Malicious Browser Extensions Compromise Security of Over 700 Users Throughout Latin America Since Early 2025


Cybersecurity researchers have identified an ongoing campaign targeting users in Brazil since the beginning of 2025. This campaign involves the distribution of a malicious extension for Chromium-based web browsers aimed at exfiltrating user authentication data.

As reported by Positive Technologies researcher Klimentiy Galkin, the attackers have employed phishing emails sent from compromised company servers to enhance the effectiveness of their strategy. The malicious extension targets Google Chrome, Microsoft Edge, and Brave; the campaign also relies on other tools, including Mesh Agent and PDQ Connect Agent.

Positive Technologies has labeled this operation Operation Phantom Enigma. They found that the malicious extension was downloaded 722 times from various countries, including Brazil, Colombia, the Czech Republic, Mexico, Russia, and Vietnam. Approximately 70 distinct victim organizations have been identified. Initial details of the campaign were shared by a researcher known as @johnk3r in April.

The attack mechanism begins with phishing emails, which masquerade as invoices and initiate a multi-stage process to install the browser extension. Recipients are persuaded to download a file via an embedded link or to open a malicious attachment within an archive.

Embedded within these files is a batch script that is responsible for downloading and executing a PowerShell script. This script performs various checks, including assessing whether it operates within a virtualized environment and verifying the presence of Diebold Warsaw software.

Diebold Warsaw, developed by GAS Tecnologia, is a security plugin designed to secure online banking and e-commerce transactions across Brazil. Notably, Latin American banking trojans like Casbaneiro have adopted similar functionalities, as previously disclosed by ESET in 2019.

The PowerShell script is engineered to disable User Account Control (UAC), configure persistence by ensuring the batch script executes automatically upon system reboot, and establish a connection with a remote server for executing additional commands.
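The two host-side traits described above (UAC switched off, a batch script registered to run at start-up) are what an analyst would look for on a suspect workstation. The following triage script is an added example written for this article, not code from the campaign or from Positive Technologies; it assumes the standard Windows registry locations for UAC policy and Run keys, reads only, and returns findings for review rather than changing anything.

```powershell
# Read-only host triage for the traits the article attributes to the PowerShell stage.
# Registry paths are the standard Windows locations (assumption: no GPO relocation).
function Get-PhantomEnigmaIndicators {
    $findings = @()

    # 1. UAC state. EnableLUA = 0 disables UAC outright; ConsentPromptBehaviorAdmin = 0
    #    elevates without prompting. Either is a strong signal on a managed workstation.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    if ($uac -and $uac.EnableLUA -eq 0) {
        $findings += [pscustomobject]@{ Type = 'UAC'; Location = "$uacKey\EnableLUA"; Value = 0 }
    }
    if ($uac -and $uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += [pscustomobject]@{ Type = 'UAC'; Location = "$uacKey\ConsentPromptBehaviorAdmin"; Value = 0 }
    }

    # 2. Persistence: Run/RunOnce values whose command line references a .bat or .cmd file.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            if ("$($p.Value)" -match '\.(bat|cmd)\b') {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }

    # 3. Persistence: Startup-folder items (direct scripts or shortcuts resolving to one).
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($dir in $startupDirs) {
        foreach ($item in (Get-ChildItem -Path "$dir\*" -Include *.bat,*.cmd,*.lnk -File -ErrorAction SilentlyContinue)) {
            $target = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
            if ($target -match '\.(bat|cmd)$') {
                $findings += [pscustomobject]@{ Type = 'Startup'; Location = $item.FullName; Value = $target }
            }
        }
    }
    return $findings
}

Get-PhantomEnigmaIndicators | Format-Table -AutoSize
```

An empty table means none of the three traits is present; any UAC row on a host where policy requires UAC on warrants a closer look at the Run-key and Startup rows returned alongside it.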

The supported command set comprises:
