20+ Hijacked Government Websites Became an Attack Channel
20+ Hijacked Government Websites Became an Attack Channel
https://thehackernews.com/2026/07/20-hijacked-government-websites.html
Publish Date: 2026-07-16 07:58:00
Source Domain: thehackernews.com
More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions.
The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign putting banks and public agencies at risk.
By connecting hundreds of seemingly unrelated sandbox sessions, ANY.RUN researchers exposed the operation’s broader scope and showed how trusted .gov.br links and authenticated emails helped the activity remain hidden.
For the complete technical analysis, infrastructure details, indicators, and detection guidance, read the full PhantomEnigma investigation report
Trusted Government Infrastructure Became the Lure
The attack began with fake police-themed documents presented as official “Ofício Polícia Civil” or “Procuração Digital” notices. Some contained QR codes, while others directed recipients to links designed to look like legitimate government resources.
![]() |
| Fake police-themed document analyzed inside ANY.RUN sandbox for full visibility into PhantomEnigma attack |
In several cases, the emails were sent through compromised mailboxes and passed SPF, DKIM, and DMARC checks. That gave the messages a stronger appearance of legitimacy than ordinary spoofed phishing emails.
Victims were then redirected through compromised .gov.br hosts or police-themed lookalike domains before reaching the malicious installer. The government systems were used as trusted delivery infrastructure, not necessarily as the final targets of the campaign.
Observed Government Hosts
Among the compromised systems observed during the investigation were timon.ma.gov[.]br, loginam.sesp.es.gov[.]br (state public security), aplicacao.cbm.mt.gov[.]br (fire department), prodoc.ap.gov[.]br,…
