Malicious Browser Extensions Infect 722 Users Across Latin America Since Early 2025

Jun 08, 2025 | Ravie Lakshmanan | Malware / Browser Security

Cybersecurity researchers have uncovered a new campaign targeting Brazilian users in 2025 with a malicious browser extension for Chromium-based browsers to steal user authentication data.

According to Positive Technologies, the attackers used a malicious extension for Google Chrome, Microsoft Edge, Brave browsers, as well as Mesh Agent and PDQ Connect Agent, to carry out the attacks.

The campaign, known as “Operation Phantom Enigma,” saw the malicious extension being downloaded 722 times in countries such as Brazil, Colombia, Czech Republic, Mexico, Russia, and Vietnam, affecting 70 unique victim companies.

The attack initiates with phishing emails posing as invoices that lead to the deployment of the browser extension through a multi-stage process.

The PowerShell script used in the attack disables User Account Control, sets up persistence, and establishes a connection with a remote server to await further instructions. The server can issue the following commands to the script:

  • PING – Send a heartbeat message to the server
  • DISCONNECT – Stop the current script process
  • REMOVEKL – Uninstall the script
  • CHECAEXT – Check for a malicious browser extension
  • START_SCREEN – Install the extension in the browser

The identified malicious extensions have already been removed from the Chrome Web Store.
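Store takedowns only help machines that have not yet installed the extension, so an incident responder still needs to inventory what is sitting in the Chromium profiles of affected endpoints. The following is an added example, not code from the article or from Positive Technologies: it walks a Chromium profile's `Extensions/<id>/<version>/manifest.json` tree and flags extensions that combine traffic- or session-reading permissions with broad host access, or that lack the `update_url` a store-installed extension normally carries. The permission watch-list and the "no update_url" heuristic are this example's own assumptions for triage (the article does not publish the extension's manifest), and the two extensions it writes into a temporary profile are constructed samples with placeholder IDs, not indicators from the campaign.

```python
import json
import tempfile
from pathlib import Path

# Triage watch-list (an assumption for this example; the article does not publish
# the extension's manifest): permissions that let an extension read or rewrite
# traffic and session state for sites such as online banking.
SENSITIVE_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "scripting", "tabs",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_manifests(profile_dir):
    """Yield (extension_id, version_dir, manifest) for each
    <profile>/Extensions/<id>/<version>/manifest.json in a Chromium profile."""
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable manifest: skip it, do not abort the sweep
            yield ext_dir.name, version_dir.name, manifest


def assess_manifest(manifest):
    """Return the list of reasons an extension merits review (empty if none)."""
    reasons = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 listed host match patterns inside "permissions"; fold them in.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        reasons.append("sensitive permissions: " + ", ".join(sensitive))
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        reasons.append("broad host access: " + ", ".join(broad))
    if "update_url" not in manifest:
        # Store-installed extensions carry an update_url; sideloaded ones usually do not.
        reasons.append("no update_url (likely sideloaded)")
    return reasons


def audit_profile(profile_dir):
    """Map extension id -> finding for every extension that raised at least one reason."""
    findings = {}
    for ext_id, version, manifest in load_manifests(profile_dir):
        reasons = assess_manifest(manifest)
        if reasons:
            findings[ext_id] = {
                "name": manifest.get("name", "?"),
                "version": version,
                "reasons": reasons,
            }
    return findings


def build_sample_profile(root):
    """Write a constructed profile with one benign and one suspicious extension.
    The 32-character ids are placeholders, not identifiers from the campaign."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "name": "Sample Dictionary", "version": "1.0", "manifest_version": 3,
            "permissions": ["storage"],
            "update_url": "https://clients2.google.com/service/update2/crx",
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "name": "Sample Sideloaded Helper", "version": "0.1", "manifest_version": 3,
            "permissions": ["webRequest", "cookies", "tabs"],
            "host_permissions": ["<all_urls>"],
        },
    }
    for ext_id, manifest in samples.items():
        ext_dir = Path(root) / "Extensions" / ext_id / (manifest["version"] + "_0")
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo():
    """Run the audit against the constructed profile and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root)
        return audit_profile(root)


if __name__ == "__main__":
    for ext_id, finding in demo().items():
        print(ext_id, finding["name"], finding["version"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

To run it against a real endpoint, point `audit_profile()` at a profile directory such as the `User Data/Default` folder of Chrome or Edge instead of the temporary sample. A hit is a lead for review, not a verdict: legitimate password managers and ad blockers request the same permissions, so the finding should be correlated with how the extension arrived (the sideloaded PowerShell path described above versus a store install) before anything is removed.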

Further investigation revealed that the attackers leveraged invoice-related lures to distribute installer files and deploy remote access software instead of a browser extension.

The attackers’ main goal is to steal authentication data from victims’ bank accounts.
