20 Brazilian government portals were hijacked to deliver malware. Criminals compromised .gov.br sites, domains that your company probably trusts by default, and turned them into banking malware delivery infrastructure. The campaign is called PhantomEnigma, detailed by ANY.RUN on July 16, 2026. We analyzed the technique and the signal is clear: when trusted infrastructure is compromised, the layers of trust become blindness.
The layered technique: legitimate email, legitimate domain, real malware
The attack works in layers, according to ANY.RUN. First, they compromise email boxes of police departments. These emails pass SPF, DKIM and DMARC because they are genuine. The email box was breached, and the messages came from inside the legitimate server. The recipient receives a Police Civil Summons or an Official Letter that looks legitimate because technically it is legitimate.
The email redirects to a compromised .gov.br portal. The site, which your security tool does not block because it trusts the domain, delivers a modular Node.js backdoor hidden inside a modified Electron application. Each layer abuses a legitimate trust. It is not a security bypass. It is the correct use of security turned against the victim.
The confirmed target: Banco do Brasil and the Warsaw plugin
According to ANY.RUN, the confirmed target of the campaign is Banco do Brasil. The malware checks whether the victim accesses autoatendimento.bb.com.br and looks for Warsaw, Brazil's banking security plugin. This is not generic malware. It is specific banking malware, built to interact with the authentication infrastructure of a Brazilian bank.
The modular Node.js backdoor inside the modified Electron app is the campaign's signature. Signatures do not catch it because the malware is new and because it hides inside a legitimate framework. Signature detection depends on knowing the payload. Behavioral detection depends on understanding what the payload does.
The scale: 231 analyses, 60.3% in Brazil, active campaign
According to ANY.RUN, 231 sandbox analyses were recorded between January and July 2026. Brazil represents 60.3% of the delivery cluster. The campaign remains active. This is not an isolated incident. It is a continuous operation that abuses institutional trust in .gov.br domains.
CTIR Gov issued Recommendation 02/2026 in September 2025. The campaign continues in July 2026. An official recommendation is necessary, but it does not replace behavioral detection at the endpoint, WAF at the edge, and a 24/7 SOC watching the traffic.
The kill chain: from email to beacon every 180 seconds
The PhantomEnigma kill chain is deliberate and patient, according to ANY.RUN. The legitimate email opens the door. The compromised .gov.br portal delivers the payload. The modular Node.js backdoor inside the modified Electron app establishes persistence on the endpoint. And then the malware starts communicating with the command and control infrastructure.
According to ANY.RUN, the campaign maintains beacons every 180 seconds. That interval is not random. It is calibrated to blend into the normal background traffic of a corporate endpoint, avoiding volume-based alerts in SIEMs configured to detect spikes. A beacon every 3 minutes is quiet enough to go unnoticed by teams that are not doing active threat hunting. That is exactly the pattern a 24/7 SOC with threat hunting needs to identify: not the spike, but the constancy.
The modularity of the backdoor is the second detail that matters. Because it runs in Node.js inside Electron, the attacker can inject new modules at runtime, adapting the malware behavior without needing a new deploy. That means today's signature may not work tomorrow. Behavioral detection at the endpoint is not an option. It is the only layer that keeps up with a payload that changes.
The structural problem: trust by reputation becomes blindness
Here is the structural problem. Your security policy trusts .gov.br. Your email tool trusts SPF, DKIM and DMARC. When the trusted infrastructure is compromised, those layers of trust become blindness.
The email passes because the server is legitimate. The site is not blocked because the domain is trusted. The malware is not detected because the signature is unknown. Each layer of trust works correctly. The problem is that the infrastructure behind it was compromised. Zero Trust is not a slogan. It is the only architectural answer to an attack that abuses exactly the trust you already hold.
We see this pattern repeatedly in corporate security audits. A reputation-based domain allowlist is treated as the definitive control, when it should only be the first layer. When the trusted origin is compromised, the allowlist becomes the vulnerability itself. WAF at the edge with Virtual Patching and behavioral EDR at the endpoint exist exactly for this scenario: validate what the traffic does, not just where it comes from.
Conclusion: when trusted infrastructure becomes the weapon
When the infrastructure you trust becomes the weapon, trust by reputation becomes vulnerability. PhantomEnigma does not exploit a code bug. It exploits the legitimate trust in .gov.br domains, in SPF, DKIM and DMARC, in police departments. The defense is no longer a patch. It is behavior, edge, endpoint, and continuous vigilance. At Tech86, we operate a 24/7 SOC with active threat hunting exactly for this scenario: when trusted infrastructure becomes the weapon, we are watching.