Brazilian Government Sites Turned Into Malware Traps in PhantomEnigma Campaign

Attackers quietly took over more than 20 official .gov.br domains and used them to push a stealthy backdoor, according to new analysis from ANY.RUN.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal news-editorial image of a dimly lit government office at night, a single desktop monitor glowing with an abstract green download progress b
Share

Key points

  • ANY.RUN's threat intelligence team disclosed a campaign, tracked as PhantomEnigma, that hijacked more than 20 Brazilian government websites and used them to serve malware.
  • The trusted .gov.br domains were used to deliver a previously undocumented backdoor, meaning a hidden program that lets attackers control an infected computer remotely.
  • Investigators found several attack arms sharing hidden infrastructure, suggesting one coordinated operation rather than opportunistic defacements.
  • The campaign is still active, and any Brazilian citizen who downloaded files from an official state site in recent weeks should treat their machine as potentially exposed.

Here is the short version. Criminals broke into more than 20 Brazilian government websites and quietly turned them into malware vending machines. Anyone visiting those pages, expecting a form or a public document, could end up with spyware on their computer instead.

The campaign is called PhantomEnigma. It was uncovered by ANY.RUN, a company that runs suspicious files in a sealed test environment to see what they do. Their writeup, picked up by The Hacker News, describes a coordinated operation with several moving parts.

How did the hackers get in?

The researchers have not published a full root cause yet, but the pattern is familiar. In practice, campaigns like this usually start with a weak content management system on the government host, an outdated plugin, or stolen admin credentials from a phishing email, where criminals send fake login pages to trick staff into handing over their passwords.

Once inside, the attackers did not deface the sites. That would have set off alarms. Instead they left the pages looking normal and slipped malicious downloads underneath. A visitor sees a legitimate .gov.br address in the browser bar and trusts it. That trust is the whole point of the attack.

The payload is a backdoor that had not been documented before. A backdoor is a hidden program that gives an outsider remote control of the infected machine: reading files, watching keystrokes, installing more malware later. ANY.RUN says it also found infrastructure links tying several apparently separate attacks back to the same operator.

Why hijack a government site instead of building a fake one?

Because the padlock and the official domain do the persuasion work for you. Security filters, email gateways and even careful users are far less likely to block a link to a real .gov.br address. The failure mode here is trust in the domain rather than trust in the file.

That also makes this harder to clean up. Every hijacked site needs its own incident response: find the web shell, meaning the small script the attackers use to keep access, rebuild the server, rotate every credential, and check the backups were not poisoned too. Multiply that by 20-plus agencies, most of which do not share a single security team, and you get weeks of work.

What should ordinary people do?

If you downloaded a document, form or installer from a Brazilian government website in the last few weeks and something felt off, an unexpected prompt, a file that asked to run as administrator, a browser warning you clicked past, get the machine scanned by up-to-date antivirus. Change the passwords you have typed since then, especially for banking and email. Turn on two-factor authentication, which is the second code sent to your phone, on any account that offers it.

For the agencies themselves, one thing the postmortem will say is that nobody was watching outbound traffic from the web servers. Hijacked government sites do not usually need to talk to anonymous hosting providers. When they do, that should page someone.

Operational takeaway: if your public website is trusted by citizens, treat every file it serves as a signed release, not a folder you can write to.

© 2026 Threat Vectr