REF6598

REF6598 is a threat cluster actively targeting the cryptocurrency sector. Elastic Security Labs described REF6598 as an intrusion set in which initial access and delivery occurred through abuse of Obsidian plugins, followed by deployment of the PHANTOMPULL in-memory PE loader and the PHANTOMPULSE Windows RAT as the final-stage payload. Elastic assessed the cluster’s targeting, tradecraft, and infrastructure as closely aligned with DPRK-linked activity, including Lazarus, BlueNoroff, UNC5342 (Contagious Interview), APT38, though the content describes alignment rather than definitive attribution. Observed tradecraft in the REF6598 chain includes in-memory loading, persistence via scheduled tasks, privilege escalation through a UAC bypass using IElevatedFactoryServer and Task Scheduler COM objects, and multiple process-injection methods. PHANTOMPULSE uses three injection techniques: PhantomInject, which stomps dbghelp.dll for shellcode execution; DbgNexum, which drives execution through the Windows Debug API; and ManualMap for DLL payloads. The malware also uses direct-syscall wrappers, hardware breakpoints with a vectored exception handler to interfere with AMSI, WLDP, and ETW, anti-sandbox checks, XOR-based obfuscation, host reconnaissance, screenshot capture, inline keylogging with clipboard monitoring, and self-healing persistence logic. REF6598 infrastructure and command-and-control tradecraft include blockchain-based C2 discovery: PHANTOMPULSE retrieves an XOR-encoded C2 URL from the latest transaction input associated with a specific wallet across Ethereum, Base, and Optimism, with fallback to a hardcoded domain if resolution fails. Elastic noted the resolver does not verify the sender, creating a potential sinkhole opportunity. Known malware and components associated with REF6598 include PHANTOMPULL and PHANTOMPULSE. Known related aliases or linked clusters mentioned in the content are Lazarus, BlueNoroff, UNC5342 / Contagious Interview, and APT38.