optimize your experience, analyze site traffic, and personalize content. By clicking "Accept All", you agree to the use of all cookies. Read our Privacy Policy.