59 Victims, Zero Authentication: A ClickFix Campaign Force-Installs a Chrome Extension Banking Stealer and Leaves the Entire C2 Wide Open
A Brazilian banking fraud operation leveraging ClickFix social engineering was discovered through a community tip, exposing a completely unauthenticated command-and-control infrastructure. The campaign deploys a malicious Chrome extension masquerading as a Banco Central do Brasil tool, force-installed via Chrome Cloud Management enrollment tokens. The extension achieves zero antivirus detections while targeting eight Brazilian financial institutions. At investigation time, 59 machines were compromised with seven active connections. The operator's C2 server exposed all endpoints without authentication, including admin panels, live victim screenshots, stolen credentials in cleartext, and intercepted Pix payment data. Attribution was established through WHOIS records revealing the operator's real name, CPF, and email address. The operation specifically targeted Northern Brazilian regional banks and credit cooperatives, with evidence of compromising a school fund account.
AI Analysis
Technical Summary
This threat involves a banking malware campaign in Brazil that uses ClickFix social engineering to force-install a malicious Chrome extension via Chrome Cloud Management enrollment tokens. The extension masquerades as an official Banco Central do Brasil tool and targets eight financial institutions. The campaign has compromised 59 machines with seven active connections at the time of investigation. The operator's command-and-control server is completely unauthenticated, exposing all endpoints including administrative interfaces, live victim screenshots, stolen credentials in plaintext, and intercepted Pix payment data. Attribution was possible through WHOIS records revealing the operator's real identity. The campaign focuses on Northern Brazilian regional banks and credit cooperatives, with evidence of financial theft from a school fund account.
Potential Impact
The campaign results in credential theft, session hijacking, and interception of Pix payment data from victims. The unauthenticated C2 infrastructure exposes sensitive stolen data and live victim information, increasing the risk of further exploitation or data leakage. At least 59 machines were compromised, affecting multiple Brazilian financial institutions and credit cooperatives. The attack undermines trust in Chrome extensions and cloud management enrollment mechanisms. The exposure of operator identity may aid law enforcement but does not mitigate ongoing risk to victims.
Mitigation Recommendations
No official patch or remediation is indicated. Since the attack uses Chrome Cloud Management enrollment tokens to force-install the malicious extension, organizations should audit and restrict token issuance and enrollment permissions. Remove the malicious Chrome extension from affected machines and monitor for unauthorized extensions. Secure any exposed C2 infrastructure if under organizational control. Users should be alerted to avoid installing suspicious extensions and verify extension sources. Patch status is not yet confirmed — check vendor advisories and security community updates for remediation guidance.
Affected Countries
Brazil
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://intel.breakglass.tech/post/clickfix-chrome-extension-banking-stealer-59-victims-unauthenticated-c2
- Adversary: ANTONIO EDUARDO FREDERICO
- Pulse Id: 69de47aacc631b04e06bae89
- Threat Score: null
Threat ID: 69de4c5382d89c981fa44b81
Added to database: 4/14/2026, 2:16:51 PM
Last enriched: 4/14/2026, 2:31:50 PM
Last updated: 4/14/2026, 8:34:38 PM