{"id":1907,"date":"2025-06-08T11:01:00","date_gmt":"2025-06-08T08:01:00","guid":{"rendered":"https:\/\/trustcrypt.com\/malicious-browser-extensions-compromise-security-of-over-700-users-throughout-latin-america-since-early-2025\/"},"modified":"2025-06-08T11:01:00","modified_gmt":"2025-06-08T08:01:00","slug":"malicious-browser-extensions-compromise-security-of-over-700-users-throughout-latin-america-since-early-2025","status":"publish","type":"post","link":"https:\/\/trustcrypt.com\/ar\/malicious-browser-extensions-compromise-security-of-over-700-users-throughout-latin-america-since-early-2025\/","title":{"rendered":"Malicious Browser Extensions Compromise Security of Over 700 Users Throughout Latin America Since Early 2025"},"content":{"rendered":"

Cybersecurity researchers have identified an ongoing campaign targeting users in Brazil since the beginning of 2025. This campaign involves the distribution of a malicious extension for Chromium-based web browsers aimed at exfiltrating user authentication data.<\/p>\n

As reported by Positive Technologies researcher Klimentiy Galkin, the attackers have employed phishing emails sent from compromised company servers to enhance the effectiveness of their strategy. The malicious extension has been reported to impact Google Chrome, Microsoft Edge, and Brave browsers, alongside other tools like Mesh Agent and PDQ Connect Agent.<\/p>\n

Positive Technologies has labeled this operation Operation Phantom Enigma<\/strong>. They found that the malicious extension was downloaded 722 times from various countries, including Brazil, Colombia, the Czech Republic, Mexico, Russia, and Vietnam. Approximately 70 distinct victim organizations have been identified. Initial details of the campaign were shared by a researcher known as @johnk3r<\/a> in April.<\/p>\n

The attack mechanism begins with phishing emails, which masquerade as invoices and initiate a multi-stage process to install the browser extension. Recipients are persuaded to download a file via an embedded link or to open a malicious attachment within an archive.<\/p>\n

Embedded within these files is a batch script that is responsible for downloading and executing a PowerShell script. This script performs various checks, including assessing whether it operates within a virtualized environment and verifying the presence of Diebold Warsaw software.<\/p>\n

Diebold Warsaw, developed by GAS Tecnologia, is a security plugin designed to secure online banking and e-commerce transactions across Brazil. Notably, Latin American banking trojans like Casbaneiro have adopted similar functionalities, as previously disclosed by ESET in 2019.<\/p>\n

The PowerShell script is engineered to disable User Account Control (UAC), configure persistence by ensuring the batch script executes automatically upon system reboot, and establish a connection with a remote server for executing additional commands.<\/p>\n

The supported command set comprises:<\/p>\n