Attack chain using a browser extension | Image: Positive Technologies
Positive Technologies has uncovered an ongoing, multi-stage cybercrime campaign, dubbed "EnigmaCyberSecurity", primarily targeting Brazilian users and financial institutions. The operation leverages phishing emails, malicious browser extensions, and remote access trojans (RATs) to harvest sensitive banking data and infiltrate corporate systems. According to the researchers, attacks have been active since the beginning of 2025 and have already impacted victims in Brazil, Mexico, Colombia, the Czech Republic, Russia, Vietnam, and beyond.
The campaign begins with phishing emails disguised as invoices, often sent from servers of compromised companies, a tactic that dramatically increases success rates. One of the first-stage payloads is a BAT script that escalates privileges, installs PowerShell modules, and retrieves a remote script designed to evade detection.
"The attackers used a malicious extension for Google Chrome, Microsoft Edge, and Brave browsers," Positive Technologies noted, "as well as Mesh Agent and PDQ Connect Agent."
The core of the browser attack chain is a malicious extension posing as a legitimate update, delivered via Chrome's extension store and Inno Setup/MSI installers. Once installed, it monitors interactions with Banco do Brasil's online platform. Deobfuscated code revealed that:
- Login and password fields were exfiltrated to financial-executive.com
- A unique victim identifier (eindeutigeKennung) is generated for targeted tracking
- Fake QR codes and loading events simulate bank interactions to trick users
- The extension leverages Chrome's API hooks like onBeforeRequest and onMessage to extract login tokens and passwords
"The attackers collect confidential user information used for authentication in a specific service (presumably Banco do Brasil)," researchers concluded.
The second attack vector involves Mesh Agent, a legitimate remote access tool abused for stealthy persistence and infrastructure infiltration. Delivered via phishing MSI files, it connects to the attackers’ custom server at mesh.computadorpj.com.
Unlike the browser extension, which targets individuals, Mesh Agent enables lateral movement across enterprise networks, posing a serious threat to businesses.
"The RAT attack enables attackers to spread across the infected infrastructure, whereas the malicious extension attack targets only a single user device."
Investigators identified a vast infrastructure including:
- Malicious domains: computadorpj.com, clientepj.com, ranchocentral.com
- C2 IPs: 142.54.185.178, 107.174.231.26
- Removed extensions: nplfchpahihleeejpjmodggckakhglee, ckkjdiimhlanonhceggkfjlmjnenpmfm
Despite removal from the Chrome Web Store, the extensions were downloaded over 700 times, with attackers relying on compromised corporate websites to spread malicious links. One such page, still live, asks visitors to "Enter the victim's email address below", an indicator of mass-targeted phishing via compromised infrastructure.

"The attackers' goal is to steal authentication data from the victims' bank accounts," Positive Technologies concluded.
Organizations and users alike must remain vigilant, especially in regions with active campaigns. Recommendations include:
- Block indicators of compromise (IoCs)
- Audit browser extensions
- Detect Mesh Agent anomalies
- Educate users on invoice-based phishing
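As an added example (not code from the Positive Technologies report), the following Python audit walks a Chromium profile's Extensions directory and flags the extension IDs and domains quoted above, plus any extension that combines webRequest-style interception permissions with host access to every site. The on-disk layout `Extensions/<id>/<version>/manifest.json` is the standard Chromium format and is assumed here for Chrome, Edge and Brave alike.

```python
import json
import sys
from pathlib import Path

# Indicators quoted in the report: removed extension IDs and the domains tied to the campaign.
KNOWN_BAD_IDS = {"nplfchpahihleeejpjmodggckakhglee", "ckkjdiimhlanonhceggkfjlmjnenpmfm"}
KNOWN_BAD_HOSTS = ("financial-executive.com", "computadorpj.com", "clientepj.com", "ranchocentral.com")
# Permissions behind the request/message hooks the report describes (onBeforeRequest and friends).
INTERCEPT_PERMS = {"webRequest", "webRequestBlocking", "webNavigation", "cookies"}
ALL_SITES = ("*://*/", "http://*/", "https://*/")


def assess_extension(ext_id, manifest):
    """Return the list of reasons an installed extension's manifest deserves review."""
    reasons = []
    if ext_id in KNOWN_BAD_IDS:
        reasons.append("extension id matches a reported IoC")
    perms = set(manifest.get("permissions", []))
    # MV2 mixes URL patterns into "permissions"; MV3 lists them under "host_permissions".
    hosts = [p for p in perms if "/" in p or p == "<all_urls>"]
    hosts += list(manifest.get("host_permissions", []))
    for pattern in hosts:
        if any(bad in pattern for bad in KNOWN_BAD_HOSTS):
            reasons.append(f"host permission references a reported domain: {pattern}")
    broad = any(h == "<all_urls>" or h.startswith(ALL_SITES) for h in hosts)
    if broad and perms & INTERCEPT_PERMS:
        reasons.append("request interception on all sites: " + ", ".join(sorted(perms & INTERCEPT_PERMS)))
    return reasons


def scan_extensions(extensions_dir):
    """Map extension id -> reasons for every suspicious extension under a profile's Extensions dir."""
    findings = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the whole audit
        reasons = assess_extension(ext_id, manifest)
        if reasons:
            findings[ext_id] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python audit_extensions.py "<profile dir>/Extensions"
    for ext, why in scan_extensions(sys.argv[1]).items():
        print(ext, "->", "; ".join(why))
```

A clean result does not prove a host is uncompromised; it only covers unpacked extensions on disk, so pair it with the Mesh Agent and network checks listed above.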