
In less than a year, Teste PHP built a financial crime operation that stretched across five countries and three continents — without sophisticated malware, without a large team, and without conducting a single traditional phishing campaign. Instead, they weaponized the browser itself.
Teste PHP is a financially motivated intrusion set targeting Portuguese and Spanish-speaking banking customers and cryptocurrency users across Brazil, Portugal, Chile, Spain, and Mexico. Their method of choice: malicious browser extensions that silently infiltrate the browser session and harvest credentials in real time. The victim doesn’t click a fake link or download a suspicious file — they simply log into their bank or crypto exchange, unaware that an extension installed weeks earlier is watching every keystroke.
The campaign's reach grew fast. Within nine months of first observed activity in May 2025, Teste PHP had assembled an infrastructure of 576+ elements — domains, distribution points, harvesting backends — spanning three geographic regions. Two known operators have been confirmed, though the full structure of the group remains under active investigation by Group-IB researchers.
What makes Teste PHP a standout in 2026 is the scalability of their model. By combining malicious extension delivery with automated malspam campaigns, they removed the human bottleneck from credential theft. Once an extension is installed, it works without further operator effort — passively collecting credentials across every login session until detected or removed.
Key Numbers
— 576+ Infrastructure elements assembled within 9 months of first activity
— 5 Countries with confirmed Teste PHP operations (Brazil, Portugal, Chile, Spain, Mexico)
— 2+ Known operators confirmed by Group-IB investigation
— 2 Primary target verticals: banking and cryptocurrency simultaneously
Brazil (primary), Portugal, Chile, Spain, Mexico
Sustained 9-month operation deploying malicious browser extensions via automated malspam across five Portuguese and Spanish-speaking countries. Banking institutions and cryptocurrency exchanges targeted simultaneously, allowing credential harvesting at scale without requiring individual social engineering interactions with victims.
Teste PHP’s attack chain centers on the silent installation of malicious browser extensions as the primary persistence and collection mechanism. Distribution occurs through automated malspam campaigns that deliver install prompts designed to appear as legitimate browser updates or productivity tools. Once installed, the extension intercepts authenticated sessions — capturing credentials, session tokens, and cryptocurrency wallet data without requiring any further interaction with the victim.
The group operates across both Chrome-compatible extension ecosystems and targets financial platforms across two language groups simultaneously, indicating deliberate geographic breadth in targeting strategy. The 576+ infrastructure elements identified by Group-IB reflect a well-organized backend supporting multiple active campaigns across jurisdictions.
The intrusion set continues to demonstrate a highly scalable attack model centered on spear phishing, malicious links, and rogue browser extensions to compromise victims and harvest credentials at scale. By abusing browser-stored cookies, saved passwords, and authentication tokens, the operators can bypass traditional login protections and hijack active sessions with minimal user interaction. Their operational flexibility enables rapid adaptation of delivery mechanisms and infrastructure, ensuring that campaigns remain active and persistent. The stolen access may be monetized through dark market sales or further weaponized to support follow-on financially driven cyber campaigns. Defenders must pivot to behavioral monitoring, browser extension governance and least-privilege access controls to reduce the risk of unauthorized access and session hijacking.
Deploy enterprise browser management policies that restrict extension installation to an approved allowlist. Prevent employees from installing extensions from outside the Chrome Web Store or equivalent managed repository.
Use endpoint detection and response (EDR) tooling to alert on browser extension installation events, particularly those occurring outside standard software deployment channels.
Regularly audit browser extensions installed across your organization. Flag and investigate any extension requesting broad permissions (all URLs, clipboard access, web request interception).
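The allowlist and permission-audit recommendations above can be put into practice with a small script. The following is an added example written for this page, not Group-IB's tooling or any vendor product. It assumes Chrome's on-disk profile layout (`Extensions/<extension-id>/<version>/manifest.json`), the standard manifest keys (`permissions`, `optional_permissions`, `host_permissions`, `content_scripts[].matches`) and Chrome's `ExtensionSettings` enterprise policy; the extension IDs, manifests and allowlist entries are constructed placeholders. It flags any extension that is not on the allowlist or that asks for broad access (every site, request interception, cookies, clipboard, debugger), and it emits the managed policy JSON that enforces the allowlist so the same list serves both prevention and audit.

```python
"""Audit installed Chrome/Chromium extensions against an allowlist, flag broad
permissions, and emit a managed policy that enforces the allowlist.

Added example (not Group-IB's tooling). Assumptions: Chrome's on-disk layout
<profile>/Extensions/<extension-id>/<version>/manifest.json and the standard
manifest keys. Extension IDs and manifests below are constructed samples."""
import json
from pathlib import Path

# API permissions that let an extension watch every page, intercept requests,
# read cookies or the clipboard, or drive the browser. Names are Chrome's own.
BROAD_API_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
    "tabs", "scripting", "clipboardRead", "clipboardWrite", "debugger",
}

# Constructed allowlist: a hypothetical 32-character extension ID, not a real one.
ALLOWLIST = {
    "abcdefghijklmnopabcdefghijklmnop": "Corporate password manager (placeholder)",
}


def is_broad_host(pattern: str) -> bool:
    """True for match patterns that cover every site (<all_urls> or a '*' host)."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def risky_permissions(manifest: dict) -> list:
    """Return the declared permissions and host patterns that grant broad access."""
    declared = set(manifest.get("permissions", []))            # MV2 hosts + API names, MV3 API names
    declared |= set(manifest.get("optional_permissions", []))   # can be requested later at runtime
    declared |= set(manifest.get("host_permissions", []))       # MV3 host access
    for script in manifest.get("content_scripts", []):
        declared |= set(script.get("matches", []))              # pages the script is injected into
    return sorted(p for p in declared if p in BROAD_API_PERMISSIONS or is_broad_host(p))


def audit_manifest(ext_id: str, manifest: dict, allowlist=ALLOWLIST) -> list:
    """Findings for one extension; an empty list means allowlisted with narrow permissions."""
    findings = []
    if ext_id not in allowlist:
        findings.append("not on allowlist")
    broad = risky_permissions(manifest)
    if broad:
        findings.append("broad permissions: " + ", ".join(broad))
    return findings


def audit_profile(profile_dir: str, allowlist=ALLOWLIST) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each one."""
    results = {}
    for manifest_path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        findings = audit_manifest(ext_id, manifest, allowlist)
        if findings:
            results[ext_id] = {"name": manifest.get("name"), "findings": findings}
    return results


def build_managed_policy(allowlist=ALLOWLIST) -> dict:
    """Chrome ExtensionSettings policy: block every extension except the allowlist and
    refuse the riskiest permissions even to allowlisted ones. The policy keys and
    installation_mode values are Chrome's; the blocked permission choice is ours."""
    settings = {"*": {"installation_mode": "blocked",
                      "blocked_permissions": ["webRequest", "debugger", "clipboardRead"]}}
    for ext_id in allowlist:
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


# Constructed sample: a "productivity" extension with the footprint the report describes
# (injects into every page, intercepts requests, reads the clipboard).
SUSPICIOUS_ID = "pponmlkjihgfedcbpponmlkjihgfedcb"
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3, "name": "PDF Tools Pro (constructed)", "version": "1.0",
    "permissions": ["webRequest", "clipboardRead", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}],
}
# Constructed sample: the allowlisted extension, scoped to a single corporate domain.
BENIGN_ID = "abcdefghijklmnopabcdefghijklmnop"
BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Corp Vault (constructed)", "version": "2.3",
    "permissions": ["storage"],
    "host_permissions": ["https://vault.corp.example/*"],
}

if __name__ == "__main__":
    for ext_id, manifest in ((SUSPICIOUS_ID, SUSPICIOUS_MANIFEST), (BENIGN_ID, BENIGN_MANIFEST)):
        print(ext_id, manifest["name"], audit_manifest(ext_id, manifest) or "OK")
    # On Linux, write this JSON to /etc/opt/chrome/policies/managed/ to enforce the allowlist.
    print(json.dumps(build_managed_policy(), indent=2))
```

Point `audit_profile()` at a user's Chrome profile directory to get the findings per installed extension; anything returned is an extension to investigate, and the same allowlist feeds `build_managed_policy()`, so prevention and audit cannot drift apart. A narrow host pattern such as `https://vault.corp.example/*` is not flagged, while `<all_urls>` or a `*` host is, which is the distinction that separates a scoped corporate tool from an extension able to read every banking and exchange session.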
Organizations with operations in Brazil, Portugal, Chile, Spain, or Mexico, or those offering financial services to customers in those markets, should monitor Group-IB Threat Intelligence for Teste PHP indicators of compromise.
Train users to treat any browser-delivered prompt requesting extension installation outside of IT-approved channels as a potential social engineering attempt.
A malicious browser extension is a piece of code that runs inside the browser with elevated access to web activity. Unlike traditional malware that operates at the OS level, a browser extension sits inside the application where financial transactions happen — meaning it can observe and capture credentials, session tokens, and financial data at the point of entry, before encryption or security controls can intercept it. For an attacker, it’s a persistent, low-visibility presence that activates automatically every time the victim opens their browser.
Distribution runs through automated malspam campaigns — mass email distributions that deliver install prompts designed to resemble legitimate browser update notifications or useful productivity tools. The automation removes the social engineering bottleneck: the malspam goes out at scale, and each successful install becomes a self-sustaining collection point that requires no further operator involvement.
The five-country targeting profile — Brazil, Portugal, Chile, Spain, Mexico — reflects deliberate focus on the Portuguese and Spanish-speaking financial ecosystem. These markets share language and, to varying degrees, some financial service brands, allowing Teste PHP to build extension templates and lure material that works across multiple geographies with minimal adaptation.
Detection depends on the security tooling in place. Standard antivirus products do not reliably catch malicious browser extensions — dedicated browser security tools, EDR platforms with browser monitoring capability, or enterprise extension management policies are required. Once detected, removal is straightforward, but any credentials or session tokens harvested prior to detection should be treated as compromised and rotated immediately.
There are indications that the operators use parallel cybercriminal platforms to monitor targets, configure new lures, and manage actively compromised victims. However, whether Teste PHP is linked to a broader cybercriminal network remains under investigation.
Individuals who suspect their browser may be infected with a malicious extension should immediately audit installed extensions (via browser settings → extensions) and remove any they don’t recognize or didn’t personally install. Change passwords and enable multi-factor authentication on all banking and cryptocurrency accounts. If cryptocurrency assets have been accessed, contact the platform immediately — most exchanges have dedicated security response teams for account compromise incidents.