A newly identified malware campaign is actively targeting users across Brazil and several other countries by distributing malicious browser extensions for Google Chrome, Microsoft Edge, and Brave.
Security experts from Positive Technologies report that the campaign, dubbed “Phantom Enigma,” began in early 2025 and leverages phishing emails originating from compromised business servers to increase the likelihood of successful infection.
Technical Attack Flow
The attack is initiated via tailored phishing messages, typically masquerading as invoices or important documents.
These emails either contain malicious attachments (such as BAT or MSI files) or links to download malware-laden installers.
Once executed, the BAT scripts ensure the payload runs with administrative privileges, download a PowerShell script, and check whether they are running inside a virtual environment in order to evade analysis and sandboxing.
The PowerShell script then establishes persistence by registering itself in the Windows startup registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) and disables User Account Control to ease further compromise of the system.

A core component of the campaign is the deployment of malicious extensions. Through manipulation of registry keys (HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist), the attacker forces Chrome, Edge, or Brave to silently install rogue extensions from external sources or local files.
These extensions are designed to intercept banking credentials and authentication tokens, particularly targeting the Banco do Brasil’s online services.
The malicious code in the extensions utilizes background JavaScript to monitor web requests, capture credentials, and exfiltrate data to remote command-and-control (C2) servers, including financial-executive.com.
Multi-Vector Distribution
In addition to browser extension attacks, researchers found that the same infrastructure is used to distribute Remote Access Tools (RATs) such as Mesh Agent and PDQ Connect Agent.

These RATs are delivered via MSI installers and are capable of cross-platform infections, including Windows, Linux, and macOS, supporting various processor architectures.
Once installed, Mesh Agent connects to its C2 infrastructure over secure WebSocket and HTTPS channels, granting attackers full remote control and the ability to move laterally within corporate networks.
Unlike the extension-based attack, which hijacks a single user's browser session, the RAT deployment threatens an organization's entire infrastructure, allowing attackers to pivot, escalate privileges, and propagate across the network.
Extensive analysis revealed a clustered infrastructure involving multiple domains often sharing a single IP address or TLS certificate.
The campaign utilizes domains such as computadorpj.com, clientepj.com, and financial-executive.com, with frequent overlap in hosting and certificate metadata to obscure attribution and facilitate rapid domain swapping in case of takedown.
Malicious extensions are distributed both through the Chrome Web Store (the listings have since been removed) and via local injection, specifically by modifying the browser's LNK (shortcut) files to add the --load-extension parameter so that extension code stored in hidden directories is loaded at every launch.
While Brazil remains the primary target, compromised entities span Colombia, Mexico, Vietnam, Russia, and Europe, with over 700 confirmed malicious extension downloads.
Attackers focus on stealing online banking credentials, and organizational victims have also been leveraged to send phishing emails, worsening the campaign’s spread.
Security teams are advised to monitor for persistence mechanisms in registry and LNK files, scrutinize network traffic to suspicious domains, and audit browser extension installations for unauthorized entries.
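A defender-side hunt for the artifacts this story describes (forced-install policy keys, the HKCU Run key, UAC state, and browser shortcuts carrying --load-extension), written as an added example rather than taken from the Positive Technologies report. It assumes the Edge and Brave policy paths follow those browsers' documented policy layout (only the Chrome path appears in the article) and uses the extension IDs from the IOC table below.

```powershell
# Added hunting script, not code from the report. Run in an elevated PowerShell session.
# Assumption: Edge/Brave ExtensionInstallForcelist paths mirror the Chrome path named above.
$knownBadIds = @('nplfchpahihleeejpjmodggckakhglee',   # IDs from this article's IOC table
                 'ckkjdiimhlanonhceggkfjlmjnenpmfm',
                 'lkpiodmpjdhhhkdhdbnncigggodgdfli')
$forcelistKeys = @(
  'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
  'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
  'HKLM:\SOFTWARE\Policies\BraveSoftware\Brave\ExtensionInstallForcelist'
)
# 1. Forced extension installs: each value is "<extension id>;<update url>" (URL optional).
foreach ($key in $forcelistKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -match '^PS') { continue }            # skip PSPath/PSDrive metadata
    $parts = [string]$p.Value -split ';', 2
    $tag = 'store-sourced'                            # no URL, or a Google/Microsoft update URL
    if ($parts.Count -gt 1 -and $parts[1] -notmatch 'clients2\.google\.com|edge\.microsoft\.com') {
      $tag = 'NON-STORE-SOURCE'                       # e.g. a local file path or attacker URL
    }
    if ($knownBadIds -contains $parts[0]) { $tag = 'KNOWN-IOC' }
    "[Forcelist] $key : $($p.Value) [$tag]"
  }
}
# 2. HKCU Run entries that launch PowerShell (the loader's persistence method).
$run = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($p in $run.PSObject.Properties) {
  if ($p.Name -notmatch '^PS' -and [string]$p.Value -match 'powershell|pwsh') {
    "[Run] $($p.Name) = $($p.Value)"
  }
}
# 3. UAC disabled (EnableLUA = 0), as reported for this campaign.
$lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
if ($lua -eq 0) { "[UAC] EnableLUA is 0: User Account Control is disabled" }
# 4. Browser shortcuts whose arguments side-load an extension from disk.
$shell = New-Object -ComObject WScript.Shell
$lnkDirs = @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
  "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar")
Get-ChildItem -Path $lnkDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
  $sc = $shell.CreateShortcut($_.FullName)
  if ($sc.Arguments -match '--load-extension') {
    "[LNK] $($_.FullName): $($sc.TargetPath) $($sc.Arguments)"
  }
}
```

Any Forcelist hit tagged NON-STORE-SOURCE or KNOWN-IOC, and any shortcut with --load-extension, should be treated as a confirmed finding; store-sourced entries still deserve a check against the organization's approved extension list.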
Indicators of Compromise (IOC)
| Type | Indicator | Description/Notes |
|---|---|---|
| IP Address | 18.231.162.77, 107.174.231.26, 142.54.185.178, 54.207.88.51 | C2 servers and malware infrastructure |
| Domains | atual2025.com, clientepj.com, computadorpj.com, financial-executive.com, hamrah-tejarat.com, nfe-fiscal.com, ranchocentral.com, servidor2025.com, syarousi-search.com, nf-eletronica.org, relay.lombrelone.com, webrelayapi.online | C2 and distribution domains |
| GitHub Repo | https://github.com/contaaws20251 | Used for malware/installer delivery |
| Extension IDs | nplfchpahihleeejpjmodggckakhglee, ckkjdiimhlanonhceggkfjlmjnenpmfm, lkpiodmpjdhhhkdhdbnncigggodgdfli | Malicious Chrome/Edge extensions |
| File Hashes (MD5) | 0353a0dbc9f016da09303ee1a3b75d2f, 0844863f61271a66aa015ad9dcf06e51, 0906079ea36374150e8d617145021147 | Malicious installers and scripts (partial list) |